CertificateTransparencyEnforcementDisabledForCas

Disable Certificate Transparency enforcement for a list of subjectPublicKeyInfo hashes

Supported on:

  • Google Chrome (Linux, Mac, Windows) since version 67
  • Google ChromeOS (Google ChromeOS) since version 67
  • Google Chrome (Android) since version 67
Description:

    Setting the policy turns off enforcement of Certificate Transparency disclosure requirements for a list of subjectPublicKeyInfo hashes. Enterprise hosts can keep using certificates that otherwise wouldn't be trusted (because they weren't properly publicly disclosed). To turn off enforcement, the hash must meet one of these conditions:

    * It's of the server certificate's subjectPublicKeyInfo.

    * It's of a subjectPublicKeyInfo that appears in a Certificate Authority (CA) certificate in the certificate chain. That CA certificate is constrained through the X.509v3 nameConstraints extension, one or more directoryName nameConstraints are present in the permittedSubtrees, and the directoryName has an organizationName attribute.

    * It's of a subjectPublicKeyInfo that appears in a CA certificate in the certificate chain, the CA certificate has one or more organizationName attributes in the certificate Subject, and the server's certificate has the same number of organizationName attributes, in the same order, and with byte-for-byte identical values.

    Specify a subjectPublicKeyInfo hash by concatenating the hash algorithm name, a slash, and the Base64 encoding of that hash algorithm applied to the DER-encoded subjectPublicKeyInfo of the specified certificate. The Base64 encoding format matches that of an SPKI Fingerprint. The only recognized hash algorithm is sha256; others are ignored.

    Leaving the policy unset means that if certificates requiring disclosure through Certificate Transparency aren't disclosed, then Google Chrome doesn't trust those certificates.
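
The hash format described above, worked through as an added example (not part of the original policy page or of Chrome's code): a standard-library DER walker that pulls the complete subjectPublicKeyInfo encoding out of a certificate and emits the `sha256/<Base64>` entry. The function names and the sample certificate are constructed for illustration; the sample carries a dummy key and empty name fields.

```python
import base64
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def spki_from_cert(der):
    """Return subjectPublicKeyInfo as its complete DER encoding (tag, length, value)."""
    _, body, _ = read_tlv(der, 0)            # Certificate
    _, pos, tbs_end = read_tlv(der, body)    # tbsCertificate
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                          # optional [0] version
        pos = end
    for _ in range(5):  # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(der, pos)
    tag, _, end = read_tlv(der, pos)
    if tag != 0x30 or end > tbs_end:
        raise ValueError("subjectPublicKeyInfo not found")
    return der[pos:end]

def policy_entry(cert):
    """Return 'sha256/<Base64>' for a PEM or DER certificate given as bytes."""
    if b"-----BEGIN CERTIFICATE-----" in cert:
        body = cert.split(b"-----BEGIN CERTIFICATE-----")[1]
        cert = base64.b64decode(b"".join(body.split(b"-----END")[0].split()))
    digest = hashlib.sha256(spki_from_cert(cert)).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")

def tlv(tag, value):
    """Encode one DER element; used here only to build the constructed sample."""
    size = len(value)
    raw = size.to_bytes((size.bit_length() + 7) // 8, "big")
    head = bytes([size]) if size < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + value

# Constructed sample, not a real certificate: empty name/validity fields and a dummy key.
SAMPLE_SPKI = tlv(0x30, tlv(0x30, tlv(0x06, b"\x2b\x65\x70")) + tlv(0x03, b"\x00" + bytes(range(32))))
SAMPLE_TBS = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"") * 4 + SAMPLE_SPKI)
SAMPLE_CERT = tlv(0x30, SAMPLE_TBS + tlv(0x30, b"") + tlv(0x03, b"\x00"))
if __name__ == "__main__":
    print(policy_entry(SAMPLE_CERT))
```

The digest covers the whole SPKI element including its tag and length bytes, so the same key yields the same entry across reissued certificates, and a SHA-256 entry is always 44 Base64 characters after the slash.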

    Supported features:

    • Dynamic Policy Refresh : Yes
    • Per Profile : Yes

    Data type:

    List of strings (Android: string)

    Windows registry location:

    Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForCas

    Mac/Linux preference name:

    CertificateTransparencyEnforcementDisabledForCas

    Android restriction name:

    CertificateTransparencyEnforcementDisabledForCas

    Example value (Windows):

    Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForCas\1 = sha256/AAAAAAAAAAAAAAAAAAAAAA==
    Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForCas\2 = sha256//////////////////////w==

    Example value (ChromeOS with Active Directory management):

    line 1 = sha256/AAAAAAAAAAAAAAAAAAAAAA==
    line 2 = sha256//////////////////////w==

    Example value (Linux):

    [
     "sha256/AAAAAAAAAAAAAAAAAAAAAA==",
     "sha256//////////////////////w=="
    ]

    Example value (Android):

    [
     "sha256/AAAAAAAAAAAAAAAAAAAAAA==",
     "sha256//////////////////////w=="
    ]

    Example value (Mac):

    <array>
    <string>sha256/AAAAAAAAAAAAAAAAAAAAAA==</string>
    <string>sha256//////////////////////w==</string>
    </array>