Disable Certificate Transparency enforcement for a list of Legacy Certificate Authorities

Disables enforcing Certificate Transparency requirements for a list of Legacy Certificate Authorities.

This policy allows disabling Certificate Transparency disclosure requirements for certificate chains that contain certificates with one of the specified subjectPublicKeyInfo hashes. This allows certificates that would otherwise be untrusted, because they were not properly publicly disclosed, to continue to be used for Enterprise hosts.

In order for Certificate Transparency enforcement to be disabled when this policy is set, the hash must be of a subjectPublicKeyInfo appearing in a CA certificate that is recognized as a Legacy Certificate Authority (CA). A Legacy CA is a CA that has been publicly trusted by default on one or more operating systems supported by Google Chrome, but is not trusted by the Android Open Source Project or Google Chrome OS.

A subjectPublicKeyInfo hash is specified by concatenating the hash algorithm name, the "/" character, and the Base64 encoding of that hash algorithm applied to the DER-encoded subjectPublicKeyInfo of the specified certificate. This Base64 encoding is the same format as an SPKI Fingerprint, as defined in RFC 7469, Section 2.4. Unrecognized hash algorithms are ignored. The only supported hash algorithm at this time is "sha256".

If this policy is not set, any certificate that is required to be disclosed via Certificate Transparency will be treated as untrusted if it is not disclosed according to the Certificate Transparency policy.

Example value:


Supported on: At least Microsoft Windows 7 or Windows Server 2008 family

Registry Path: Software\Policies\Google\Chrome\CertificateTransparencyEnforcementDisabledForLegacyCas
Value Name: {number}
Value Type: REG_SZ
Default Value:
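The hash format described above ("sha256/" followed by the Base64 SPKI fingerprint of RFC 7469, Section 2.4) and the numbered REG_SZ registry layout listed here are easy to get subtly wrong, so the following added example shows both end to end. It is not Chrome's code or part of the policy documentation; the function names are mine, the subjectPublicKeyInfo is a constructed toy RSA structure (not a Legacy CA key), and the registry path and `{number}` value-name scheme are taken from the documentation above.

```python
import base64
import binascii
import hashlib

# Registry location named in the policy documentation; entries are numbered REG_SZ values.
REGISTRY_KEY = (r"HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome"
                r"\CertificateTransparencyEnforcementDisabledForLegacyCas")

# Only "sha256" is recognised by the policy at this time; other algorithms are ignored.
SUPPORTED_ALGORITHMS = {"sha256": 32}  # name -> digest length in bytes


def _der_length(n: int) -> bytes:
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value element."""
    return bytes([tag]) + _der_length(len(body)) + body


def constructed_rsa_spki() -> bytes:
    """Constructed (toy) DER subjectPublicKeyInfo carrying the rsaEncryption OID.

    The modulus and exponent are placeholders, not a real key; only the DER
    shape matters for demonstrating how the fingerprint is calculated.
    """
    rsa_encryption_oid = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1
    algorithm = _tlv(0x30, rsa_encryption_oid + b"\x05\x00")      # SEQUENCE { OID, NULL }
    modulus = _tlv(0x02, bytes(range(1, 33)))                     # INTEGER (placeholder)
    exponent = _tlv(0x02, b"\x01\x00\x01")                        # INTEGER 65537
    rsa_public_key = _tlv(0x30, modulus + exponent)               # RSAPublicKey SEQUENCE
    bit_string = _tlv(0x03, b"\x00" + rsa_public_key)             # BIT STRING, 0 unused bits
    return _tlv(0x30, algorithm + bit_string)


def spki_hash_value(spki_der: bytes, algorithm: str = "sha256") -> str:
    """Policy entry: '<alg>/' + Base64(alg(DER subjectPublicKeyInfo)), per RFC 7469 s2.4."""
    if algorithm not in SUPPORTED_ALGORITHMS:
        raise ValueError(f"unsupported hash algorithm: {algorithm}")
    digest = hashlib.new(algorithm, spki_der).digest()
    return f"{algorithm}/{base64.b64encode(digest).decode('ascii')}"


def parse_policy_value(value: str):
    """Validate one entry the way the policy treats it.

    Returns (algorithm, digest) for a well-formed sha256 entry, or None for an
    unrecognised algorithm or malformed Base64 (entries Chrome would ignore).
    """
    algorithm, sep, encoded = value.partition("/")  # Base64 may itself contain '/'
    if not sep or algorithm not in SUPPORTED_ALGORITHMS:
        return None
    try:
        digest = base64.b64decode(encoded, validate=True)
    except binascii.Error:
        return None
    if len(digest) != SUPPORTED_ALGORITHMS[algorithm]:
        return None
    return algorithm, digest


def render_reg_file(values) -> str:
    """Render the numbered REG_SZ layout from the documentation as a .reg file."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{REGISTRY_KEY}]"]
    for number, value in enumerate(values, start=1):
        # Refuse silently-ignored entries so a typo does not leave a CA un-exempted.
        if parse_policy_value(value) is None:
            raise ValueError(f"entry would be ignored by the policy: {value!r}")
        lines.append(f'"{number}"="{value}"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    entry = spki_hash_value(constructed_rsa_spki())
    print(entry)
    print(render_reg_file([entry]))
```

For a real Legacy CA certificate the same string is produced by hashing the DER SPKI exported from it, e.g. `openssl x509 -in ca.pem -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | openssl base64`, then prefixing the output with `sha256/`. Validating each entry before writing it matters because an unrecognised algorithm name or bad Base64 is ignored rather than reported, which would leave the CA's chains treated as untrusted.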
