In order to make testing as easy as possible we have set up https://­cert-test.­sandbox.­google.­com , which requires points 1–3 to be met in order to make a successful connection. Thus, if your TLS client can’t connect to that host then you need to update your libraries or configuration.

No longer serving a cross-sign to Equifax

At the moment the certificate chains that Google properties serve most often include a cross-sign from our CA, GeoTrust, to our previous CA, Equifax. This allows clients that only trust our previous CA to continue to function. However, this cross-sign is only a transitional workaround for such clients and we will be removing it in the future. Clients that include our required set of root CAs (at https://pki.google.com/roots.pem ) will not be affected, but any that don’t include the needed GeoTrust root may stop working.