I am trying to delete a root CA certificate, but the trust anchor --remove command specified in the official Red Hat 8 documentation gives a read-only error.

sudo trust anchor --remove --verbose "pkcs11:id=%c6%41%4f%df%64%5d%6c%2c%7b%ca%bc%bd%3e%b2%d4%85%cd%59%a7%49;type=cert"

(p11-kit:2482) remove_all: removing certificate: 19
p11-kit: couldn't remove read-only certificate

There is nothing in the documentation about this.


I couldn't find any remarks about this in the documentation either. However, it seems that the command trust treats certificates added manually to the system-wide trust store as read-only certificates and does not support the removal of these certificates.

The certificate you want to remove was probably copied manually or by a script into directory /etc/pki/ca-trust/source/anchors/ or /etc/pki/ca-trust/source/ (/etc/ca-certificates/trust-source/ on Arch Linux). You can still remove it manually:

sudo rm /etc/ca-certificates/trust-source/example.pem

You need to run update-ca-trust afterwards to apply the changes:

sudo /usr/bin/update-ca-trust
# test if CA certificate is not trusted anymore:
curl -sv https://example.com

See the man page update-ca-trust(8) for further information about the command.

This behavior is different from a certificate added via the trust command. These certificates have the extension .p11-kit in the system-wide trust store and also a different format than the imported PEM file:

# This file has been auto-generated and written by p11-kit. Changes will be
# unceremoniously overwritten.
[...]
[p11-kit-object-v1]
[...]

Removing/Blacklisting Mozilla CA / nss-trust Certificates

Removal/distrust of the Mozilla CA / nss-trust certificate authorities fails with the trust command, too (at least on Arch Linux):

$ sudo trust anchor --remove --verbose "pkcs11:id=%C4%A7%B1%A4%7B%2C%71%FA%DB%E1%4B%90%75%FF%C4%15%60%85%89%10;type=cert"
(p11-kit:10401) remove_all: removing certificate: 103
p11-kit: couldn't remove read-only certificate
(p11-kit:10401) remove_all: removing x-trust-assertion: 460
p11-kit: couldn't remove read-only x-trust-assertion
(p11-kit:10401) remove_all: removing nss-trust: 461
p11-kit: couldn't remove read-only nss-trust
p11-kit: 3 errors while processing

If you want to distrust a certificate authority from this list, you can copy the certificate to the blacklist directory:

sudo cp /etc/pki/ca-trust/extracted/cadir/DST_Root_CA_X3.pem /etc/pki/ca-trust/source/blacklist
# or on Arch Linux:
sudo cp /etc/ca-certificates/extracted/cadir/DST_Root_CA_X3.pem /etc/ca-certificates/trust-source/blacklist
# apply the changes:
sudo /usr/bin/update-ca-trust

In this example, Let's Encrypt's root CA is distrusted. You can test with curl if the blacklisting succeeded:

curl -sv https://serverfault.com
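As an added example (not part of the answer above), the following helper functions wrap the two workflows the answer distinguishes: telling a hand-copied PEM anchor apart from a p11-kit-object-v1 file written by `trust anchor`, blacklisting a PEM certificate, and checking offline whether a certificate is still present in the bundle extracted by update-ca-trust instead of probing a site with curl. TRUST_ROOT defaults to the Red Hat layout; set it to /etc/ca-certificates for Arch Linux. The function names and the TRUST_ROOT variable are assumptions of this example, not part of p11-kit or update-ca-trust.

```shell
#!/bin/sh
# Added example, not from the original answer. TRUST_ROOT is an assumed
# variable: /etc/pki/ca-trust on Red Hat, /etc/ca-certificates on Arch.
TRUST_ROOT="${TRUST_ROOT:-/etc/pki/ca-trust}"

# Strip the PEM armor and all line breaks so the certificate body can be
# searched for with a fixed-string grep regardless of how it is wrapped.
pem_body() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" \
        | grep -v -- '-----' | tr -d '\n\r '
}

# Classify a file in a trust source directory:
#   pem      - certificate copied in by hand; remove it with rm
#   p11-kit  - object written by `trust anchor`; remove it with
#              `trust anchor --remove`
#   unknown  - anything else
anchor_kind() {
    if grep -q '^\[p11-kit-object-v1\]' "$1" 2>/dev/null; then
        echo p11-kit
    elif grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
    else
        echo unknown
    fi
}

# Return 0 if the certificate in $1 is contained in the bundle $2
# (default: the TLS CA bundle that update-ca-trust extracts), 1 if it is
# not, 2 if $1 holds no PEM certificate at all.
ca_in_bundle() {
    bundle_file="${2:-$TRUST_ROOT/extracted/pem/tls-ca-bundle.pem}"
    cert_body="$(pem_body "$1")"
    [ -n "$cert_body" ] || return 2
    tr -d '\n\r ' < "$bundle_file" | grep -q -F -- "$cert_body"
}

# Copy a PEM certificate into the blacklist source directory. The caller
# must run update-ca-trust afterwards to regenerate the extracted stores.
# p11-kit objects are rejected: they belong to `trust anchor --remove`.
distrust_ca() {
    if [ "$(anchor_kind "$1")" != pem ]; then
        echo "not a PEM certificate, refusing to blacklist: $1" >&2
        return 1
    fi
    cp "$1" "$TRUST_ROOT/source/blacklist/"
}
```

Source the file, then for example `anchor_kind /etc/pki/ca-trust/source/anchors/example.pem` or, after `sudo update-ca-trust`, `ca_in_bundle example.pem || echo "no longer trusted"`.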