How to remove a root CA certificate?

linux ssl-certificate centos redhat arch-linux

I am trying to delete a root CA certificate, but the trust anchor --remove command specified in the official Red Hat 8 documentation gives out a read-only error.

sudo trust anchor --remove --verbose "pkcs11:id=%c6%41%4f%df%64%5d%6c%2c%7b%ca%bc%bd%3e%b2%d4%85%cd%59%a7%49;type=cert"

(p11-kit:2482) remove_all: removing certificate: 19
p11-kit: couldn't remove read-only certificate

There is nothing in the documentation about this.


I couldn't find any remakes in the documentation, too. However, it seems that the command trust treats certificates added manually to the system-wide trust store as read-only certificates and does not support the removal of these certificates.

The certificate you want to remove was probably copied manually or by a script into directory /etc/pki/ca-trust/source/anchors/ or /etc/pki/ca-trust/source/ (/etc/ca-certificates/trust-source/ on Arch Linux). You can still remove it manually:

sudo rm /etc/ca-certificates/trust-source/example.pem

You need to run update-ca-trust afterwards to apply the changes:

sudo /usr/bin/update-ca-trust
# test if CA certificate is not trusted anymore:
curl -sv https://example.com

See the man page update-ca-trust(8) for further information about the command.

This behavior is different from a certificate added via the trust command. These certificates have the extension .p11-kit in the system-wide trust store and also a different format than the imported PEM file:

# This file has been auto-generated and written by p11-kit. Changes will be
# unceremoniously overwritten.
[...]
[p11-kit-object-v1]
[...]

Removing/Blacklisting Mozilla CA / nss-trust Certificates

Removal/distrust of the Mozilla CA / nss-trust certificate authorities fail with the trust command, too (at least on Arch Linux):

$ sudo trust anchor --remove --verbose pkcs11:id=%C4%A7%B1%A4%7B%2C%71%FA%DB%E1%4B%90%75%FF%C4%15%60%85%89%10;type=cert
(p11-kit:10401) remove_all: removing certificate: 103
p11-kit: couldn't remove read-only certificate
(p11-kit:10401) remove_all: removing x-trust-assertion: 460
p11-kit: couldn't remove read-only x-trust-assertion
(p11-kit:10401) remove_all: removing nss-trust: 461
p11-kit: couldn't remove read-only nss-trust
p11-kit: 3 errors while processing

If you want distrust a certificate authority from this list, you can copy the certificate to the blacklist directory:

sudo cp /etc/pki/ca-trust/extracted/cadir/DST_Root_CA_X3.pem /etc/pki/ca-trust/source/blacklist
# or on Arch Linux:
sudo cp /etc/ca-certificates/extracted/cadir/DST_Root_CA_X3.pem /etc/ca-certificates/trust-source/blacklist
# apply the changes:
sudo /usr/bin/update-ca-trust

In this example, Let's Encrypt's root CA is distrusted. You can test with curl if the blacklisting succeeded:

curl -sv https://serverfault.com

Related

Ansible, only disable existing users?
ZFS inside of virtual machine?
systemd's "predictable interface names" not being predictable
Win2k3: What files can be deleted from the System drive, and what tool to delete them?
What are some cool things you can do with SharePoint 2007?
How should applications be developed for easy deployment?
Default rsize and wsize for nfs v3
Unable to understand the benefit of Zsh's autopushd
How do I clone ZFS ACLs from one file to another?
What does a magic packet look like?
What could be causing MsiInstaller to continuously reconfigure applications(EventID 1035)?
What is the best way to configure a new ZFS server with lots of storage?