Chrome's root store policy now requires dedicated CA hierarchies exclusively for TLS server authentication, ending support for client authentication, S/MIME, and code signing by June 2026. Major CAs like DigiCert and Sectigo have already stopped issuing multipurpose certificates. While this strengthens Web PKI security by preventing cross-purpose certificate misuse, it creates challenges for mTLS use cases and threatens Certificate Transparency coverage as new Internet PKI hierarchies emerge without CT requirements. The change highlights the need for a comprehensive public root program that can enforce CT and security standards across all PKI use cases beyond just browser traffic.