PSA: HOW TO DISTRUST A ROOT CERTIFICATE

Let's say something prompted you to no longer trust a certain Certificate Authority (CA) and you wanted to make sure your OS stops trusting certificates issued by them as well. You could say it was linked to a recent Internet blunder, but I couldn't possibly comment.

Before going further, be mindful of the changes you make, as they might break the functionality of applications and impact your browsing experience! Make backups before removing anything as you're on your own if you can't fix it afterwards!

So here's how to do it for the OSs and apps that I normally use:

  • Debian/Ubuntu
    • Edit /etc/ca-certificates.conf as root
    • Flag the entry and mark it for removal (prepend ! to it)
    • Run sudo update-ca-certificates
  • Android
    • Settings -> Security -> Trusted credentials
    • Find what you're looking for and then Disable
  • Windows
    • Open the Certificate Manager (Start -> Run -> certmgr.msc).
  • Mozilla (Firefox, Thunderbird)
    • Source
    • Preferences -> Advanced -> Certificates -> Authorities
    • Important: If you change the trust bits of a root certificate, that change will be permanent (can only be changed again by you) and will not be affected by upgrading to newer versions of the software.
  • Chrome / Chromium
    • Options -> Show advanced settings... -> Manage certificates -> Authorities
    • Select a CA and adjust trust level accordingly
  • Evolution
    • Edit -> Preferences -> Certificates -> Authorities
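
The Debian/Ubuntu steps above can be scripted. The following is an added example, not part of the original post: it backs up the config file, prepends ! to every active entry containing a given string, and leaves comments and already-disabled entries alone. The function name distrust_ca and the entry names in the demo are made up for illustration.

```shell
#!/bin/sh
# distrust_ca CONF PATTERN  (hypothetical helper, not a Debian tool)
#   CONF    ca-certificates.conf-style file (real path: /etc/ca-certificates.conf)
#   PATTERN fixed string matched against each active entry
# Prints the entries it disabled. Returns 0 if any entry was changed,
# 1 if nothing matched (file untouched), 2 on usage or I/O errors.
distrust_ca() {
    conf=$1; pattern=$2
    [ -f "$conf" ] && [ -n "$pattern" ] || {
        echo "usage: distrust_ca CONF PATTERN" >&2; return 2; }
    tmp=$(mktemp) || return 2
    rc=0
    awk -v pat="$pattern" -v out="$tmp" '
        # Comments, entries already marked with "!", and non-matching
        # lines are copied unchanged, so a second run is a no-op.
        /^[#!]/ || !index($0, pat) { print > out; next }
        # Matching active entry: mark it for removal and report it.
        { print "!" $0 > out; print; hits++ }
        END { exit (hits ? 0 : 1) }
    ' "$conf" || rc=$?
    if [ "$rc" -eq 0 ]; then
        # Back up first, then overwrite in place so the owner and
        # permissions of the original file are preserved.
        cp -p "$conf" "$conf.bak" && cat "$tmp" > "$conf" || rc=2
    fi
    rm -f "$tmp"
    return "$rc"
}

# Demo on a constructed file; the entry names below are invented.
# On a real system, run the function as root against
# /etc/ca-certificates.conf and then run: sudo update-ca-certificates
demo_dir=$(mktemp -d)
cat > "$demo_dir/ca-certificates.conf" <<'EOF'
# constructed sample
mozilla/Example_Good_Root_CA.crt
mozilla/Example_Untrusted_Root_CA.crt
!mozilla/Example_Already_Removed_CA.crt
EOF
distrust_ca "$demo_dir/ca-certificates.conf" "Example_Untrusted" || true
cat "$demo_dir/ca-certificates.conf"
rm -rf "$demo_dir"
```

Review the printed entries before running update-ca-certificates, since the match is a plain substring and a short pattern can disable more than one CA.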

As far as I can tell from a few quick searches, it's not really possible on iPhone/iPad without jailbreaking them, and it's something that Apple can do via system updates. On OS X, Google is your friend. I don't own any Apple devices, so I won't reference anything I can't test myself.

And, as always, thanks for reading.

