Remove all certificate authorities from a Firefox profile

Objective is to trust only certain certificates stored on the hard disk for that certain profile. Thus no certificate authorities are needed.

Tried without success:

  • Delete all CAs using Certificate Manager (part of Firefox Preferences)
  • Delete cert9.db in the profile
  • Clear cert9.db to 0 bytes and remove all permission flags so that Firefox may not change it

All three measures led to the CAs reappearing (though not necessarily in cert9.db, at least if I removed write permissions to that file; but still in the Certificate Manager of Firefox).

I wonder where the CAs come from. Does Firefox read them from the Internet if it misses them? I did not expect them to reappear at all.

How can I prevent that behavior?


Solution 1:

Is there a way to remove all CA certificates in Firefox?

Firefox uses Mozilla's NSS libraries for security-related features like TLS. NSS has its own built-in CA store, which is used by Firefox to obtain the default CA certificates.

From Mozilla's FAQ:

The pre-loaded CA certificates are included in the following files:

  • Windows: libnssckbi.dll
  • Unix, Linux, and other *nix variants: libnssckbi.so
  • Mac OS X: Contents/MacOS/libnssckbi.dynlib

Therefore it is not possible to remove all CA certificates as they are part of Firefox itself.

Is it possible to strip all CA certificates of all trust?

From Mozilla's FAQ:

If you don't trust a particular CA whose root certificate is included by default in Mozilla products, then there are two ways to disable the certificate.

  1. Turn off the trust bits for that root certificate.
  2. Delete the root certificate.
    • Deleting a root certificate that is in the default root store is equivalent to turning off all of the trust bits for that root. Therefore, even though the root certificate will re-appear in the Certificate Manager, it will be treated as though you changed the trust bits of that root certificate to turn them all off.

Important: This change will have a permanent effect, such that the trust bits for the root certificate can only be changed again by you. This change will not be affected by upgrading to newer versions of Mozilla software. It is strongly recommended that you note which root certificate you modify, so that you can turn the trust bits back on if the change negatively impacts your browsing experience.

So to distrust all CA certificates:

  1. Go to about:preferences#privacy
  2. Click on View Certificates... at the bottom of the page
  3. Switch to the tab Authorities
  4. Select a certificate
  5. Click on Delete or Distrust...
  6. Confirm by clicking on OK
  7. Repeat steps 4-6 for every certificate
  8. Restart Firefox

After you restart Firefox you will see that all default certificates have reappeared.

Why do CA certificates keep reappearing after a restart of Firefox?

Default certificates cannot be removed, so Firefox only distrusts them, which has the effect that they cannot be used to verify other certificates. You can select a CA certificate and click Edit Trust... to see that nothing is checked once you have distrusted it.
A distrust has the same effect as deleting the certificate itself except that the certificate will still be shown in the Certificate Manager.

For more information: Changing Trust Settings
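As an added example (not part of the question or the answer above), here is a POSIX shell snippet that checks the outcome of the distrust procedure from the profile's NSS database rather than from the Certificate Manager GUI. It parses the trust-attribute column that NSS's `certutil -L` prints; the listing and the nicknames embedded below are constructed sample data, not output captured from a real profile.

```shell
#!/bin/sh
# Real NSS commands for a Firefox profile directory $PROFILE (cert9.db is an SQL-format DB):
#   list certificates and trust bits:   certutil -d "sql:$PROFILE" -L
#   clear all trust bits of one cert:   certutil -d "sql:$PROFILE" -M -n "<nickname>" -t ",,"
# The trust column is "SSL,S/MIME,JAR/XPI"; "C" = trusted CA, "T" = trusted peer,
# an empty column means no trust, which is what a deleted/distrusted built-in root shows.

# Constructed sample of `certutil -L` output (not captured from a real profile).
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Builtin Object Token:Example Root CA 1                       C,C,C
Builtin Object Token:Example Root CA 2                       ,,
My Internal CA                                               CT,C,C'

# Print the nickname of every certificate whose SSL trust column is non-empty,
# i.e. every CA that can still be used to validate a TLS server certificate.
trusted_ssl_cas() {
    printf '%s\n' "$1" | awk '
        NR > 2 && NF > 0 {                      # skip the two header lines and blanks
            split($NF, t, ",")                   # $NF is the trust field, e.g. "C,C,C"
            if (t[1] != "") {                    # first column = SSL trust bits
                sub(/[ \t]+[^ \t]+$/, "")        # drop the trust field, keep the nickname
                print
            }
        }'
}

# Number of CAs still trusted for SSL; a fully locked-down profile should report 0
# for every "Builtin Object Token:" entry and list only your own CA(s).
count_trusted_ssl_cas() {
    trusted_ssl_cas "$1" | awk 'END { print NR }'
}

trusted_ssl_cas "$SAMPLE_LISTING"
```

To audit a live profile, replace the sample with `certutil -d "sql:$PROFILE" -L` output, e.g. `trusted_ssl_cas "$(certutil -d "sql:$PROFILE" -L)"`.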