Disable Certificate Transparency enforcement for a list of Legacy Certificate Authorities

Setting the policy turns off enforcement of Certificate Transparency disclosure requirements for a list of Legacy Certificate Authorities (CA) for certificate chains with a specified subjectPublicKeyInfo hash. Enterprise hosts can keep using certificates that otherwise wouldn't be trusted (because they weren't properly publicly disclosed). To turn off enforcement, the subjectPublicKeyInfo hash must appear in a CA certificate recognized as a Legacy CA. A Legacy CA is publicly trusted by one or more operating systems supported by Google Chrome, but not Android Open Source Project or Google Chrome OS.

Specify a subjectPublicKeyInfo hash by concatenating the hash algorithm name, a slash, and the Base64 encoding of that hash algorithm applied to the DER-encoded subjectPublicKeyInfo of the specified certificate. The Base64 encoding format matches that of an SPKI Fingerprint. The only recognized hash algorithm is sha256; others are ignored.

Leaving the policy unset means that if certificates requiring disclosure through Certificate Transparency aren't disclosed, then Google Chrome doesn't trust those certificates.

Example value:

sha256/AAAAAAAAAAAAAAAAAAAAAA==
sha256//////////////////////w==
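
The following is an added example, not part of the original policy documentation or of Chrome's code: it derives the `sha256/<Base64>` string from a DER-encoded certificate using only the Python standard library, and also checks whether an existing entry is well-formed (a SHA-256 digest is always 32 bytes). All function names are hypothetical, and the sample certificate is a constructed, unsigned skeleton.

```python
import base64
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, element_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def extract_spki(cert_der):
    """Return the full DER encoding of subjectPublicKeyInfo from an X.509 certificate."""
    _, pos, _ = read_tlv(cert_der, 0)            # outer Certificate SEQUENCE
    _, pos, tbs_end = read_tlv(cert_der, pos)    # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                              # optional [0] version field
        pos = end
    for _ in range(5):  # skip serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    tag, _, end = read_tlv(cert_der, pos)
    if tag != 0x30 or end > tbs_end:
        raise ValueError("subjectPublicKeyInfo not found")
    return cert_der[pos:end]

def policy_entry(cert_der):
    """Build the 'sha256/<Base64>' string in the format the policy describes."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")

def entry_is_wellformed(entry):
    """True if entry is 'sha256/' followed by Base64 of exactly 32 bytes."""
    alg, _, b64 = entry.partition("/")  # first slash only; Base64 may contain '/'
    try:
        return alg == "sha256" and len(base64.b64decode(b64, validate=True)) == 32
    except ValueError:
        return False

def tlv(tag, value):  # minimal DER encoder, only for building the sample below
    size = (len(value).bit_length() + 7) // 8
    head = bytes([len(value)]) if len(value) < 0x80 else bytes([0x80 | size]) + len(value).to_bytes(size, "big")
    return bytes([tag]) + head + value

# Constructed, unsigned certificate skeleton (not a real CA certificate).
SAMPLE_SPKI = tlv(0x30, tlv(0x30, b"") + tlv(0x03, b"\x00" + bytes(range(140))))
_TBS = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"") * 4 + SAMPLE_SPKI
SAMPLE_CERT = tlv(0x30, tlv(0x30, _TBS) + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```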

Supported on: At least Microsoft Windows 7 or Windows Server 2008 family

Registry Hive: HKEY_CURRENT_USER
Registry Path: Software\Policies\Google\ChromeOS\CertificateTransparencyEnforcementDisabledForLegacyCas
Value Name: {number}
Value Type: REG_SZ
Default Value:

chromeos.admx
