Google Maps Platform Root CA migration [186840968]

Fixed

Process

Status Update

No update yet.

Description

jh...@google.com

created issue #1

Apr 30, 2021 12:49PM

Dear Developers,

As announced on March 15 2021 on the Google Security Blog, GS Root R2, the root CA Google Maps Platform has used since early 2018 will expire on December 15, 2021. Therefore, our services must switch to certificates issued by another certificate authority, GTS Root R1 Cross, and developers should expect that their Google Maps Platform clients will authenticate against this CA in the coming years. To smooth this transition, GTS Root R1 Cross is cross-signed both by Google's own GTS Root R1 and GlobalSign Root CA - R1.

This means that our services will gradually transition to TLS leaf certificates issued by this new CA.

Almost all modern TLS clients and systems are already preconfigured with the GTS Root R1 certificate or should receive it via normal software updates, and GlobalSign Root CA - R1 should even be available on older legacy systems.

However, you should verify your systems at least if both the following points apply:

your services run on non-standard or legacy platforms and/or you maintain your own root certificates store
you did not take action in 2017-2018, during the first phase of Google's root CA migration, or you did not install the full set of certificates from the trusted Google root CA bundle

Tip: To future-proof your application, we recommend you add all certificates from the curated list in trusted Google root CA bundle to your root certificates store, and make a habit of keeping the two in sync.

Important: If your services are unable to connect to Google Maps Platform services because of this Root CA migration, section What to do in a production outage in our newly updated Google Maps Platform Root CA Migration FAQ provides further instructions.

Note: We are aware of some customers having reported difficulties connecting to Google Maps Platform servers under the the googleapis.com domain following an experiment using certificates issued by GTS Root R1 Cross rolling out to a limited number of Google frontend servers. We initiated a rollback of this experiment following these reports, but you should expect the rollout to resume on the week of May 24, 2021.

For further tips and context, please refer to the updated Google Maps Platform Root CA Migration FAQ.

Comments

vi...@google.com <vi...@google.com> May 5, 2021 10:00AM

Reassigned to vi...@google.com.

ma...@google.com <ma...@google.com> #2May 20, 2021 02:41PM

This is to confirm that we plan to resume the rollout of the new cross-signed root CA certificate as described in #comment1.

The rollout will be very gradual, with incremental launches across the Google Maps Platform services and regions, and its phases will proceed depending on engineering evaluations rather than by a defined timetable. The change will be transparent to the vast majority of Google Maps Platform API clients, including all mainstream maintained OS versions.

For more information, please see the FAQ resources listed in #comment1, including the "What to do in a production outage" link which points to primary resolution steps and support information.

jh...@google.com <jh...@google.com> #3Aug 9, 2021 02:15PM

We have been made aware of several customer issues in the past few days with SSL/TLS due to this rollout having resumed.

At this stage, the best course of action is to ensure that your client TLS stack can dynamically work with intermediary certificates signed by any of the (~40) root CAs from

https://pki.goog/roots.pem.

In other words, the root CA signing intermediary certificates for requests to

https://maps.googleapis.com/* cannot be assumed to be static, nor can the set of root CAs be expected not to change before they expire.

We have published FAQs at the following addresses:

https://pki.goog/faq/ is more high-level, and

https://developers.google.com/maps/root-ca-faq is more technical.

Message last modified on Aug 10, 2021 01:31PM

jh...@google.com <jh...@google.com> #4Aug 11, 2021 10:04AM

Please note that many tools will only display and/or import the first certificate from

https://pki.goog/roots.pem, which will not be sufficient to fix this situation.
Here are several sources that can be used to help you split the root.pem file into 1 file per certificate, if required by your tooling and software environment:

-

https://developers.google.com/maps/root-ca-faq#how_do_i_extract_individual_certificates_from_rootspem
-

https://geeklah.com/working_with_pem_files.html
-

https://stackoverflow.com/questions/14660767/keytool-importing-multiple-certificates-in-single-file

As an immediate fix to get your Google Maps Platform requests working again, the main certificate to install is the "GTS Root R1" certificate, which begins at line 896 in the current roots.pem file. Please note that this issue may reoccur in the future if you don't install all the certificates.

vi...@google.com <vi...@google.com> #5Aug 17, 2021 03:25PM

To help customers using Java or Mozilla NSS, we have updated the Java keytool and NSS certutil sections in our Google Maps Platform Root CA Migration FAQ with hands-on instructions for managing your certificate stores using both of these tools.

vi...@google.com <vi...@google.com> #6Sep 1, 2021 12:12PM

Marked as fixed.

Dear developers, the new GTS Root R1 Cross certificates have now fully rolled out to all Google Maps Platform services.

Issue 186840968