How to remove a root CA certificate?
I am trying to delete a root CA certificate, but the trust anchor --remove
command specified in the official Red Hat 8 documentation gives out a read-only error.
sudo trust anchor --remove --verbose "pkcs11:id=%c6%41%4f%df%64%5d%6c%2c%7b%ca%bc%bd%3e%b2%d4%85%cd%59%a7%49;type=cert"
(p11-kit:2482) remove_all: removing certificate: 19
p11-kit: couldn't remove read-only certificate
There is nothing in the documentation about this.
I couldn't find any remarks in the documentation either. However, it seems that the command trust
treats certificates added manually to the system-wide trust store as read-only certificates and does not support the removal of these certificates.
The certificate you want to remove was probably copied manually or by a script into the directory /etc/pki/ca-trust/source/anchors/ or /etc/pki/ca-trust/source/ (/etc/ca-certificates/trust-source/ on Arch Linux). You can still remove it manually:
sudo rm /etc/ca-certificates/trust-source/example.pem
You need to run update-ca-trust
afterwards to apply the changes:
sudo /usr/bin/update-ca-trust
# test if CA certificate is not trusted anymore:
curl -sv https://example.com
See the man page update-ca-trust(8) for further information about the command.
This behavior is different from a certificate added via the trust
command. These certificates have the extension .p11-kit
in the system-wide trust store and also a different format than the imported PEM file:
# This file has been auto-generated and written by p11-kit. Changes will be
# unceremoniously overwritten.
[...]
[p11-kit-object-v1]
[...]
Removing/Blacklisting Mozilla CA / nss-trust Certificates
Removal/distrust of the Mozilla CA / nss-trust certificate authorities fails with the trust
command, too (at least on Arch Linux):
$ sudo trust anchor --remove --verbose pkcs11:id=%C4%A7%B1%A4%7B%2C%71%FA%DB%E1%4B%90%75%FF%C4%15%60%85%89%10;type=cert
(p11-kit:10401) remove_all: removing certificate: 103
p11-kit: couldn't remove read-only certificate
(p11-kit:10401) remove_all: removing x-trust-assertion: 460
p11-kit: couldn't remove read-only x-trust-assertion
(p11-kit:10401) remove_all: removing nss-trust: 461
p11-kit: couldn't remove read-only nss-trust
p11-kit: 3 errors while processing
If you want to distrust a certificate authority from this list, you can copy the certificate to the blacklist directory:
sudo cp /etc/pki/ca-trust/extracted/cadir/DST_Root_CA_X3.pem /etc/pki/ca-trust/source/blacklist
# or on Arch Linux:
sudo cp /etc/ca-certificates/extracted/cadir/DST_Root_CA_X3.pem /etc/ca-certificates/trust-source/blacklist
# apply the changes:
sudo /usr/bin/update-ca-trust
In this example, Let's Encrypt's root CA is distrusted. You can test with curl
if the blacklisting succeeded:
curl -sv https://serverfault.com
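The two procedures from the answer above (deleting a manually added anchor, and blacklisting a bundled CA) as one small POSIX shell helper. This is an added example, not code from the original answer or from p11-kit. The TRUST_SOURCE variable, the function names and the "remove"/"blacklist" sub-commands are assumptions for this example; TRUST_SOURCE defaults to the Red Hat path and can be pointed at /etc/ca-certificates/trust-source on Arch Linux, or at a scratch directory for a dry run, in which case update-ca-trust is deliberately not invoked.

```shell
#!/bin/sh
# Added example (not from the original answer): helpers for the two trust-store
# operations discussed above. TRUST_SOURCE is an assumed variable name.
set -u

TRUST_SOURCE="${TRUST_SOURCE:-/etc/pki/ca-trust/source}"

# Files under the source directories have no effect until update-ca-trust has
# regenerated the extracted store. Only run it when we are actually pointed at
# one of the system trust-source paths; a scratch directory is a dry run.
refresh_trust_store() {
    case "$TRUST_SOURCE" in
        /etc/pki/ca-trust/source|/etc/ca-certificates/trust-source) ;;
        *) echo "$TRUST_SOURCE is not a system trust store; skipping update-ca-trust" >&2
           return 0 ;;
    esac
    if command -v update-ca-trust >/dev/null 2>&1; then
        update-ca-trust
    else
        echo "update-ca-trust not found on this system" >&2
        return 1
    fi
}

# Remove a manually added anchor by file name. This is the case in which
# 'trust anchor --remove' refuses with "couldn't remove read-only certificate".
# Both locations named in the answer are checked. Returns 1 if nothing matched.
remove_anchor() {
    name="$1"
    found=1
    for dir in "$TRUST_SOURCE/anchors" "$TRUST_SOURCE"; do
        if [ -f "$dir/$name" ]; then
            rm -f "$dir/$name"
            found=0
        fi
    done
    if [ "$found" -ne 0 ]; then
        echo "no anchor named $name under $TRUST_SOURCE" >&2
        return 1
    fi
    refresh_trust_store
}

# Distrust a CA that ships with the system bundle by copying its PEM file into
# the blacklist directory. A quick PEM sanity check guards against copying the
# wrong file (for example a .p11-kit object file) into the blacklist.
# Returns 2 if the input is not a PEM certificate.
distrust_ca() {
    pem="$1"
    if ! grep -q 'BEGIN CERTIFICATE' "$pem" 2>/dev/null; then
        echo "$pem does not look like a PEM certificate" >&2
        return 2
    fi
    mkdir -p "$TRUST_SOURCE/blacklist"
    cp "$pem" "$TRUST_SOURCE/blacklist/" || return 1
    refresh_trust_store
}

# Hypothetical command-line front end, e.g.:
#   sudo sh ca-trust-helper.sh remove example.pem
#   sudo sh ca-trust-helper.sh blacklist /etc/pki/ca-trust/extracted/cadir/DST_Root_CA_X3.pem
# With no arguments the script only defines the functions above.
case "${1:-}" in
    remove)    remove_anchor "$2" ;;
    blacklist) distrust_ca "$2" ;;
esac
```

After either operation on a real system, verify the result the way the answer does, with curl -sv against a host whose chain ends in the affected root; with a scratch TRUST_SOURCE nothing on the live store changes, which makes the helper safe to exercise before running it with sudo.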