Command Center

TL;DR

Google Trust Services (GTS) is Google's certificate authority. The Jun 15 date is a CA hierarchy change — they're rotating which intermediate certificates sign customer TLS certs, and consumers of Google services need to make sure their TLS trust store includes the new GTS roots.

Your stack uses Cloudflare-issued certs everywhere (madebyotten.com, madebyaspire.com, cc.madebyotten.com, vid.madebyotten.com, every Aspire client site). CF doesn't use GTS. So your customer-facing TLS isn't affected.

Where you DO touch GTS: outbound HTTPS calls to Google services (Gmail/Workspace, GCP APIs if any, GBP API, Google Maps, gts.googleapis.com). Modern OS / browser / curl / Node trust stores already include the new GTS roots. Action = none as long as your OS + tools are reasonably current.

What GTS is

Google operates its own certificate authority (Google Trust Services LLC). It issues TLS certs both for Google-owned domains AND for any GCP customer who uses Certificate Manager or App Engine managed SSL. GTS's root certs (GTS Root R1/R2/R3/R4) are baked into every mainstream OS and browser trust store as of ~2018.

The "Jun 15" change is a planned intermediate-CA rotation — they're moving customer-issued certs from one intermediate signer to another. End-entity certs are reissued automatically; what matters for clients is that the new intermediate chain validates.

Your exposure footprint

SurfaceCert issuerAffected?
madebyotten.com + subdomainsCloudflare Universal SSL❌ No
madebyaspire.com + client sitesCloudflare Universal SSL❌ No
cc.madebyotten.comCloudflare❌ No
aspiredigital.dev (M365 tenant)Microsoft (DigiCert)❌ No
Outbound: Gmail/Workspace APIValidates GTS chain⚠️ If old trust store
Outbound: GBP / Google Maps APIsValidates GTS chain⚠️ If old trust store
Outbound: gts.googleapis.com (transparency log)Validates GTS chain⚠️ If old trust store

What to actually do

  1. Nothing on the customer-facing side. Your CF cert chain is unaffected.
  2. Verify trust store currency on M3 + M4 + NAS: macOS Sequoia + Sonoma both already include GTS R1/R2/R3/R4 roots. security find-certificate -c "GTS Root R1" confirms it's installed. (Same for Hermes Docker containers if they pin their own CA bundle — most use the OS bundle.)
  3. If any service breaks Jun 15+: the symptom would be x509: certificate signed by unknown authority or similar TLS failures when calling Google APIs. Fix: update the CA bundle of the calling tool (curl, Node, Python certifi, etc.). Usually a one-liner.
  4. If you want belt-and-suspenders: on Jun 16, hit one Google API endpoint from each host and confirm 200. If any errors, update certifi (pip install --upgrade certifi) or system CA bundle and retest.

Most likely outcome

Jun 15 passes, nothing breaks. The "informational" tag on the original notice was right. The exposure is real but the trust-store coverage is also real — you'd have to be on a 3+ year out-of-date OS for it to bite you.