Google Trust Services provides alternate certificate chains. For a given leaf certificate, there may be multiple validation paths to root CAs/trust anchors.
This optional feature may be useful to sites that want to serve a shorter certificate chain or need to test root migrations. For those not explicitly using this feature, Google Trust Services will continue providing the chain that we believe is the best fit for standard use cases.
As an example, Google Trust Services may provide the following chains (the trust anchors in parentheses are not included in the certificate chains):
Leaf certificate ← WR1 ← GTS Root R1 (← GlobalSign Root CA)
This chain maximizes compatibility with legacy clients by including a GTS Root R1 cross-sign from GlobalSign Root CA. GlobalSign Root CA is one of the most tenured root CAs. It provides the highest compatibility for legacy clients and devices with infrequently updated trust stores.
Leaf certificate ← WR1 (← GTS Root R1)
This chain optimizes for performance: it is shorter, so fewer bytes are sent over the wire and chain validation takes one fewer step. Nearly all modern clients and devices include GTS Root R1 (and other GTS roots) in their trust store. Devices and clients older than 2018 may not be compatible without a trust store update.
During the ACME protocol certificate download step, additional URLs are reflected as extra link relation HTTP header fields as indicated in RFC 8555. ACME clients may choose to download these alternate chains using those URLs, selecting the chain that makes the most sense for their use case.
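The following sketch is an added example, not Google Trust Services or ACME client code. It shows how a client could collect the `rel="alternate"` link relations that RFC 8555 defines for the certificate download response and then apply one possible policy, picking the shortest chain. The host, paths, and placeholder PEM bodies are constructed, and restricting targets to https is an assumption of this example.

```python
import re
from urllib.parse import urljoin, urlsplit

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def alternate_chain_urls(cert_url, link_headers):
    """Absolute https URLs advertised with rel="alternate" on the certificate response."""
    urls = []
    for header in link_headers:  # one string per Link header field
        # A field may carry several comma-separated <target>;params link-values.
        for target, params in re.findall(r"<([^>]*)>([^<]*)", header):
            m = re.search(r';\s*rel\s*=\s*"?([^";,]+)"?', params, re.I)
            rels = m.group(1).lower().split() if m else []
            if "alternate" not in rels:
                continue  # e.g. rel="index" points at the ACME directory
            url = urljoin(cert_url, target)  # targets may be relative
            # Assumption of this example: only follow https targets.
            if urlsplit(url).scheme == "https" and url not in urls:
                urls.append(url)
    return urls

def pick_shortest(chains):
    """chains maps URL -> downloaded PEM text; return the URL of the shortest chain."""
    sized = {u: len(PEM_CERT.findall(pem)) for u, pem in chains.items()}
    usable = [u for u, n in sized.items() if n > 0]  # skip empty or failed downloads
    if not usable:
        raise ValueError("no chain contained a certificate")
    return min(usable, key=lambda u: (sized[u], len(chains[u])))

# Constructed sample data (hypothetical host and paths, placeholder PEM bodies).
CERT_URL = "https://acme.example/cert/abc"
LINK_HEADERS = [
    '<https://acme.example/directory>;rel="index"',
    '<https://acme.example/cert/abc/1>;rel="alternate", </cert/abc/2>; rel=alternate',
]

def fake_chain(n):
    block = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
    return block * n

CHAINS = {
    CERT_URL: fake_chain(3),                           # leaf, WR1, cross-signed GTS Root R1
    "https://acme.example/cert/abc/1": fake_chain(2),  # leaf, WR1
}

if __name__ == "__main__":
    print(alternate_chain_urls(CERT_URL, LINK_HEADERS))
    print(pick_shortest(CHAINS))
```

A client that needs legacy compatibility would instead keep the longer chain ending in the GlobalSign cross-sign. Whichever chain is chosen is still validated by relying parties against their own trust store.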