Mozilla

CA Program

Case Information

Subject

Root Inclusion For Google Trust Services LLC (GTS)

Bugzilla Bug (link)

https://bugzilla.mozilla.org/show_bug.cgi?id=1675821

CA Owner/Certificate Name

Google Trust Services LLC

Value Statement (Link)

Case Number

00000666

Case Record Type

Root Inclusion Request

Mozilla Request Status

Complete

CA Information

Company Website

https://pki.goog

Organizational Type

Public Corporation

Geographic Focus

Global

Primary Market / Customer Base

GTS issues server authentication, client authentication, email (both signing and encrypting), and code signing certs to the general public.

Document Repository

https://pki.goog/

Document Repository Description

Recognized CAA Domains

pki.goog, google.com

Problem Reporting Mechanism

https://pki.goog/

CA Address

1600 Amphitheatre Parkway, Mountain View, CA, United States of America, 94043

Root Certificate Record # 1

Root Certificate Information

Root Certificate Name

GTS Root R3

Root Case Number

R00001399

Mozilla Certificate Request Status

Included

Case Number

00000666

Certificate Data Extracted from PEM

Subject

CN=GTS Root R3; O=Google Trust Services LLC; C=US

Issuer

CN=GTS Root R3; O=Google Trust Services LLC; C=US

Valid From

2016 Jun 22

Valid To

2036 Jun 22

Certificate Serial Number

0203E5B882EB20F825276D3D66

SHA-1 Fingerprint

EDE571802BC892B95B833CD232683F09CDA01E46

SHA-256 Fingerprint

34D8A73EE208D9BCDB0D956520934B4E40E69482596E8B6F73C8426B010A6F48

Signature Hash Algorithm

ecdsaWithSHA384

Public Key Algorithm

EC secp384r1

SPKI SHA256

4179EDD981EF747477B49626408AF43DAA2CA7AB7F9E082C1060F84096774348

Subject + SPKI SHA256

57D88B417FB78BE305558C964B3663661EFFAF2EB6829D1D317D92001BF66C79

Application Information

Explanation and Role

Offer a highly available, secure, and scalable CA service for customers and Google.

Root Certificate Download URL

Mozilla Trust Bits

Email; Websites

Mozilla EV Policy OID(s)

N/A

Mozilla Applied Constraints

None

Self-Assessment

Self-Assessment (Link)

https://docs.google.com/spreadsheets/d/1OvIJq6Yzq0f7JpBCXGEZ8gLiwdngDBQ2REANOMjaKOQ/

Self-Assessment Completion Date

12/22/2023

Key Generation

Key Generation Date

6/22/2016

Key Generation Audit Report Date

11/17/2016

Key Generation Audit Report (Link)

https://pki.goog/ccadb/Key_Generation_Report_for_GTS_Roots_R1_R2_R3_and_R4.pdf

Audit Statements

Auditor

Ernst & Young, LLP

Auditor Location

United States

Standard Audit Statement (Link)

https://cpa.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=4bb202cb-e9eb-4f83-89d2-d630a18b9a04

Standard Audit Type

WebTrust

Standard Audit Deviation

false

Standard Audit Statement Date

10/31/2023

Standard Audit Period Start Date

10/1/2022

Standard Audit ALV Comments

Standard Audit Period End Date

9/30/2023

NetSec Audit Statement (Link)

NetSec Audit Type

NetSec Audit Deviation

false

NetSec Audit Statement Date

NetSec Audit Period Start Date

NetSec Audit Period End Date

TLS BR Audit Statement (Link)

https://cpa.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=0d38c63d-84f3-463c-a2dd-d2f5bf287856

TLS BR Audit Type

WebTrust

BR Audit Deviation

false

TLS BR Audit Statement Date

10/31/2023

TLS BR Audit Period Start Date

10/1/2022

TLS BR Audit ALV Comments

TLS BR Audit Period End Date

9/30/2023

TLS EVG Audit Statement (Link)

TLS EVG Audit Type

TLS EVG Audit Deviation

false

TLS EVG Audit Statement Date

TLS EVG Audit Period Start Date

TLS EVG Audit ALV Comments

TLS EVG Audit Period End Date

S/MIME BR Audit Statement (Link)

S/MIME BR Audit Type

S/MIME BR Audit Deviation

false

S/MIME BR Audit Statement Date

S/MIME BR Audit Period Start Date

S/MIME BR Audit Period End Date

Policy Document Record # 1

Document Type

Document Link

https://pki.goog/repo/cp-smime/2.3/GTS-CP-SMIME.html

Document Last Updated Date

3/18/2024

Associated Trust Bits

Client Authentication; Secure Email

Policy Identifiers

2.23.140.1.5.1.1; 2.23.140.1.5.1.2; 2.23.140.1.5.1.3; 2.23.140.1.5.2.1; 2.23.140.1.5.2.2; 2.23.140.1.5.2.3; 2.23.140.1.5.3.1; 2.23.140.1.5.3.2; 2.23.140.1.5.3.3; 2.23.140.1.5.4.1; 2.23.140.1.5.4.2; 2.23.140.1.5.4.3; 1.3.6.1.4.1.11129.2.5.4.1

Comments

Policy Document Record # 2

Document Type

Document Link

https://pki.goog/repo/cp/4.5/GTS-CP.html

Document Last Updated Date

5/10/2024

Associated Trust Bits

Server Authentication; Client Authentication; OCSP Signing

Policy Identifiers

1.3.6.1.4.1.11129.2.5.3.1; 1.3.6.1.4.1.11129.2.5.3.3; 1.3.6.1.4.1.11129.2.5.3.4; 2.23.140.1.1; 2.23.140.1.2.1; 2.23.140.1.2.2; 2.23.140.1.2.3; 2.5.29.32.0; 1.3.6.1.4.1.11129.2.5.3.2

Comments

Policy Document Record # 3

Document Type

CPS

Document Link

https://pki.goog/repo/cps/5.9/GTS-CPS.html

Document Last Updated Date

5/10/2024

Associated Trust Bits

Server Authentication; Client Authentication; Secure Email; OCSP Signing

Policy Identifiers

1.3.6.1.4.1.11129.2.5.3.2; 1.3.6.1.4.1.11129.2.5.3.3; 1.3.6.1.4.1.11129.2.5.3.4; 2.23.140.1.1; 2.23.140.1.2.1; 2.23.140.1.2.2; 2.23.140.1.3; 2.23.140.1.4; 1.3.6.1.4.1.11129.2.5.3.1

Comments

Policy Document Record # 4

Document Type

Other

Document Link

https://docs.google.com/spreadsheets/d/1OvIJq6Yzq0f7JpBCXGEZ8gLiwdngDBQ2REANOMjaKOQ/

Document Last Updated Date

12/22/2023

Associated Trust Bits

Server Authentication; Client Authentication; Code Signing; Document Signing; Encrypting File System; Secure Email; Time Stamping; IP Security End System; IP Security IKE Intermediate; IP Security Tunnel Termination; IP Security User; OCSP Signing; Private Key Archival

Policy Identifiers

1.3.6.1.4.1.11129.2.5.3.2; 1.3.6.1.4.1.11129.2.5.3.3; 1.3.6.1.4.1.11129.2.5.3.4; 1.3.6.1.4.1.11129.2.5.4.1; 2.23.140.1.1; 2.23.140.1.2.1; 2.23.140.1.2.2; 2.23.140.1.2.3; 2.23.140.1.3; 2.23.140.1.4; 2.23.140.1.5.1.1; 2.23.140.1.5.1.2; 2.23.140.1.5.1.3; 2.23.140.1.5.2.1; 2.23.140.1.5.2.2; 2.23.140.1.5.2.3; 2.23.140.1.5.3.1; 2.23.140.1.5.3.2; 2.23.140.1.5.3.3; 2.23.140.1.5.4.1; 2.23.140.1.5.4.2; 2.23.140.1.5.4.3; 2.5.29.32.0; 1.3.6.1.4.1.11129.2.5.3.1

Comments

Annual compliance self assessment for 2023

CA Hierarchy Information

Cross-Signed by another Root Cert?

Cross Signed by Another CA Operator?

Has Externally Operated SubCAs?

CP/CPS allows Ext Operated SubCAs?

Has External Registration Authorities?

CP/CPS allows External RAs?

Description of PKI Hierarchy

https://pki.goog/repository/

Intended Use Case(s) Served

Server Authentication (TLS) 1.3.6.1.5.5.7.3.1; Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4; Client Authentication 1.3.6.1.5.5.7.3.2

CA/B Forum Certificate Policy Identifier

domain-validated 2.23.140.1.2.1

TLS Certificate Domain Validation Method

3.2.2.4.7 DNS Change; 3.2.2.4.19 Agreed-Upon Change to Website - ACME; 3.2.2.4.20 TLS Using ALPN

Test Websites or Example Cert

Test Website - Valid

https://good.gtsr3.demo.pki.goog

Test Website - Expired

https://expired.gtsr3.demo.pki.goog

Test Website - Revoked

https://revoked.gtsr3.demo.pki.goog

Test Results (When Requesting the SSL/TLS Trust Bit)

Revocation Tested

Tested with http://certificate.revocationcheck.com/

CA/Browser Forum Lint Test

Tested using https://crt.sh/ https://crt.sh/?id=3448822382&opt=cablint,x509lint,zlint cablint INFO CA certificate identified x509lint INFO Checking as root CA certificate

EV Tested

N/A

Root Certificate Record # 2

Root Certificate Information

Root Certificate Name

GlobalSign

Root Case Number

R00001402

Mozilla Certificate Request Status

Denied

Case Number

00000666

Certificate Data Extracted from PEM

Subject

CN=GlobalSign; OU=GlobalSign Root CA - R2; O=GlobalSign

Issuer

CN=GlobalSign; OU=GlobalSign Root CA - R2; O=GlobalSign

Valid From

2006 Dec 15

Valid To

2021 Dec 15

Certificate Serial Number

0203E4F461EC99D9D57966CA7A

SHA-1 Fingerprint

029D4B7E33D2838C668C1D2C569EF92A540A7B96

SHA-256 Fingerprint

69E2D06C30F366166165E91D68D1CEE5CC47584A80227E76666086C0107241EB

Signature Hash Algorithm

SHA1WithRSA

Public Key Algorithm

RSA 2048 bits

SPKI SHA256

8A27B5557B4BEC7CC0305FBF3D53D1F71CD3F34910C5D65E27ECDDB82077BA3D

Subject + SPKI SHA256

D3A1F647B28A974B318E60DFF310C76D7614C5C60F3F34CD0F7599D46D7DA0A9

Application Information

Explanation and Role

Now expired root that was part of this past Webtrust audit.

Root Certificate Download URL

Mozilla Trust Bits

Email; Websites

Mozilla EV Policy OID(s)

N/A

Mozilla Applied Constraints

None

Self-Assessment

Self-Assessment (Link)

https://docs.google.com/spreadsheets/d/1OvIJq6Yzq0f7JpBCXGEZ8gLiwdngDBQ2REANOMjaKOQ/

Self-Assessment Completion Date

12/22/2023

Key Generation

Key Generation Date

Key Generation Audit Report Date

Key Generation Audit Report (Link)

Audit Statements

Auditor

Ernst & Young, LLP

Auditor Location

United States

Standard Audit Statement (Link)

https://cpa.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=4bb202cb-e9eb-4f83-89d2-d630a18b9a04

Standard Audit Type

WebTrust

Standard Audit Deviation

false

Standard Audit Statement Date

10/31/2023

Standard Audit Period Start Date

10/1/2022

Standard Audit ALV Comments

Standard Audit Period End Date

9/30/2023

NetSec Audit Statement (Link)

NetSec Audit Type

NetSec Audit Deviation

false

NetSec Audit Statement Date

NetSec Audit Period Start Date

NetSec Audit Period End Date

TLS BR Audit Statement (Link)

https://cpa.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=0d38c63d-84f3-463c-a2dd-d2f5bf287856

TLS BR Audit Type

WebTrust

BR Audit Deviation

false

TLS BR Audit Statement Date

10/31/2023

TLS BR Audit Period Start Date

10/1/2022

TLS BR Audit ALV Comments

TLS BR Audit Period End Date

9/30/2023

TLS EVG Audit Statement (Link)

TLS EVG Audit Type

TLS EVG Audit Deviation

false

TLS EVG Audit Statement Date

TLS EVG Audit Period Start Date

TLS EVG Audit ALV Comments

TLS EVG Audit Period End Date

S/MIME BR Audit Statement (Link)

S/MIME BR Audit Type

S/MIME BR Audit Deviation

false

S/MIME BR Audit Statement Date

S/MIME BR Audit Period Start Date

S/MIME BR Audit Period End Date

Policy Document Record # 1

Document Type

Document Link

https://pki.goog/repo/cp-smime/2.3/GTS-CP-SMIME.html

Document Last Updated Date

3/18/2024

Associated Trust Bits

Client Authentication; Secure Email

Policy Identifiers

Comments

Policy Document Record # 2

Document Type

Document Link

https://pki.goog/repo/cp/4.5/GTS-CP.html

Document Last Updated Date

5/10/2024

Associated Trust Bits

Server Authentication; Client Authentication; OCSP Signing

Policy Identifiers

1.3.6.1.4.1.11129.2.5.3.1; 1.3.6.1.4.1.11129.2.5.3.3; 1.3.6.1.4.1.11129.2.5.3.4; 2.23.140.1.1; 2.23.140.1.2.1; 2.23.140.1.2.2; 2.23.140.1.2.3; 2.5.29.32.0; 1.3.6.1.4.1.11129.2.5.3.2

Comments

Policy Document Record # 3

Document Type

CPS

Document Link

https://pki.goog/repo/cps/5.9/GTS-CPS.html

Document Last Updated Date

5/10/2024

Associated Trust Bits

Server Authentication; Client Authentication; Secure Email; OCSP Signing

Policy Identifiers

1.3.6.1.4.1.11129.2.5.3.2; 1.3.6.1.4.1.11129.2.5.3.3; 1.3.6.1.4.1.11129.2.5.3.4; 2.23.140.1.1; 2.23.140.1.2.1; 2.23.140.1.2.2; 2.23.140.1.3; 2.23.140.1.4; 1.3.6.1.4.1.11129.2.5.3.1

Comments

Policy Document Record # 4

Document Type

Other

Document Link

https://docs.google.com/spreadsheets/d/1OvIJq6Yzq0f7JpBCXGEZ8gLiwdngDBQ2REANOMjaKOQ/

Document Last Updated Date

12/22/2023

Associated Trust Bits

Policy Identifiers

Comments

Annual compliance self assessment for 2023

CA Hierarchy Information

Cross-Signed by another Root Cert?

Cross Signed by Another CA Operator?

Has Externally Operated SubCAs?

CP/CPS allows Ext Operated SubCAs?

Has External Registration Authorities?

CP/CPS allows External RAs?

Description of PKI Hierarchy

pki.goog

Intended Use Case(s) Served

Server Authentication (TLS) 1.3.6.1.5.5.7.3.1; Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4; Client Authentication 1.3.6.1.5.5.7.3.2

CA/B Forum Certificate Policy Identifier

extended-validation 2.23.140.1.1; domain-validated 2.23.140.1.2.1; organization-validated 2.23.140.1.2.2

TLS Certificate Domain Validation Method

3.2.2.4.7 DNS Change; 3.2.2.4.12 Validating Applicant as a Domain Contact; 3.2.2.4.19 Agreed-Upon Change to Website - ACME; 3.2.2.4.20 TLS Using ALPN

Test Websites or Example Cert

Test Website - Valid

Test Website - Expired

Test Website - Revoked

Test Results (When Requesting the SSL/TLS Trust Bit)

Revocation Tested

Tested with http://certificate.revocationcheck.com/. https://certificate.revocationcheck.com/pki.goog

CA/Browser Forum Lint Test

Tested using https://crt.sh/ https://crt.sh/?id=3448659678&opt=cablint,x509lint,zlint INFO: CA certificate identified ERROR: CA certificates must include countryName in subject The new root Certificate was modelled after the existing certificate for compatibility reasons. (see https://bugzilla.mozilla.org/show_bug.cgi?id=1652581)

EV Tested

N/A

Root Certificate Record # 3

Root Certificate Information

Root Certificate Name

GlobalSign

Root Case Number

R00001403

Mozilla Certificate Request Status

Included

Case Number

00000666

Certificate Data Extracted from PEM

Subject

CN=GlobalSign; OU=GlobalSign ECC Root CA - R4; O=GlobalSign

Issuer

CN=GlobalSign; OU=GlobalSign ECC Root CA - R4; O=GlobalSign

Valid From

2012 Nov 13

Valid To

2038 Jan 19

Certificate Serial Number

0203E57EF53F93FDA50921B2A6

SHA-1 Fingerprint

6BA0B098E171EF5AADFE4815807710F4BD6F0B28

SHA-256 Fingerprint

B085D70B964F191A73E4AF0D54AE7A0E07AAFDAF9B71DD0862138AB7325A24A2

Signature Hash Algorithm

ecdsaWithSHA256

Public Key Algorithm

EC secp256r1

SPKI SHA256

08B3A6335FCE5EF48F8F0E543986C07FD18A3B1226129F61864BBD5BDD1F1CC9

Subject + SPKI SHA256

E7BE5BAB85BD4AF554B3C28287CEF885C92126334C0FFC85E6607461B815F162

Application Information

Explanation and Role

Offer a highly available, secure, and scalable CA service for customers and Google.

Root Certificate Download URL

Mozilla Trust Bits

Email; Websites

Mozilla EV Policy OID(s)

N/A

Mozilla Applied Constraints

None

Self-Assessment

Self-Assessment (Link)

https://docs.google.com/spreadsheets/d/1OvIJq6Yzq0f7JpBCXGEZ8gLiwdngDBQ2REANOMjaKOQ/

Self-Assessment Completion Date

12/22/2023

Key Generation

Key Generation Date

Key Generation Audit Report Date

Key Generation Audit Report (Link)

Audit Statements

Auditor

Ernst & Young, LLP

Auditor Location

United States

Standard Audit Statement (Link)

https://cpa.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=4bb202cb-e9eb-4f83-89d2-d630a18b9a04

Standard Audit Type

WebTrust

Standard Audit Deviation

false

Standard Audit Statement Date

10/31/2023

Standard Audit Period Start Date

10/1/2022

Standard Audit ALV Comments

Standard Audit Period End Date

9/30/2023

NetSec Audit Statement (Link)

NetSec Audit Type

NetSec Audit Deviation

false

NetSec Audit Statement Date

NetSec Audit Period Start Date

NetSec Audit Period End Date

TLS BR Audit Statement (Link)

https://cpa.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=0d38c63d-84f3-463c-a2dd-d2f5bf287856

TLS BR Audit Type

WebTrust

BR Audit Deviation

false

TLS BR Audit Statement Date

10/31/2023

TLS BR Audit Period Start Date

10/1/2022

TLS BR Audit ALV Comments

TLS BR Audit Period End Date

9/30/2023

TLS EVG Audit Statement (Link)

TLS EVG Audit Type

TLS EVG Audit Deviation

false

TLS EVG Audit Statement Date

TLS EVG Audit Period Start Date

TLS EVG Audit ALV Comments

TLS EVG Audit Period End Date

S/MIME BR Audit Statement (Link)

S/MIME BR Audit Type

S/MIME BR Audit Deviation

false

S/MIME BR Audit Statement Date

S/MIME BR Audit Period Start Date

S/MIME BR Audit Period End Date

Policy Document Record # 1

Document Type

Document Link

https://pki.goog/repo/cp-smime/2.3/GTS-CP-SMIME.html

Document Last Updated Date

3/18/2024

Associated Trust Bits

Client Authentication; Secure Email

Policy Identifiers

Comments

Policy Document Record # 2

Document Type

Document Link

https://pki.goog/repo/cp/4.5/GTS-CP.html

Document Last Updated Date

5/10/2024

Associated Trust Bits

Server Authentication; Client Authentication; OCSP Signing

Policy Identifiers

1.3.6.1.4.1.11129.2.5.3.1; 1.3.6.1.4.1.11129.2.5.3.3; 1.3.6.1.4.1.11129.2.5.3.4; 2.23.140.1.1; 2.23.140.1.2.1; 2.23.140.1.2.2; 2.23.140.1.2.3; 2.5.29.32.0; 1.3.6.1.4.1.11129.2.5.3.2

Comments

Policy Document Record # 3

Document Type

CPS

Document Link

https://pki.goog/repo/cps/5.9/GTS-CPS.html

Document Last Updated Date

5/10/2024

Associated Trust Bits

Server Authentication; Client Authentication; Secure Email; OCSP Signing

Policy Identifiers

1.3.6.1.4.1.11129.2.5.3.2; 1.3.6.1.4.1.11129.2.5.3.3; 1.3.6.1.4.1.11129.2.5.3.4; 2.23.140.1.1; 2.23.140.1.2.1; 2.23.140.1.2.2; 2.23.140.1.3; 2.23.140.1.4; 1.3.6.1.4.1.11129.2.5.3.1

Comments

Policy Document Record # 4

Document Type

Other

Document Link

https://docs.google.com/spreadsheets/d/1OvIJq6Yzq0f7JpBCXGEZ8gLiwdngDBQ2REANOMjaKOQ/

Document Last Updated Date

12/22/2023

Associated Trust Bits

Policy Identifiers

Comments

Annual compliance self assessment for 2023

CA Hierarchy Information

Cross-Signed by another Root Cert?

Cross Signed by Another CA Operator?

Has Externally Operated SubCAs?

CP/CPS allows Ext Operated SubCAs?

Has External Registration Authorities?

CP/CPS allows External RAs?

Description of PKI Hierarchy

https://pki.goog/repository/

Intended Use Case(s) Served

Server Authentication (TLS) 1.3.6.1.5.5.7.3.1; Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4; Client Authentication 1.3.6.1.5.5.7.3.2

CA/B Forum Certificate Policy Identifier

domain-validated 2.23.140.1.2.1

TLS Certificate Domain Validation Method

3.2.2.4.7 DNS Change; 3.2.2.4.19 Agreed-Upon Change to Website - ACME; 3.2.2.4.20 TLS Using ALPN

Test Websites or Example Cert

Test Website - Valid

https://good.gsr4.demo.pki.goog

Test Website - Expired

https://expired.gsr4.demo.pki.goog

Test Website - Revoked

https://revoked.gsr4.demo.pki.goog

Test Results (When Requesting the SSL/TLS Trust Bit)

Revocation Tested

Tested with http://certificate.revocationcheck.com/. https://certificate.revocationcheck.com/pki.goog

CA/Browser Forum Lint Test

Tested using https://crt.sh/ https://crt.sh/?id=3448815556&opt=cablint,x509lint,zlint INFO: CA certificate identified ERROR: CA certificates must include countryName in subject WARNING: CA certificates should not have a validity period greater than 25 years The new root Certificate was modelled after the existing certificate for compatibility reasons. (see https://bugzilla.mozilla.org/show_bug.cgi?id=1652581)

EV Tested

N/A

Root Certificate Record # 4

Root Certificate Information

Root Certificate Name

GTS Root R1

Root Case Number

R00001404

Mozilla Certificate Request Status

Included

Case Number

00000666

Certificate Data Extracted from PEM

Subject

CN=GTS Root R1; O=Google Trust Services LLC; C=US

Issuer

CN=GTS Root R1; O=Google Trust Services LLC; C=US

Valid From

2016 Jun 22

Valid To

2036 Jun 22

Certificate Serial Number

0203E5936F31B01349886BA217

SHA-1 Fingerprint

E58C1CC4913B38634BE9106EE3AD8E6B9DD9814A

SHA-256 Fingerprint

D947432ABDE7B7FA90FC2E6B59101B1280E0E1C7E4E40FA3C6887FFF57A7F4CF

Signature Hash Algorithm

SHA384WithRSA

Public Key Algorithm

RSA 4096 bits

SPKI SHA256

871A9194F4EED5B312FF40C84C1D524AED2F778BBFF25F138CF81F680A7ADC67

Subject + SPKI SHA256

1AB88FE2C48A31F5435F3EE3A22F354379CC1E28BDEBB3D1E702ED4817441589

Application Information

Explanation and Role

Offer a highly available, secure, and scalable CA service for customers and Google.

Root Certificate Download URL

Mozilla Trust Bits

Email; Websites

Mozilla EV Policy OID(s)

N/A

Mozilla Applied Constraints

None

Self-Assessment

Self-Assessment (Link)

https://docs.google.com/spreadsheets/d/1OvIJq6Yzq0f7JpBCXGEZ8gLiwdngDBQ2REANOMjaKOQ/

Self-Assessment Completion Date

12/22/2023

Key Generation

Key Generation Date

6/22/2016

Key Generation Audit Report Date

11/17/2016

Key Generation Audit Report (Link)

https://pki.goog/ccadb/Key_Generation_Report_for_GTS_Roots_R1_R2_R3_and_R4.pdf

Audit Statements

Auditor

Ernst & Young, LLP

Auditor Location

United States

Standard Audit Statement (Link)

https://cpa.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=4bb202cb-e9eb-4f83-89d2-d630a18b9a04

Standard Audit Type

WebTrust

Standard Audit Deviation

false

Standard Audit Statement Date

10/31/2023

Standard Audit Period Start Date

10/1/2022

Standard Audit ALV Comments

Standard Audit Period End Date

9/30/2023

NetSec Audit Statement (Link)

NetSec Audit Type

NetSec Audit Deviation

false

NetSec Audit Statement Date

NetSec Audit Period Start Date

NetSec Audit Period End Date

TLS BR Audit Statement (Link)

https://cpa.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=0d38c63d-84f3-463c-a2dd-d2f5bf287856

TLS BR Audit Type

WebTrust

BR Audit Deviation

false

TLS BR Audit Statement Date

10/31/2023

TLS BR Audit Period Start Date

10/1/2022

TLS BR Audit ALV Comments

TLS BR Audit Period End Date

9/30/2023

TLS EVG Audit Statement (Link)

TLS EVG Audit Type

TLS EVG Audit Deviation

false

TLS EVG Audit Statement Date

TLS EVG Audit Period Start Date

TLS EVG Audit ALV Comments

TLS EVG Audit Period End Date

S/MIME BR Audit Statement (Link)

S/MIME BR Audit Type

S/MIME BR Audit Deviation

false

S/MIME BR Audit Statement Date

S/MIME BR Audit Period Start Date

S/MIME BR Audit Period End Date

Policy Document Record # 1

Document Type

Document Link

https://pki.goog/repo/cp-smime/2.3/GTS-CP-SMIME.html

Document Last Updated Date

3/18/2024

Associated Trust Bits

Client Authentication; Secure Email

Policy Identifiers

Comments

Policy Document Record # 2

Document Type

Document Link

https://pki.goog/repo/cp/4.5/GTS-CP.html

Document Last Updated Date

5/10/2024

Associated Trust Bits

Server Authentication; Client Authentication; OCSP Signing

Policy Identifiers

1.3.6.1.4.1.11129.2.5.3.1; 1.3.6.1.4.1.11129.2.5.3.3; 1.3.6.1.4.1.11129.2.5.3.4; 2.23.140.1.1; 2.23.140.1.2.1; 2.23.140.1.2.2; 2.23.140.1.2.3; 2.5.29.32.0; 1.3.6.1.4.1.11129.2.5.3.2

Comments

Policy Document Record # 3

Document Type

CPS

Document Link

https://pki.goog/repo/cps/5.9/GTS-CPS.html

Document Last Updated Date

5/10/2024

Associated Trust Bits

Server Authentication; Client Authentication; Secure Email; OCSP Signing

Policy Identifiers

1.3.6.1.4.1.11129.2.5.3.2; 1.3.6.1.4.1.11129.2.5.3.3; 1.3.6.1.4.1.11129.2.5.3.4; 2.23.140.1.1; 2.23.140.1.2.1; 2.23.140.1.2.2; 2.23.140.1.3; 2.23.140.1.4; 1.3.6.1.4.1.11129.2.5.3.1

Comments

Policy Document Record # 4

Document Type

Other

Document Link

https://docs.google.com/spreadsheets/d/1OvIJq6Yzq0f7JpBCXGEZ8gLiwdngDBQ2REANOMjaKOQ/

Document Last Updated Date

12/22/2023

Associated Trust Bits

Policy Identifiers

Comments

Annual compliance self assessment for 2023

CA Hierarchy Information

Cross-Signed by another Root Cert?

Yes

Cross Signed by Another CA Operator?

Yes

Has Externally Operated SubCAs?

CP/CPS allows Ext Operated SubCAs?

Has External Registration Authorities?

CP/CPS allows External RAs?

Description of PKI Hierarchy

https://pki.goog/repository/

Intended Use Case(s) Served

Server Authentication (TLS) 1.3.6.1.5.5.7.3.1; Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4; Client Authentication 1.3.6.1.5.5.7.3.2

CA/B Forum Certificate Policy Identifier

domain-validated 2.23.140.1.2.1

TLS Certificate Domain Validation Method

3.2.2.4.7 DNS Change; 3.2.2.4.19 Agreed-Upon Change to Website - ACME; 3.2.2.4.20 TLS Using ALPN

Test Websites or Example Cert

Test Website - Valid

https://good.gtsr1.demo.pki.goog

Test Website - Expired

https://expired.gtsr1.demo.pki.goog

Test Website - Revoked

https://revoked.gtsr1.demo.pki.goog

Test Results (When Requesting the SSL/TLS Trust Bit)

Revocation Tested

Tested with http://certificate.revocationcheck.com/. https://certificate.revocationcheck.com/pki.goog

CA/Browser Forum Lint Test

Tested using https://crt.sh/ https://crt.sh/?id=3263026969&opt=cablint,zlint,x509lint INFO: CA certificate identified

EV Tested

N/A

Root Certificate Record # 5

Root Certificate Information

Root Certificate Name

GTS Root R2

Root Case Number

R00001405

Mozilla Certificate Request Status

Included

Case Number

00000666

Certificate Data Extracted from PEM

Subject

CN=GTS Root R2; O=Google Trust Services LLC; C=US

Issuer

CN=GTS Root R2; O=Google Trust Services LLC; C=US

Valid From

2016 Jun 22

Valid To

2036 Jun 22

Certificate Serial Number

0203E5AEC58D04251AAB1125AA

SHA-1 Fingerprint

9A44497632DBDEFAD0BCFB5A7B17BD9E56092494

SHA-256 Fingerprint

8D25CD97229DBF70356BDA4EB3CC734031E24CF00FAFCFD32DC76EB5841C7EA8

Signature Hash Algorithm

SHA384WithRSA

Public Key Algorithm

RSA 4096 bits

SPKI SHA256

55F77DE41C03792428F8D518C55104225BE43A5598D926A528AD653E1CCEC7BF

Subject + SPKI SHA256

0E5C2CB50C8CC27FF4E1C72805073A671BBC51763B8310735C6FEC3BDE93F9EB

Application Information

Explanation and Role

Offer a highly available, secure, and scalable CA service for customers and Google.

Root Certificate Download URL

Mozilla Trust Bits

Email; Websites

Mozilla EV Policy OID(s)

N/A

Mozilla Applied Constraints

None

Self-Assessment

Self-Assessment (Link)

https://docs.google.com/spreadsheets/d/1OvIJq6Yzq0f7JpBCXGEZ8gLiwdngDBQ2REANOMjaKOQ/

Self-Assessment Completion Date

12/22/2023

Key Generation

Key Generation Date

6/22/2016

Key Generation Audit Report Date

11/17/2016

Key Generation Audit Report (Link)

https://pki.goog/ccadb/Key_Generation_Report_for_GTS_Roots_R1_R2_R3_and_R4.pdf

Audit Statements

Auditor

Ernst & Young, LLP

Auditor Location

United States

Standard Audit Statement (Link)

https://cpa.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=4bb202cb-e9eb-4f83-89d2-d630a18b9a04

Standard Audit Type

WebTrust

Standard Audit Deviation

false

Standard Audit Statement Date

10/31/2023

Standard Audit Period Start Date

10/1/2022

Standard Audit ALV Comments

Standard Audit Period End Date

9/30/2023

NetSec Audit Statement (Link)

NetSec Audit Type

NetSec Audit Deviation

false

NetSec Audit Statement Date

NetSec Audit Period Start Date

NetSec Audit Period End Date

TLS BR Audit Statement (Link)

https://cpa.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=0d38c63d-84f3-463c-a2dd-d2f5bf287856

TLS BR Audit Type

WebTrust

BR Audit Deviation

false

TLS BR Audit Statement Date

10/31/2023

TLS BR Audit Period Start Date

10/1/2022

TLS BR Audit ALV Comments

TLS BR Audit Period End Date

9/30/2023

TLS EVG Audit Statement (Link)

TLS EVG Audit Type

TLS EVG Audit Deviation

false

TLS EVG Audit Statement Date

TLS EVG Audit Period Start Date

TLS EVG Audit ALV Comments

TLS EVG Audit Period End Date

S/MIME BR Audit Statement (Link)

S/MIME BR Audit Type

S/MIME BR Audit Deviation

false

S/MIME BR Audit Statement Date

S/MIME BR Audit Period Start Date

S/MIME BR Audit Period End Date

Policy Document Record # 1

Document Type

Document Link

https://pki.goog/repo/cp-smime/2.3/GTS-CP-SMIME.html

Document Last Updated Date

3/18/2024

Associated Trust Bits

Client Authentication; Secure Email

Policy Identifiers

Comments

Policy Document Record # 2

Document Type

Document Link

https://pki.goog/repo/cp/4.5/GTS-CP.html

Document Last Updated Date

5/10/2024

Associated Trust Bits

Server Authentication; Client Authentication; OCSP Signing

Policy Identifiers

1.3.6.1.4.1.11129.2.5.3.1; 1.3.6.1.4.1.11129.2.5.3.3; 1.3.6.1.4.1.11129.2.5.3.4; 2.23.140.1.1; 2.23.140.1.2.1; 2.23.140.1.2.2; 2.23.140.1.2.3; 2.5.29.32.0; 1.3.6.1.4.1.11129.2.5.3.2

Comments

Policy Document Record # 3

Document Type

CPS

Document Link

https://pki.goog/repo/cps/5.9/GTS-CPS.html

Document Last Updated Date

5/10/2024

Associated Trust Bits

Server Authentication; Client Authentication; Secure Email; OCSP Signing

Policy Identifiers

1.3.6.1.4.1.11129.2.5.3.2; 1.3.6.1.4.1.11129.2.5.3.3; 1.3.6.1.4.1.11129.2.5.3.4; 2.23.140.1.1; 2.23.140.1.2.1; 2.23.140.1.2.2; 2.23.140.1.3; 2.23.140.1.4; 1.3.6.1.4.1.11129.2.5.3.1

Comments

Policy Document Record # 4

Document Type

Other

Document Link

https://docs.google.com/spreadsheets/d/1OvIJq6Yzq0f7JpBCXGEZ8gLiwdngDBQ2REANOMjaKOQ/

Document Last Updated Date

12/22/2023

Associated Trust Bits

Policy Identifiers

Comments

Annual compliance self assessment for 2023

CA Hierarchy Information

Cross-Signed by another Root Cert?

Cross Signed by Another CA Operator?

Has Externally Operated SubCAs?

CP/CPS allows Ext Operated SubCAs?

Has External Registration Authorities?

CP/CPS allows External RAs?

Description of PKI Hierarchy

https://pki.goog/repository/

Intended Use Case(s) Served

Server Authentication (TLS) 1.3.6.1.5.5.7.3.1; Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4; Client Authentication 1.3.6.1.5.5.7.3.2

CA/B Forum Certificate Policy Identifier

domain-validated 2.23.140.1.2.1

TLS Certificate Domain Validation Method

3.2.2.4.7 DNS Change; 3.2.2.4.19 Agreed-Upon Change to Website - ACME; 3.2.2.4.20 TLS Using ALPN

Test Websites or Example Cert

Test Website - Valid

https://good.gtsr2.demo.pki.goog

Test Website - Expired

https://expired.gtsr2.demo.pki.goog

Test Website - Revoked

https://revoked.gtsr2.demo.pki.goog

Test Results (When Requesting the SSL/TLS Trust Bit)

Revocation Tested

Tested with http://certificate.revocationcheck.com/. https://certificate.revocationcheck.com/pki.goog

CA/Browser Forum Lint Test

Tested using https://crt.sh/ https://crt.sh/?id=3448820660&opt=cablint,x509lint,zlint INFO: CA certificate identified

EV Tested

N/A

Root Certificate Record # 6

Root Certificate Information

Root Certificate Name

GTS Root R4

Root Case Number

R00001406

Mozilla Certificate Request Status

Included

Case Number

00000666

Certificate Data Extracted from PEM

Subject

CN=GTS Root R4; O=Google Trust Services LLC; C=US

Issuer

CN=GTS Root R4; O=Google Trust Services LLC; C=US

Valid From

2016 Jun 22

Valid To

2036 Jun 22

Certificate Serial Number

0203E5C068EF631A9C72905052

SHA-1 Fingerprint

77D30367B5E00C15F60C3861DF7CE13B92464D47

SHA-256 Fingerprint

349DFA4058C5E263123B398AE795573C4E1313C83FE68F93556CD5E8031B3C7D

Signature Hash Algorithm

ecdsaWithSHA384

Public Key Algorithm

EC secp384r1

SPKI SHA256

9847E5653E5E9E847516E5CB818606AA7544A19BE67FD7366D506988E8D84347

Subject + SPKI SHA256

20579A7FA60179758D7F5914C1EDCDA977B8FD70D1CA28A1613FD5FD37EA4591

Application Information

Explanation and Role

Offer a highly available, secure, and scalable CA service for customers and Google.

Root Certificate Download URL

Mozilla Trust Bits

Email; Websites

Mozilla EV Policy OID(s)

N/A

Mozilla Applied Constraints

None

Self-Assessment

Self-Assessment (Link)

https://docs.google.com/spreadsheets/d/1OvIJq6Yzq0f7JpBCXGEZ8gLiwdngDBQ2REANOMjaKOQ/

Self-Assessment Completion Date

12/22/2023

Key Generation

Key Generation Date

6/22/2016

Key Generation Audit Report Date

11/17/2016

Key Generation Audit Report (Link)

https://pki.goog/ccadb/Key_Generation_Report_for_GTS_Roots_R1_R2_R3_and_R4.pdf

Audit Statements

Auditor

Ernst & Young, LLP

Auditor Location

United States

Standard Audit Statement (Link)

https://cpa.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=4bb202cb-e9eb-4f83-89d2-d630a18b9a04

Standard Audit Type

WebTrust

Standard Audit Deviation

false

Standard Audit Statement Date

10/31/2023

Standard Audit Period Start Date

10/1/2022

Standard Audit ALV Comments

Standard Audit Period End Date

9/30/2023

NetSec Audit Statement (Link)

NetSec Audit Type

NetSec Audit Deviation

false

NetSec Audit Statement Date

NetSec Audit Period Start Date

NetSec Audit Period End Date

TLS BR Audit Statement (Link)

https://cpa.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=0d38c63d-84f3-463c-a2dd-d2f5bf287856

TLS BR Audit Type

WebTrust

BR Audit Deviation

false

TLS BR Audit Statement Date

10/31/2023

TLS BR Audit Period Start Date

10/1/2022

TLS BR Audit ALV Comments

TLS BR Audit Period End Date

9/30/2023

TLS EVG Audit Statement (Link)

TLS EVG Audit Type

TLS EVG Audit Deviation

false

TLS EVG Audit Statement Date

TLS EVG Audit Period Start Date

TLS EVG Audit ALV Comments

TLS EVG Audit Period End Date

S/MIME BR Audit Statement (Link)

S/MIME BR Audit Type

S/MIME BR Audit Deviation

false

S/MIME BR Audit Statement Date

S/MIME BR Audit Period Start Date

S/MIME BR Audit Period End Date

Policy Document Record # 1

Document Type

Document Link

https://pki.goog/repo/cp-smime/2.3/GTS-CP-SMIME.html

Document Last Updated Date

3/18/2024

Associated Trust Bits

Client Authentication; Secure Email

Policy Identifiers

Comments

Policy Document Record # 2

Document Type

Document Link

https://pki.goog/repo/cp/4.5/GTS-CP.html

Document Last Updated Date

5/10/2024

Associated Trust Bits

Server Authentication; Client Authentication; OCSP Signing

Policy Identifiers

1.3.6.1.4.1.11129.2.5.3.1; 1.3.6.1.4.1.11129.2.5.3.3; 1.3.6.1.4.1.11129.2.5.3.4; 2.23.140.1.1; 2.23.140.1.2.1; 2.23.140.1.2.2; 2.23.140.1.2.3; 2.5.29.32.0; 1.3.6.1.4.1.11129.2.5.3.2

Comments

Policy Document Record # 3

Document Type

CPS

Document Link

https://pki.goog/repo/cps/5.9/GTS-CPS.html

Document Last Updated Date

5/10/2024

Associated Trust Bits

Server Authentication; Client Authentication; Secure Email; OCSP Signing

Policy Identifiers

1.3.6.1.4.1.11129.2.5.3.2; 1.3.6.1.4.1.11129.2.5.3.3; 1.3.6.1.4.1.11129.2.5.3.4; 2.23.140.1.1; 2.23.140.1.2.1; 2.23.140.1.2.2; 2.23.140.1.3; 2.23.140.1.4; 1.3.6.1.4.1.11129.2.5.3.1

Comments

Policy Document Record # 4

Document Type

Other

Document Link

https://docs.google.com/spreadsheets/d/1OvIJq6Yzq0f7JpBCXGEZ8gLiwdngDBQ2REANOMjaKOQ/

Document Last Updated Date

12/22/2023

Associated Trust Bits

Policy Identifiers

Comments

Annual compliance self assessment for 2023

CA Hierarchy Information

Cross-Signed by another Root Cert?

Cross Signed by Another CA Operator?

Has Externally Operated SubCAs?

CP/CPS allows Ext Operated SubCAs?

Has External Registration Authorities?

CP/CPS allows External RAs?

Description of PKI Hierarchy

https://pki.goog/repository/

Intended Use Case(s) Served

Server Authentication (TLS) 1.3.6.1.5.5.7.3.1; Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4; Client Authentication 1.3.6.1.5.5.7.3.2

CA/B Forum Certificate Policy Identifier

domain-validated 2.23.140.1.2.1

TLS Certificate Domain Validation Method

3.2.2.4.7 DNS Change; 3.2.2.4.19 Agreed-Upon Change to Website - ACME; 3.2.2.4.20 TLS Using ALPN

Test Websites or Example Cert

Test Website - Valid

https://good.gtsr4.demo.pki.goog

Test Website - Expired

https://expired.gtsr4.demo.pki.goog

Test Website - Revoked

https://revoked.gtsr4.demo.pki.goog

Test Results (When Requesting the SSL/TLS Trust Bit)

Revocation Tested

Tested with http://certificate.revocationcheck.com/

CA/Browser Forum Lint Test

Tested using https://crt.sh/ https://crt.sh/?id=3263026968&opt=cablint,x509lint,zlint cablint INFO CA certificate identified x509lint INFO Checking as root CA certificate

EV Tested

N/A