Source: securityboulevard.com – Author: Krupa Patil
Recently, Google announced that starting August 1, 2025, the Google Chrome browser will no longer trust TLS certificates issued by Chunghwa Telecom and Netlock Certificate Authorities (CAs). According to Google, the decision follows a pattern of compliance failures and a lack of measurable progress in addressing publicly reported issues.
Chunghwa Telecom is Taiwan’s largest integrated telecom service provider and operates a public Certificate Authority (CA) called ePKI, which issues digital certificates for secure web communications. Netlock, based in Hungary, is a specialized CA offering digital certification services, including TLS/SSL certificates, electronic signatures, and time stamping.
Any certificates issued by these CAs on or before July 31, 2025, will remain valid. However, certificates issued after that date will trigger browser warnings—like the dreaded “Your connection isn’t private” alert—creating trust issues for website visitors. Google intends to roll out these changes with Chrome 139, scheduled for release in early August.
Why Is Google Distrusting These CAs?
Google’s decision to distrust Chunghwa Telecom and Netlock CAs wasn’t made lightly. Citing the reasons for distrust, Google stated, “Over the past several months and years, we have observed a pattern of compliance failures, unmet improvement commitments, and the absence of tangible, measurable progress in response to publicly disclosed incident reports. When these factors are considered in aggregate and considered against the inherent risk each publicly-trusted CA poses to the internet, continued public trust is no longer justified.”
What Should Affected Website Owners Do?
If you’re using certificates from either Chunghwa Telecom or Netlock, Google strongly recommends switching to a new, publicly trusted CA as soon as possible, ideally before your current certificates expire if they expire after July 31, 2025. Doing so helps avoid trust warnings, service disruptions, and outages on your websites and internet applications.
While it’s technically possible to reissue certificates from either of the two distrusted CAs before the August 1, 2025, deadline to buy more time, that’s only a temporary fix. You’ll still need to complete a full migration eventually—and the longer you wait, the higher the risk of service disruptions.
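One way to triage an existing inventory against the dates above, as an added example that is not from the original article or from AppViewX: it parses the text printed by `openssl x509 -noout -issuer -dates`, flags issuers that contain either CA name, and orders the affected hosts for migration. Matching the CA names as issuer substrings, treating notBefore as the issuance date, and the sample hosts and certificates are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

# Cutoff from the article: certificates issued on or before July 31, 2025 stay trusted.
CUTOFF = datetime(2025, 7, 31, 23, 59, 59, tzinfo=timezone.utc)
# CA names as the article gives them; matching them as issuer substrings is an assumption.
DISTRUSTED = ("chunghwa telecom", "netlock")

def parse_openssl(text):
    """Parse the output of `openssl x509 -noout -issuer -dates` into a dict."""
    fields = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    for key in ("notBefore", "notAfter"):
        # OpenSSL pads single-digit days with a space; strptime tolerates the extra space.
        parsed = datetime.strptime(fields[key], "%b %d %H:%M:%S %Y GMT")
        fields[key] = parsed.replace(tzinfo=timezone.utc)
    return fields

def triage(text):
    """Return (status, expiry) for one certificate."""
    cert = parse_openssl(text)
    issuer = cert["issuer"].lower()
    if not any(name in issuer for name in DISTRUSTED):
        return "unaffected", cert["notAfter"]
    if cert["notBefore"] > CUTOFF:
        return "replace-now", cert["notAfter"]  # issued after the cutoff
    return "migrate-before-expiry", cert["notAfter"]  # trusted until it expires

def migration_plan(inventory):
    """Affected hosts only: post-cutoff certificates first, then earliest expiry."""
    rows = [(host, *triage(text)) for host, text in inventory.items()]
    affected = [row for row in rows if row[1] != "unaffected"]
    return sorted(affected, key=lambda row: (row[1] != "replace-now", row[2]))

# Constructed sample inventory: hosts, issuers and dates are illustrative only.
SAMPLE = {
    "shop.example": 'issuer=C = TW, O = "Chunghwa Telecom Co., Ltd.", CN = Sample CA\n'
                    "notBefore=Jun  3 08:00:00 2025 GMT\nnotAfter=Jun  3 08:00:00 2026 GMT",
    "api.example": "issuer=C = HU, O = NetLock Kft., CN = Sample CA\n"
                   "notBefore=Aug 12 09:30:00 2025 GMT\nnotAfter=Aug 12 09:30:00 2026 GMT",
    "mail.example": "issuer=C = HU, O = NetLock Kft., CN = Sample CA\n"
                    "notBefore=Mar 10 10:00:00 2025 GMT\nnotAfter=Mar 10 10:00:00 2026 GMT",
    "www.example": "issuer=C = US, O = Example Trust Services, CN = Sample CA\n"
                   "notBefore=Sep  1 00:00:00 2025 GMT\nnotAfter=Sep  1 00:00:00 2026 GMT",
}

if __name__ == "__main__":
    for host, status, expiry in migration_plan(SAMPLE):
        print(f"{host:14} {status:22} expires {expiry:%Y-%m-%d}")
```

The leaf certificate's issuer field names the issuing intermediate, so a production check should also confirm which root the chain validates to.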
Another CA Distrust Incident. Another CA Migration. How to Be Ready?
This isn’t the first time Google has pulled trust from a CA—and it likely won’t be the last.
Just last year, Google distrusted the Entrust CA. Thousands of organizations that relied on TLS certificates from Entrust were forced into a fast-paced migration to a new trusted public CA before the November deadline (in just about 4 months!). It was stressful, chaotic, and, for many, still ongoing.
In the broader picture, Google’s move should be welcomed as it reinforces the high standards expected of CAs and sends a clear message: trust must be earned through transparency, security, and accountability. That said, the responsibility for ensuring digital trust doesn’t end with browser vendors. Organizations must also step up—by implementing a multi-CA strategy and embedding CA agility and crypto-agility into their Certificate Lifecycle Management (CLM) practices.
- Multi-CA Strategy: As CA distrust and revocation incidents become more frequent, relying on a single CA is increasingly risky. If that CA is distrusted or revoked, you’re left scrambling to replace every certificate across every application. Instead, avoid CA lock-in by working with multiple trusted CAs, so that if one fails, only a portion of your certificates is affected and the overall impact is minimized. It’s equally important to have other CAs set up alongside your primary issuing CA. Since onboarding a new public CA can take time due to legal agreements and setup processes, having fallback CAs ready to go ensures you can respond quickly in the event of a CA distrust.
- CA-Agility and Crypto-Agility: CA-agility refers to the ability to quickly and seamlessly switch issuing CAs—whether public or private—to minimize the impact of a compromise or distrust event. It’s part of broader crypto-agility, which enables organizations to swap cryptographic assets (like algorithms and keys) without disrupting operations.
Why Are CA Migrations So Challenging?
Migrating from one CA to another is not just about setting up new CAs. It often means revoking and replacing thousands of certificates (across various certificate types and endpoints), retiring CA-related services, and coordinating efforts across multiple teams and systems.
Without a robust CLM solution, this process is prone to errors, bottlenecks, and missed deadlines. IT and security teams come under immense pressure, and the risk of certificate outages can ripple across applications and services.
Consider the recent Entrust CA distrust. For many enterprises operating without an automated CLM solution, CA migration has been a painful and complex process.
- End users had to reinstall multiple certificates (like S/MIME and client certificates), hampering productivity
- Failed certificate installs flooded IT with support tickets
- Internal services using private TLS certificates needed a complete “rip-and-replace” across internal servers
AppViewX AVX ONE CLM Simplifies CA Migrations with Crypto and CA-Agility
Whether you’re affected by the Entrust, Chunghwa Telecom, or Netlock CA distrust—or simply want to be ready for the next one—here’s how AppViewX can help.
AppViewX AVX ONE CLM, a comprehensive certificate lifecycle management automation solution, delivers crypto- and CA-agility to make the whole process simple and fast through:
Visibility:
- Automatically discover and build a consolidated inventory of all certificates (public and private trust)
- From your consolidated inventory, easily identify and filter vulnerable certificates from distrusted CAs for targeted remediation
Automation:
- From the list of impacted certificates, automate your CA and certificate migration, including reissuance, replacement, and revocation
- Use the unique CA Switch feature to automatically re-provision and reinstall new certificates directly from new CA(s) in place of impacted certificates
- Leverage CA-agnostic automation to reissue new certificates from various publicly trusted CAs
- Leverage closed-loop automation workflows with enterprise ACME support to ensure end-to-end automated TLS certificate issuance and renewal
Control:
- Define and automatically enforce policies around the use of approved Certificate Authorities, crypto-standards, validity periods, and more
- Ensure compliance and simplify audits with role-based access control (RBAC) and detailed audit trails
Stay Secure, Stay Agile.
Browsers play a critical role in enforcing accountability and raising the bar for Certificate Authorities. But their safeguards only go so far.
For organizations, true resilience comes from being prepared—by diversifying your CA portfolio, automating certificate lifecycle management, and embedding crypto-agility into your CLM strategy. That’s how you stay ahead of the next CA distrust event.
Check out the AVX ONE CLM: Seamless CA Switch Capability Datasheet to see how AppViewX is making CA migrations fast and frictionless.
Already impacted by Entrust, Chunghwa Telecom, or Netlock? Talk to one of our experts today to make the switch with confidence.
*** This is a Security Bloggers Network syndicated blog from Blogs Archive – AppViewX authored by Krupa Patil. Read the original post at: https://www.appviewx.com/blogs/google-chrome-to-distrust-chunghwa-telecom-and-netlock-certificate-authorities-cas-whats-next/
Original Post URL: https://securityboulevard.com/2025/06/google-chrome-to-distrust-chunghwa-telecom-and-netlock-certificate-authorities-cas-whats-next/?utm_source=rss&utm_medium=rss&utm_campaign=google-chrome-to-distrust-chunghwa-telecom-and-netlock-certificate-authorities-cas-whats-next