Google certificates are issued by different CAs depending on the current business needs and best practices. Certificate chains cannot be considered static. Certificate type may also change at any time. Clients must be able to handle both RSA and ECDSA certificates. Post-quantum ciphers (PQC) and hybrid PQC will be added as soon as the CA/Browser Forum standardizes PQC parameters for the Web PKI.

Developers of applications and services connecting to Google services must take this into consideration and never hardcode Intermediate or Root Certificate Authorities. Developers should instead build a robust mechanism to update the set of CAs trusted by their applications and services.

Google services' certificates can be issued by any of the Certificate Authority from this regularly updated list. Applications connecting to Google services should trust all the Certificate Authorities from that list. Beware that some tools do not support working with a PEM file that contains multiple certificates bundled together. We also maintain a Java KeyStore version of the list.

It is recommended that developers keep their trust stores in sync with the curated root CA bundle above on at least a semi-annual basis. Having sufficient cryptographic agility and accepting all allowed certificate types is required to ensure Google services can be reached.