GAM Support for Google's WE1 Intermediate CA & ECDSA Transition

74 views
Skip to first unread message

Jay Lee

unread,
May 27, 2026, 8:05:08 AM (12 days ago) May 27
to google-ap...@googlegroups.com

tl;dr

Google recently notified administrators regarding an upcoming infrastructure change: the transition to using the WE1 Intermediate Certificate Authority (CA) and ECDSA (Elliptic Curve Digital Signature Algorithm) certificates.

Bottom Line: GAM fully supports the WE1 Intermediate CA and ECDSA out of the box. No action or configuration changes are required by GAM administrators.

Verify your GAM install is WE1-Ready

You can confirm your GAM installation already trusts WE1. While most Google domains haven't yet transitioned, Cloudflare has and currently utilizes the WE1 intermediate CA.

1. Confirming Cloudflare uses WE1

You can use OpenSSL to connect to Cloudflare, inspect the certificate chain and verify that it is issued by Google's WE1 certificate authority:

Linux/MacOS Bash
echo | openssl s_client -connect cloudflare.com:443 -servername cloudflare.com 2>/dev/null | openssl x509 -noout -issuer

Expected Output: issuer=C=US, O=Google Trust Services, CN=WE1

Windows Powershell
$tcp = New-Object System.Net.Sockets.TcpClient("cloudflare.com", 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream())
$ssl.AuthenticateAsClient("cloudflare.com")
$ssl.RemoteCertificate.Issuer

Expected Output: CN=WE1, O=Google Trust Services, C=US

2. Test GAM against Cloudflare and WE1 CA

You can test GAM's ability to seamlessly communicate with a WE1-secured endpoint by having GAM fetch a Cloudflare URL and save it to Drive:

gam user admin create drivefile url https://cloudflare.com

Result: This command executes successfully. GAM establishes a secure connection, trusts the WE1 certificate, fetches the HTML, and saves it to Google Drive.

3. Show that GAM doesn't trust everyone

If you attempt to run the same command against another secure domain, you will encounter an SSL failure. For example:

gam user admin create drivefile url https://ssl.com

Result: This command will fail with a certificate verification error.

Why does this happen? This failure is not a bug, nor is it related to the WE1 transition. GAM operates using a minimal trust store. By default, GAM does not trust the entire global list of public CAs like a standard web browser does. Instead, to maximize security and efficiency, GAM strictly limits its trust store to the exact certificate authorities required to communicate with its essential endpoints: Google and GitHub.

How GAM Builds the certificate authority list it trusts

GAM's trusted certificate authority list is compiled explicitly from:

  1. pki.goog Roots: The minimal set of root certificates defined by Google Trust Services. This list doesn't actually include the WE1 intermediary but it includes "GTS Root R4" which has signed and trusted WE1 allowing the chain of trust to be built.

  2. Let's Encrypt: Included specifically because GitHub infrastructure (where GAM pulls updates and certain repository data) occasionally relies on Let's Encrypt certificates.

If you have followup questions or concerns, feel free to reply here or start a thread in the GAM Chat Space.

Jay

Reply all
Reply to author
Forward
0 new messages