What minimum versions of operating systems and browsers are compatible with Google-managed SSL certificates?

Question

Issuers of SSL certificates usually provide documentation of what minimum versions of OSes and browsers are supported by their solutions.

Examples:

However, I was not able to find such documentation for the Google-managed SSL certificates.

I understand that it partially depends on the SSL policy but it must also depend on whether the root certificate that Google uses is in the given OS or browser root certificate store, right?

So what are the exact minimum versions of OSes and browsers that are supported by Google's certificates?

Update 1: maybe I was not specific enough at first, but I meant the minimum versions of these OSes and browsers. Sorry, but answers like "Windows, MacOS, Linux and majors browsers" do not cut it - this is obvious.

score 5 · Answer 1 · answered Jun 22 '23 at 18:57

Google-managed SSL certificates are usually made to work smoothly with modern browsers and operating systems so that they're recognized and trusted. As long as the root certificate of Google Trust Services is in the root certificate store of your browser or operating system, you should be good to go with the SSL certificates issued by Google.

score 1 · Answer 2 · answered Jun 22 '23 at 23:40

Google Managed certificates works with most operating systems and browsers such as Windows, Linux, Chrome, Mozilla, Edge and other chromium based browsers just to name a few. These certificates are issued by Google's own Certificate Authority, that is trusted by major operating systems and browsers, so they should generally work without a problem.

score 1 · Answer 3 · answered Jun 30 '23 at 01:58

As there is no authoritative published information, one way to get the answer you need is to simply test it. SSL Labs have a very good SSL Server Test which you can use to scan a site backed by a Google Managed SSL certificate. You can scan something you host or probably is acceptable to also pick any of the Google-issued sites from a transparency report.

With respect to interoperability, the "Certification Paths" section lists the compatibility with the popular CA stores, and the "Handshake Simulation", sample below, would demonstrate the interoperability with a wide range of systems and libraries. Sample (from a Google-managed SSL-backed certificate site below):

Android 2.3.7   No SNI 2               Server sent fatal alert: handshake_failure
Android 4.0.4                          RSA 2048 (SHA256)  TLS 1.0               TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
Android 4.1.1                          RSA 2048 (SHA256)  TLS 1.0               TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
Android 4.2.2                          RSA 2048 (SHA256)  TLS 1.0               TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
Android 4.3                            RSA 2048 (SHA256)  TLS 1.0               TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
Android 4.4.2                          RSA 2048 (SHA256)  TLS 1.2               TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Android 5.0.0                          RSA 2048 (SHA256)  TLS 1.2               TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Android 6.0                            RSA 2048 (SHA256)  TLS 1.2 > http/1.1    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Android 7.0                            RSA 2048 (SHA256)  TLS 1.2 > h2          TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256   ECDH x25519  FS
Android 8.0                            RSA 2048 (SHA256)  TLS 1.2 > h2          TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256   ECDH x25519  FS
Android 8.1                            -                  TLS 1.3               TLS_CHACHA20_POLY1305_SHA256   ECDH x25519  FS
Android 9.0                            -                  TLS 1.3               TLS_CHACHA20_POLY1305_SHA256   ECDH x25519  FS
Baidu Jan 2015                         RSA 2048 (SHA256)  TLS 1.0               TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
BingPreview Jan 2015                   RSA 2048 (SHA256)  TLS 1.2               TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Chrome 49 / XP SP3                     RSA 2048 (SHA256)  TLS 1.2 > h2          TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Chrome 69 / Win 7  R                   RSA 2048 (SHA256)  TLS 1.2 > h2          TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH x25519  FS
Chrome 70 / Win 10                     -                  TLS 1.3               TLS_AES_128_GCM_SHA256   ECDH x25519  FS
Chrome 80 / Win 10  R                  -                  TLS 1.3               TLS_AES_128_GCM_SHA256   ECDH x25519  FS
Firefox 31.3.0 ESR / Win 7             RSA 2048 (SHA256)  TLS 1.2               TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Firefox 47 / Win 7  R                  RSA 2048 (SHA256)  TLS 1.2 > h2          TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Firefox 49 / XP SP3                    RSA 2048 (SHA256)  TLS 1.2 > h2          TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Firefox 62 / Win 7  R                  RSA 2048 (SHA256)  TLS 1.2 > h2          TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH x25519  FS
Firefox 73 / Win 10  R                 -                  TLS 1.3               TLS_AES_128_GCM_SHA256   ECDH x25519  FS
Googlebot Feb 2018                     RSA 2048 (SHA256)  TLS 1.2               TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH x25519  FS
IE 7 / Vista                           RSA 2048 (SHA256)  TLS 1.0               TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
IE 8 / XP   No FS 1   No SNI 2         Server sent fatal alert: handshake_failure
IE 8-10 / Win 7  R                     RSA 2048 (SHA256)  TLS 1.0               TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
IE 11 / Win 7  R                       RSA 2048 (SHA256)  TLS 1.2               TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
IE 11 / Win 8.1  R                     RSA 2048 (SHA256)  TLS 1.2 > http/1.1    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
IE 10 / Win Phone 8.0                  RSA 2048 (SHA256)  TLS 1.0               TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
IE 11 / Win Phone 8.1  R               RSA 2048 (SHA256)  TLS 1.2 > http/1.1    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
IE 11 / Win Phone 8.1 Update  R        RSA 2048 (SHA256)  TLS 1.2 > http/1.1    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
IE 11 / Win 10  R                      RSA 2048 (SHA256)  TLS 1.2 > h2          TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Edge 15 / Win 10  R                    RSA 2048 (SHA256)  TLS 1.2 > h2          TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH x25519  FS
Edge 16 / Win 10  R                    RSA 2048 (SHA256)  TLS 1.2 > h2          TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH x25519  FS
Edge 18 / Win 10  R                    RSA 2048 (SHA256)  TLS 1.2 > h2          TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH x25519  FS
Edge 13 / Win Phone 10  R              RSA 2048 (SHA256)  TLS 1.2 > h2          TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Java 6u45   No SNI 2                   Server sent fatal alert: handshake_failure
Java 7u25                              RSA 2048 (SHA256)  TLS 1.0               TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
Java 8u161                             RSA 2048 (SHA256)  TLS 1.2               TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Java 11.0.3                            -                  TLS 1.3               TLS_AES_128_GCM_SHA256   ECDH secp256r1  FS
Java 12.0.1                            -                  TLS 1.3               TLS_AES_128_GCM_SHA256   ECDH secp256r1  FS
OpenSSL 0.9.8y                         RSA 2048 (SHA256)  TLS 1.0               TLS_RSA_WITH_AES_128_CBC_SHA  No FS
OpenSSL 1.0.1l  R                      RSA 2048 (SHA256)  TLS 1.2               TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
OpenSSL 1.0.2s  R                      RSA 2048 (SHA256)  TLS 1.2               TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
OpenSSL 1.1.0k  R                      RSA 2048 (SHA256)  TLS 1.2               TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256   ECDH x25519  FS
OpenSSL 1.1.1c  R                      -                  TLS 1.3               TLS_AES_256_GCM_SHA384   ECDH x25519  FS
Safari 5.1.9 / OS X 10.6.8             RSA 2048 (SHA256)  TLS 1.0               TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
Safari 6 / iOS 6.0.1                   RSA 2048 (SHA256)  TLS 1.2               TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
Safari 6.0.4 / OS X 10.8.4  R          RSA 2048 (SHA256)  TLS 1.0               TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
Safari 7 / iOS 7.1  R                  RSA 2048 (SHA256)  TLS 1.2               TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
Safari 7 / OS X 10.9  R                RSA 2048 (SHA256)  TLS 1.2               TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
Safari 8 / iOS 8.4  R                  RSA 2048 (SHA256)  TLS 1.2               TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
Safari 8 / OS X 10.10  R               RSA 2048 (SHA256)  TLS 1.2               TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   ECDH secp256r1  FS
Safari 9 / iOS 9  R                    RSA 2048 (SHA256)  TLS 1.2 > h2          TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Safari 9 / OS X 10.11  R               RSA 2048 (SHA256)  TLS 1.2 > h2          TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Safari 10 / iOS 10  R                  RSA 2048 (SHA256)  TLS 1.2 > h2          TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Safari 10 / OS X 10.12  R              RSA 2048 (SHA256)  TLS 1.2 > h2          TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Safari 12.1.2 / MacOS 10.14.6 Beta  R  -                  TLS 1.3               TLS_CHACHA20_POLY1305_SHA256   ECDH x25519  FS
Safari 12.1.1 / iOS 12.3.1  R          -                  TLS 1.3               TLS_CHACHA20_POLY1305_SHA256   ECDH x25519  FS
Apple ATS 9 / iOS 9  R                 RSA 2048 (SHA256)  TLS 1.2 > h2          TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Yahoo Slurp Jan 2015                   RSA 2048 (SHA256)  TLS 1.2               TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
YandexBot Jan 2015                     RSA 2048 (SHA256)  TLS 1.2               TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ECDH secp256r1  FS
Not simulated clients (Protocol mismatch)
IE 6 / XP   No FS 1   No SNI 2  Protocol mismatch (not simulated)
(1) Clients that do not support Forward Secrecy (FS) are excluded when determining support for it.
(2) No support for virtual SSL hosting (SNI). Connects to the default site if the server uses SNI.
(3) Only first connection attempt simulated. Browsers sometimes retry with a lower protocol version.
(R) Denotes a reference browser or client, with which we expect better effective security.
(All) We use defaults, but some platforms do not use their best protocols and features (e.g., Java 6 & 7, older IE).
(All) Certificate trust is not checked in handshake simulation, we only perform TLS handshake.

What minimum versions of operating systems and browsers are compatible with Google-managed SSL certificates?

3 Answers3

Not simulated clients (Protocol mismatch)