caption: Determines whether the built-in certificate verifier
will enforce constraints encoded into trust anchors loaded from the platform
trust store.
default: true
deprecated: true
desc: |-
X.509 certificates may encode constraints, such as Name Constraints,
in extensions in the certificate. RFC 5280 specifies that enforcing such
constraints on trust anchor certificates is optional. Starting in
<ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> 112, such constraints
in certificates loaded from the platform certificate store will now be
enforced.
This policy exists as a temporary opt-out in case an enterprise encounters
issues with the constraints encoded in their private roots. In that case this
policy may be used to temporarily disable enforcement of the constraints
while correcting the certificate issues.
When this policy is not set, or is set to enabled,
<ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will enforce
constraints encoded into trust anchors loaded from the platform trust store.
When this policy is set to disabled,
<ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> will not enforce
constraints encoded into trust anchors loaded from the platform trust store.
In <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> version 112,
this policy has no effect if the
<ph name="CHROME_ROOT_STORE_ENABLED_POLICY_NAME">ChromeRootStoreEnabled</ph>
policy is disabled.
This policy was removed in
<ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> version 126. Starting
that version, constraints in trust anchors are always enforced.
example_value: false
features:
dynamic_refresh: true
per_profile: false
items:
- caption: Enforce constraints in locally added trust anchors
value: true
- caption: Do not enforce constraints in locally added trust anchors
value: false
owners:
- [email protected]
- file://net/cert/OWNERS
schema:
type: boolean
supported_on:
- chrome.win:112-127
- chrome.mac:112-127
- chrome.linux:112-127
- chrome_os:112-127
tags: []
type: main
Codebase Browser
chromium