March 2025 - Alternate Chains Update

Google Trust Services provides alternate certificate chains. For a given leaf certificate, there may
be multiple validation paths to root CAs/trust anchors.

This optional feature may be useful to sites that wish to serve a shorter certificate chain
or need to test root migrations. For those not explicitly using this feature, Google Trust
Services will continue providing the chain that we believe is the best fit for standard use
cases.

As an example, Google Trust Services may provide the following chains (the trust anchors in
parentheses are not included in the certificate chains):

  Leaf certificate ← WR1 ← GTS Root R1 (← GlobalSign Root CA)
      This chain maximizes compatibility with legacy clients by including a GTS Root R1 cross-sign from
      GlobalSign Root CA. GlobalSign Root CA is one of the most tenured root CAs. It provides the highest
      compatibility for legacy clients and devices with infrequently updated trust stores.

  Leaf certificate ← WR1 (← GTS Root R1)
      This chain optimizes for performance by being shorter and thus requiring fewer bytes to be sent
      over the wire, and one less step in the chain validation process. Nearly all modern clients and
      devices include GTS Root R1 (and other GTS roots) in their trust store. Devices and clients older
      than 2018 may not be compatible without a trust store update.

During the certificate download step of the ACME protocol, the URLs of the alternate chains are
provided as additional link relation HTTP header fields, as specified in RFC 8555. ACME clients may
download the alternate chains from those URLs and select the chain that best fits their use case.
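
The client-side handling described above, as an added example (not Google Trust Services or ACME client code): it extracts the rel="alternate" targets from the Link header fields of a certificate download response and picks the chain with the fewest certificates. The host, paths, certificate bodies and function names are constructed for illustration, and the same-origin filter is a policy choice of this example.

```python
import re
from urllib.parse import urljoin, urlsplit

# One link-value: <target> followed by ;name=value parameters (quoted or bare).
_LINK = re.compile(r'<([^>]*)>((?:\s*;\s*[\w*-]+(?:\s*=\s*(?:"[^"]*"|[^",;\s]+))?)*)')
_PARAM = re.compile(r';\s*([\w*-]+)(?:\s*=\s*(?:"([^"]*)"|([^",;\s]+)))?')

def alternate_urls(cert_url, link_headers):
    """Return rel="alternate" targets, resolved against cert_url, same origin only."""
    origin = urlsplit(cert_url)[:2]  # (scheme, host[:port])
    found = []
    for header in link_headers:
        for target, params in _LINK.findall(header):
            rels = [(q or b).lower().split()
                    for name, q, b in _PARAM.findall(params) if name.lower() == "rel"]
            if not rels or "alternate" not in rels[0]:
                continue
            url = urljoin(cert_url, target)  # Link targets may be relative
            # Policy choice of this example, not an RFC 8555 requirement:
            # ignore alternates that point away from the ACME server's origin.
            if urlsplit(url)[:2] == origin and url not in found:
                found.append(url)
    return found

def chain_length(pem_text):
    """Number of certificates in a PEM chain (leaf included)."""
    return len(re.findall(r"^-----BEGIN CERTIFICATE-----", pem_text, re.M))

def pick_shortest(chains):
    """chains maps URL -> PEM text; ties keep the earlier entry."""
    usable = {u: p for u, p in chains.items() if chain_length(p) > 0}
    if not usable:
        raise ValueError("no certificate chain found")
    return min(usable, key=lambda u: chain_length(usable[u]))

# Constructed sample data (placeholder host, paths and certificate bodies).
CERT_URL = "https://acme.example/cert/abc"
LINKS = [
    '<https://acme.example/directory>;rel="index"',
    '</cert/abc/1>;rel="alternate", <https://other.example/cert/x>; rel=alternate',
]

def sample_pem(n):
    block = "-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n"
    return block * n

if __name__ == "__main__":
    alts = alternate_urls(CERT_URL, LINKS)
    # e.g. leaf + WR1 + cross-signed GTS Root R1 versus leaf + WR1
    chains = {CERT_URL: sample_pem(3), alts[0]: sample_pem(2)}
    print(alts, "->", pick_shortest(chains))
```

A client that needs the legacy-compatible chain would select on the issuer of the topmost certificate instead of on length, which requires an X.509 parser and is not shown here.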