How to Remove a Certificate Authority’s Certificate from a System

certificates

The ca-certificates package was just updated, and it caused the following changes on my Xubuntu 13.10 system:

Running hooks in /etc/ca-certificates/update.d....
Adding debian:CA_Disig_Root_R1.pem
Adding debian:CA_Disig_Root_R2.pem
Adding debian:China_Internet_Network_Information_Center_EV_Certificates_Root.pem
Adding debian:D-TRUST_Root_Class_3_CA_2_2009.pem
Adding debian:D-TRUST_Root_Class_3_CA_2_EV_2009.pem
Adding debian:PSCProcert.pem
Adding debian:StartCom_Certification_Authority_2.pem
Adding debian:Swisscom_Root_CA_2.pem
Adding debian:Swisscom_Root_EV_CA_2.pem
Adding debian:TURKTRUST_Certificate_Services_Provider_Root_2007.pem
Adding debian:Verisign_Class_3_Public_Primary_Certification_Authority_2.pem
Removing debian:cacert.org_class3.pem
Removing debian:cacert.org_root.pem
Removing debian:Equifax_Secure_eBusiness_CA_2.pem
Removing debian:TC_TrustCenter_Universal_CA_III.pem

I've decided I don't trust some of these CAs, and I would like to remove their certificates. How do I do that?

Best Answer

Run

sudo dpkg-reconfigure ca-certificates

That should give you a list where you can deselect CAs.

The list of CAs is stored in the file /etc/ca-certificates.conf. If you edit this file manually you need to run

sudo update-ca-certificates

to update the actual certificates in /etc/ssl/certs/ (if you use dpkg-reconfigure that is done automatically).

See /usr/share/doc/ca-certificates/README.Debian for more information.

Installing a root/CA Certificate

Given a CA certificate file foo.crt, follow these steps to install it on Ubuntu:

Create a directory for extra CA certificates in /usr/share/ca-certificates:
```
sudo mkdir /usr/share/ca-certificates/extra
```

Copy the CA .crt file to this directory:

sudo cp foo.crt /usr/share/ca-certificates/extra/foo.crt

Let Ubuntu add the .crt file's path relative to /usr/share/ca-certificates to /etc/ca-certificates.conf:
```
sudo dpkg-reconfigure ca-certificates
```
To do this non-interactively, run:
```
sudo update-ca-certificates
```

In case of a .pem file on Ubuntu, it must first be converted to a .crt file:

openssl x509 -in foo.pem -inform PEM -out foo.crt

Ubuntu – Add certificate authorities system-wide on Firefox

The problem here is that Firefox does not have a 'central' location where it looks for certificates. It just looks into the current profile. That's why modifying /usr/share/ca-certificates or other similar directories won't work with Firefox. This is something that has been requested for years; see issues 620373, 449498 and 454036 (and probably there are many others).

So you are left with just two kind of solutions: either modify each profile, or modify the behaviour of Firefox. I know this is not what you are looking for, but there are no ways because Firefox only looks at users' profiles.

Having said that, the solution I would choose is using hard or symbolic links, specifically I'd go with hardlinks. This solution is surely the easiest and probably the better, though I don't have enough information to judge.

What you have to do is basically removing each cert8.db and key3.db files for each profile and replace them with links to the "most complete" cert8.db and key3.db. If you go with hardlinks, the original cert8.db and key3.db will be indistinguishable from the new ones.

Remember to adjust permissions to fit your needs. Most likely, you will need to chmod a+rw so that everybody will be able to add/remove a certificate. If you want only certain users to be able to add/remove certificates, you can create a group, assign the two databases to that group and give +w permission just to the group.

Best Answer

Related Solutions

Install Root Certificate – How to Install a Root Certificate

Installing a root/CA Certificate

Ubuntu – Add certificate authorities system-wide on Firefox

Related Question