1. Bern University of Applied Sciences
  2. APC Project
  3. Statisitics
  4. Certificate Hierarchy

Certificate Hierarchy

The certificate chains are generated from all signed messages we received.

The root certificates of Pixel devices have always the subject name serialNumber=f92009e853b6b045. However there are 4 different legitimate Google Hardware Attestation Root certificates with that name. Otherwise the attestation chain differs depending on your device version and or keystore used. Note that each device can choose any of the 2 keystores "Strongbox" and "TEE".

Certificate Chains

In total we received unique certificate chains.

On Pixel 7 devices we expect a certificate chain of 5 certificates. Note that there is a 1:1 relationship between the certificates of level 3 and level 4.

All level 2 certificates have the subject name O=Google LLC, CN=Droid CA2. All level 3 certificates have the subject name O=Google LLC, CN=Droid CA3. It is interesting to note, that the lifetime of the level 3 and 4 intermediate certificates is with about 1 month very short - in most cases shorter than the lifetime of the issued leaf certificates.

Pixel 3-6 devices have a certificate chain length of 4 certificates. Note, that there is a 1:1 relationship between the certificates of level 2 and level 3. The lifetime of the intermediate certificate seems to be always 10 years.