Repository

Download certificates and learn more about our policies and issuance practices.

Which Certificate Authorities (CAs) does Google Trust Services operate?

Google Trust Services operates a number of CAs in accordance with our Certificate Practices Statement (CPS) and Certificate Policy (CP).

Certificate Practices Statement (CPS)

Our Certificate Practices Statement provides information about the types of certificates we issue, and how we ensure they are trusted.

Download the GTS CPS <version> for certificates issued on or after <date>

Certificate Policy (CP)

Our Certificate Policy states which organizations belong to the Google Trust Services public key infrastructure (PKI) and defines what their roles and duties are.

Download the GTS CP <version> for certificates issued on or after <date>

Your rights and responsibilities

Use of Google Trust Services is subject to the Subscriber Agreement and the Relying Party Agreement.

Subscriber Agreement

The Subscriber Agreement describes your responsibilities as a user who has requested a certificate.

Download the Subscriber Agreement <version> for certificates issued on or after <date>

Relying Party Agreement

The Relying Party Agreement describes the responsibilities of everyone who relies on a certificate that the service has issued for a website.

Download the Relying Party Agreement <version> for certificates issued on or after <date>

Download CA certificates

Root CAs

You can test whether your products are compatible with our roots by following the test links for each root.

We do not currently operate root CAs.

Subordinate CAs

The following CAs have been created to support direct or indirect certificate issuance.

We do not currently operate subordinate CAs.

Externally operated subordinate CAs

The following non-revoked, non-expired subordinate CAs are externally operated.

We do not currently have non-revoked, non-expired, externally operated subordinate CAs.

Third-party subordinate CAs

The following CAs have been created by external CAs upon Google's request, but are not part of the Google PKI.

We do not currently have non-revoked, non-expired, externally operated subordinate CAs.

Private CAs, not included in Root programs

The following CAs are operated by Google for special purposes. They are not included in Root programs and are not covered by WebTrust audits.

Technically constrained CAs

The following CAs are technically constrained. They are not covered by WebTrust audits.

Historical Root CAs

The following Root CAs have been deprecated.

We do not currently have non-expired deprecated Root CAs.

Revoked subordinate CAs

The following subordinate CAs have been revoked.

We do not currently have non-expired revoked subordinate CAs.