Repository of Documentation and Certificates

The Google Public Key Infrastructure (“Google PKI”), has been established by Google Trust Services, LLC (“Google”), to enable reliable and secure identity authentication, and to facilitate the preservation of confidentiality and integrity of data in electronic transactions.

CA certificates

Root CAs

Name Public Key Fingerprint (SHA1) Valid Until Links Tests
GTS Root R1 RSA 4096, SHA-384 e1:c9:50:e6:ef:22:f8:4c:56:45:72:8b:92:20:60:d7:d5:a7:a3:e8 Jun 22, 2036 DER CRL g r e
GTS Root R2 RSA 4096, SHA-384 d2:73:96:2a:2a:5e:39:9f:73:3f:e1:c7:1e:64:3f:03:38:34:fc:4d Jun 22, 2036 DER CRL g r e
GTS Root R3 ECC 384, SHA-384 30:d4:24:6f:07:ff:db:91:89:8a:0b:e9:49:66:11:eb:8c:5e:46:e5 Jun 22, 2036 DER CRL g r e
GTS Root R4 ECC 384, SHA-384 2a:1d:60:27:d9:4a:b1:0a:1c:4d:91:5c:cd:33:a0:cb:3e:2d:54:cb Jun 22, 2036 DER CRL g r e
GS Root R2 RSA 2048, SHA-1 75:e0:ab:b6:13:85:12:27:1c:04:f8:5f:dd:de:38:e4:b7:24:2e:fe Dec 15, 2021 DER CRL g r e
GS Root R4 ECC 256, SHA-256 69:69:56:2e:40:80:f4:24:a1:e7:19:9f:14:ba:f3:ee:58:ab:6a:bb Jan 19, 2038 DER CRL g r e

You can test whether your products are compatible with our roots by following the test links for each root.

Subordinate CAs

Issuer Name Public Key Fingerprint (SHA1) Valid Until Links
GTS Root R1 GTSX1 RSA 2048, SHA-256 0f:d1:f2:00:9d:51:01:1d:23:f8:72:96:27:90:d1:c8:23:44:33:6f Jun 22, 2026 DER CRL
GTSY1 RSA 2048, SHA-256 cd:88:fa:9d:ca:57:2c:5b:8c:3e:ed:3d:a2:e2:62:45:75:46:3f:30 Nov 1, 2028 DER
GTS Root R2 GTSX2 RSA 2048, SHA-256 29:35:6c:48:6b:b0:e2:ec:8a:0f:c9:0b:ed:73:b8:fa:1d:c1:13:df Jun 22, 2026 DER CRL
GTSY2 RSA 2048, SHA-256 ee:4b:6b:b1:8f:4c:d1:53:2e:59:1a:19:51:39:49:b1:bf:96:a8:fb Nov 1, 2028 DER
GTS Root R3 GTSX3 RSA 2048, SHA-256 c1:dd:09:28:69:8b:06:c6:fb:1f:7c:db:10:03:d8:7b:51:26:11:ae Jun 22, 2026 DER CRL
GTSY3 ECC 256, SHA-256 75:72:16:d7:5c:e5:f4:0f:b2:04:88:66:61:db:1e:4a:8f:93:4d:a7 Nov 1, 2028 DER
GTS Root R4 GTSX4 RSA 2048, SHA-256 e0:fb:04:9e:23:c6:59:20:8b:62:33:68:a0:d2:61:e3:9a:42:18:b2 Jun 22, 2026 DER CRL
GTSY4 ECC 256, SHA-256 d3:a5:8b:0a:c2:c6:20:bc:5c:87:aa:9b:ba:d4:c2:15:13:07:04:e2 Nov 1, 2028 DER
GS Root R2 GIAG3 RSA 2048, SHA-256 31:36:88:50:36:18:ae:78:17:b5:05:75:c5:a6:26:94:24:f9:ce:6e Dec 15, 2021 DER CRL
GTS GIAG3 RSA 2048, SHA-256 ee:ac:bd:0c:b4:52:81:95:77:91:1e:1e:62:03:db:26:2f:84:a3:18 Dec 15, 2021 DER CRL
GTS CA 1O1 RSA 2048, SHA-256 df:e2:07:0c:79:e7:ff:36:a9:25:ff:a3:27:ff:e3:de:ec:f8:f9:c2 Dec 15, 2021 DER CRL
GTS CA 1D2 RSA 2048, SHA-256 88:4c:fc:da:54:38:5a:12:43:5e:84:7a:5f:6b:16:7a:8c:be:1e:41 Dec 15, 2021 DER
GIAG4 RSA 2048, SHA-256 bd:1f:9a:24:e0:7d:4b:35:72:6e:d7:f0:65:7a:6f:d9:47:1a:06:72 Dec 15, 2021 DER
GS Root R4 GIAG3 ECC ECC 256, SHA-256 e0:f8:0b:f7:01:28:7c:00:51:00:c9:15:c9:f4:3b:21:19:d9:cf:96 Jun 15, 2027 DER CRL
GIAG4 ECC ECC 256, SHA-256 67:5c:c5:44:ce:97:be:5f:a8:27:9e:6a:d7:1a:b6:3b:fb:4f:9a:ab Nov 1, 2028 DER

Externally operated subordinate CAs

The following (only non-revoked and non-expired) certificates have a CA listed above as the issuer.

Name Public Key Fingerprint (SHA1) Valid Until Links
GS EV CA SHA2 G2 RSA 2048, SHA-256 65:be:10:2b:e2:69:28:65:0e:0e:f5:4d:c8:f4:f1:5a:f5:f9:8e:8b Dec 15, 2021 DER
Audit Statement

Third-party subordinate CAs

The following CAs have been created by external CAs upon Google request, but are not part of Google PKI.

Name Public Key Fingerprint (SHA1) Valid Until Links
Google CA1 RSA 2048, SHA-256 0d:16:ea:80:3b:21:58:d8:c5:e7:5b:86:7a:5c:4d:83:bf:5b:34:d8 Aug 25, 2025 DER
GTS CA 1D3 RSA 2048, SHA-256 d7:e5:70:07:59:c3:cd:c6:38:e3:db:2d:b1:dd:14:67:2a:cd:6d:b7 May 28, 2021 DER

Private CAs, not included in Root programs

The following constrained CAs are operated by Google for special purposes. They are not included in Root programs and are not covered by WebTrust audits.

Name Public Key Fingerprint (SHA1) Valid Until Links
GTS LTSR ECC 256, SHA-256 d5:8c:a7:a1:b4:1f:f8:fe:4d:63:7f:ee:ff:ae:50:4a:aa:ff:4f:6f Nov 1, 2042 DER
GTS LTSX1 ECC 256, SHA-256 ef:2b:94:0d:82:a9:66:23:e7:94:34:c9:a8:bd:72:89:51:7d:24:85 Nov 1, 2028 DER

Reporting Incidents

If you are looking to report a security incident involving Google certificates, please follow the steps outlined at Google security and product safety.


Contact the Google PKI team at

Audit Reports

WebTrust Trust Services Criteria for CAs seal WebTrust for CAs Baseline Requirements seal