How do I remove many system roots from Apple System Keychain?
Solution 1:
Back up the keychain before trying anything.
Listing root certificates:
sudo security dump-keychain /System/Library/Keychains/SystemRootCertificates.keychain
Just look in the dump for the names or SHA-1 hash values of the certificates that you want to get rid of and write them down.
Now you can delete those root certificates using the security delete-certificate command.
Usage: delete-certificate [-c name] [-Z hash] [-t] [keychain...]
    -c  Specify certificate to delete by its common name
    -Z  Specify certificate to delete by its SHA-1 hash value
    -t  Also delete user trust settings for this certificate
The certificate to be deleted must be uniquely specified either by a
string found in its common name, or by its SHA-1 hash. If no keychains are specified to search, the default search list is used.
For example, you can delete Chinese root certificates using this command:
sudo security delete-certificate -Z 8BAF4C9B1DF02A92F7DA128EB91BACF498604B6F /System/Library/Keychains/SystemRootCertificates.keychain
Solution 2:
Thank you! Worked for me with the -c option. Find the name of the root certificate in Keychain.app, then run:
sudo security delete-certificate -c "CERTNAME" /System/Library/Keychains/SystemRootCertificates.keychain
If you keep Keychain.app open with that certificate in view, you will notice it is deleted immediately when you execute the command in Terminal.
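Since the question is about removing many roots, here is the list-then-delete procedure from Solution 1 as a batch script; it is an added example, not part of either answer. The function names and the sample output are constructed for illustration, and it assumes the output layout of `security find-certificate -a -Z` and a macOS version on which this keychain is writable.

```shell
#!/bin/sh
# Added example (not from the answers above). Function names are hypothetical.
KEYCHAIN=/System/Library/Keychains/SystemRootCertificates.keychain

# Turn `security find-certificate -a -Z` output on stdin into "SHA1<TAB>label" lines.
parse_roots() {
  awk '
    /^SHA-1 hash: / { hash = $3 }
    /^ *"labl"<blob>=/ {
      label = $0
      sub(/^[^=]*=/, "", label)            # drop the attribute name
      sub(/^0x[0-9A-Fa-f]+ +/, "", label)  # some labels are hex followed by quoted text
      gsub(/^"|"$/, "", label)             # strip the surrounding quotes
      if (hash != "") print hash "\t" label
      hash = ""
    }'
}

# List every root in the keychain for review.
list_roots() { security find-certificate -a -Z "$KEYCHAIN" | parse_roots; }

# Read lines whose first field is a SHA-1 hash ("#" comments allowed) and delete each.
# DRY_RUN=1 (the default) only prints the commands that would run.
delete_roots() {
  while read -r hash _rest; do
    case "$hash" in ''|'#'*) continue ;; esac
    if ! printf '%s\n' "$hash" | grep -Eq '^[0-9A-Fa-f]{40}$'; then
      echo "skipping malformed hash: $hash" >&2
      continue
    fi
    if [ "${DRY_RUN:-1}" = 1 ]; then
      echo "sudo security delete-certificate -Z $hash $KEYCHAIN"
    else
      sudo security delete-certificate -Z "$hash" "$KEYCHAIN"
    fi
  done
}

# Constructed sample of the find-certificate output (hash and label are made up).
sample_dump() {
  cat <<'EOF'
SHA-1 hash: 0123456789ABCDEF0123456789ABCDEF01234567
keychain: "/System/Library/Keychains/SystemRootCertificates.keychain"
attributes:
    "alis"<blob>="Example Root CA"
    "labl"<blob>="Example Root CA"
EOF
}
# Usage: list_roots > roots.txt, trim roots.txt to the roots to remove,
# review with `delete_roots < roots.txt`, then run `DRY_RUN=0 delete_roots < roots.txt`.
```

Keeping the label next to each hash in `roots.txt` makes the removal list reviewable before anything is deleted.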