How do I remove many system roots from Apple System Keychain?

Solution 1:

Back up the keychain before trying anything.

Listing root certificates:

sudo security dump-keychain /System/Library/Keychains/SystemRootCertificates.keychain

Just look in the dump for the names or SHA-1 hash values of the certificates that you want to get rid of and write them down.

Now you can delete those root certificates using the security delete-certificate command.

Usage: delete-certificate [-c name] [-Z hash] [-t] [keychain...]

-c  Specify certificate to delete by its common name
-Z  Specify certificate to delete by its SHA-1 hash value
-t  Also delete user trust settings for this certificate

The certificate to be deleted must be uniquely specified either by a string found in its common name, or by its SHA-1 hash. If no keychains are specified to search, the default search list is used.

For example, you can delete Chinese root certificates using this command:

sudo security delete-certificate -Z 8BAF4C9B1DF02A92F7DA128EB91BACF498604B6F /System/Library/Keychains/SystemRootCertificates.keychain
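A dry-run planner for the hash-based procedure above when many roots are involved, as an added example that is not part of the original answer. It reduces security find-certificate -a -Z output (used here instead of dump-keychain because it prints the SHA-1 hash next to each label) to hash/label pairs, then prints a delete-certificate command only for hashes that match exactly one listed root. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: dry-run planner for removing several roots by SHA-1 hash.
KEYCHAIN=/System/Library/Keychains/SystemRootCertificates.keychain

# Reduce `security find-certificate -a -Z` output (stdin) to "SHA1<TAB>label".
# Handles the plain "labl"<blob>="Name" form only.
list_roots() {
  awk '
    /^SHA-1 hash: / { hash = $3 }
    /"labl"<blob>="/ {
      label = $0
      sub(/^.*"labl"<blob>="/, "", label)
      sub(/"$/, "", label)
      if (hash != "") print hash "\t" label
      hash = ""
    }'
}

# plan_deletes LISTING HASH...: print one delete-certificate command per hash
# that is well formed and matches exactly one listed root. Deletes nothing.
plan_deletes() {
  listing=$1; shift
  rc=0
  for h in "$@"; do
    h=$(printf '%s' "$h" | tr 'a-f' 'A-F')
    case $h in
      *[!0-9A-F]*) echo "skip '$h': not hexadecimal" >&2; rc=1; continue ;;
    esac
    if [ "${#h}" -ne 40 ]; then
      echo "skip '$h': SHA-1 is 40 hex digits" >&2; rc=1; continue
    fi
    # Appending "" forces string comparison; all-digit hashes would otherwise compare as numbers.
    n=$(awk -F '\t' -v h="$h" '($1 "") == (h "") { n++ } END { print n + 0 }' "$listing")
    if [ "$n" -ne 1 ]; then
      echo "skip $h: matches $n certificates" >&2; rc=1; continue
    fi
    printf 'sudo security delete-certificate -Z %s %s\n' "$h" "$KEYCHAIN"
  done
  return "$rc"
}

# Constructed sample in the find-certificate -a -Z layout (not real roots).
sample_listing() {
  cat <<'EOF'
SHA-1 hash: 0123456789ABCDEF0123456789ABCDEF01234567
    "labl"<blob>="Example Root CA 1"
SHA-1 hash: FEDCBA9876543210FEDCBA9876543210FEDCBA98
    "labl"<blob>="Example Root CA 2"
EOF
}
```

On macOS, save the real listing with security find-certificate -a -Z "$KEYCHAIN" | list_roots > roots.tsv, review it, then pass roots.tsv and the chosen hashes to plan_deletes and inspect the printed commands before running any of them.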

Solution 2:

Thank you! Worked for me with the -c option. Find the name of the root certificate in Keychain.app, then run:

sudo security delete -c "CERTNAME" /System/Library/Keychains/SystemRootCertificates.keychain

If you keep Keychain.app open with that certificate in view, you will notice that it is deleted immediately when you execute the command in the terminal.