the Chromium logo

The Chromium Projects

Apply for Inclusion

Last updated: 2023-01-25

The Chrome Root Program policy defines the minimum requirements that must be met by Certification Authority (CA) owners for both initial and continued inclusion in the Chrome Root Store.

Google includes or removes self-signed root CA certificates in the Chrome Root Store as it deems appropriate at its sole discretion. The selection and ongoing inclusion of CA certificates is done to enhance the security of Chrome and promote interoperability. CA certificates that do not provide a broad service to all browser users will not be added to, or may be removed from the Chrome Root Store. CA certificates included in the Chrome Root Store must provide value to Chrome end users that exceeds the risk of their continued inclusion.

Inclusion Processing

The Chrome Root Program and corresponding Root Store processes inclusion requests and requests for changes through the Common CA Database (CCADB). CA owners who satisfy all of the requirements in the Chrome Root Program policy may apply.

The application process includes:

  1. A CA owner requests and gains access to CCADB (if not already granted access).
  2. A CA owner adds a root CA certificate to CCADB and completes an “Add/Update Root Request” in CCADB, with all tabs populated with information.
  3. A CA owner submits a “Root Inclusion Request” in CCADB.
  4. The Chrome Root Program performs an initial review of the information included in CCADB to ensure completeness and compliance with the minimum requirements.
  5. A CCADB public discussion period ensues.
  6. The Chrome Root Program performs a detailed review of all information provided in CCADB and publicly available (to include output from the CCADB public discussion).
  7. The Chrome Root Program makes a final determination and communicates it to the CA owner.

Typically, applications are processed on a first-in, first-out basis, with priority given to those replacing an existing root CA certificate already included in the Chrome Root Store. The Chrome Root Program takes as much time to process applications as needed to ensure user security, and makes no guarantees on application processing time. The Chrome Root Program may apply additional application review weighting criteria as it sees necessary or valuable to Chrome user security. At any point, the Chrome Root Program may contact the applicant during its review seeking additional or clarifying information. Applicants are expected to provide the requested information in a timely manner.

Ultimately, in order for a CA owner’s inclusion request to be accepted, it must clearly demonstrate the value proposition for the security and privacy of Chrome’s end users exceeds the corresponding risk of inclusion.

Root CA certificates approved for distribution will be added to the Chrome Root Store on approximately, but not limited to, a quarterly basis. However, the Chrome Root Program offers no guarantees related to the timeliness of CA certificate distribution.

Inclusion Rejection

The Chrome Root Program will reject inclusion requests where an applicant does not meet the minimum requirements defined by the Chrome Root Program policy.

The Chrome Root Program may reject requests for inclusion into the Chrome Root Store as deemed appropriate, and is not obligated to justify any inclusion decision.

Illustrative factors for application rejection may include:

Actions in this list are only illustrative and considerations for rejection are not limited to this list.

Depending on the reason for application rejection, the Chrome Root Program, at its sole discretion, may: