Repository of Documentation and Certificates

The Google Public Key Infrastructure (“Google PKI”), has been established by Google Trust Services, LLC (“Google”), to enable reliable and secure identity authentication, and to facilitate the preservation of confidentiality and integrity of data in electronic transactions.

CA certificates

Root CAs

Name Public Key Fingerprint (SHA1) Valid Until Links Tests
GTS Root R1 RSA 4096 e1:c9:50:e6:ef:22:f8:4c:56:45:72:8b:92:20:60:d7:d5:a7:a3:e8 Jun 22, 2036 DER CRL g r e
GTS Root R2 RSA 4096 d2:73:96:2a:2a:5e:39:9f:73:3f:e1:c7:1e:64:3f:03:38:34:fc:4d Jun 22, 2036 DER CRL g r e
GTS Root R3 ECC 384 30:d4:24:6f:07:ff:db:91:89:8a:0b:e9:49:66:11:eb:8c:5e:46:e5 Jun 22, 2036 DER CRL g r e
GTS Root R4 ECC 384 2a:1d:60:27:d9:4a:b1:0a:1c:4d:91:5c:cd:33:a0:cb:3e:2d:54:cb Jun 22, 2036 DER CRL g r e
GS Root R2 RSA 2048 75:e0:ab:b6:13:85:12:27:1c:04:f8:5f:dd:de:38:e4:b7:24:2e:fe Dec 15, 2021 DER CRL g r e
GS Root R4 ECC 256 69:69:56:2e:40:80:f4:24:a1:e7:19:9f:14:ba:f3:ee:58:ab:6a:bb Jan 19, 2038 DER CRL g r e

You can test whether your products are compatible with our roots by following the test links for each root.

Cross-signed Root CAs

Name Cross-signed by Public Key Fingerprint (SHA1) Valid Until Links Tests
GTS Root R1 GlobalSign Root CA RSA 4096 77:bd:0d:6c:db:36:f9:1a:ea:21:0f:c4:f0:58:d3:0d Jan 28, 2028 DER CRL g r e

Subordinate CAs

Issuer Name Public Key Fingerprint (SHA1) Valid Until Links
GTS Root R1 GTSY1 RSA 2048 cd:88:fa:9d:ca:57:2c:5b:8c:3e:ed:3d:a2:e2:62:45:75:46:3f:30 Nov 1, 2028 DER CRL
GTS Root R2 GTSY2 RSA 2048 ee:4b:6b:b1:8f:4c:d1:53:2e:59:1a:19:51:39:49:b1:bf:96:a8:fb Nov 1, 2028 DER CRL
GTS Root R3 GTSY3 ECC 256 76:2c:6a:94:dc:8a:51:34:84:84:9d:6a:60:10:27:7d:0f:ff:97:2a Jan 30, 2030 DER CRL
GTS Root R4 GTSY4 ECC 256 6b:2b:4a:95:87:8c:f5:a9:42:f6:4c:f3:d5:45:f7:70:c8:2b:14:19 Jan 30, 2030 DER CRL
GS Root R2 GTS CA 1O1 RSA 2048 df:e2:07:0c:79:e7:ff:36:a9:25:ff:a3:27:ff:e3:de:ec:f8:f9:c2 Dec 15, 2021 DER CRL
GTS CA 1D2 RSA 2048 88:4c:fc:da:54:38:5a:12:43:5e:84:7a:5f:6b:16:7a:8c:be:1e:41 Dec 15, 2021 DER CRL
GIAG4 RSA 2048 bd:1f:9a:24:e0:7d:4b:35:72:6e:d7:f0:65:7a:6f:d9:47:1a:06:72 Dec 15, 2021 DER CRL
GS Root R4 GIAG4 ECC ECC 256 67:5c:c5:44:ce:97:be:5f:a8:27:9e:6a:d7:1a:b6:3b:fb:4f:9a:ab Nov 1, 2028 DER CRL

Externally operated subordinate CAs

The following (only non-revoked and non-expired) certificates have a CA listed above as the issuer.

We no longer have non-revoked, non-expired, externally operated subordinate CAs.

Third-party subordinate CAs

The following CAs have been created by external CAs upon Google request, but are not part of Google PKI.

Name Public Key Fingerprint (SHA1) Valid Until Links
Google CA1 RSA 2048 0d:16:ea:80:3b:21:58:d8:c5:e7:5b:86:7a:5c:4d:83:bf:5b:34:d8 Aug 25, 2025 DER
GTS CA 1D3 RSA 2048 d7:e5:70:07:59:c3:cd:c6:38:e3:db:2d:b1:dd:14:67:2a:cd:6d:b7 May 28, 2021 DER

Private CAs, not included in Root programs

The following constrained CAs are operated by Google for special purposes. They are not included in Root programs and are not covered by WebTrust audits.

Name Public Key Fingerprint (SHA1) Valid Until Links
GTS LTSR ECC 256 d5:8c:a7:a1:b4:1f:f8:fe:4d:63:7f:ee:ff:ae:50:4a:aa:ff:4f:6f Nov 1, 2042 DER
GTS LTSX ECC 256 86:01:b1:60:2d:dc:3b:a8:af:b9:92:82:83:d0:d7:d7:70:30:66:83 Apr 1, 2029 DER

Reporting Incidents

If you are looking to report a security incident involving Google certificates, please follow the steps outlined at Google security and product safety.

Contact

Contact the Google PKI team at contact@pki.goog. We will use the information you give us to respond to your request and to improve our services subject to Google's general privacy policy.

Audit Reports

WebTrust Trust Services Criteria for CAs seal WebTrust for CAs Baseline Requirements seal