Updating pki certs to remove unwanted mozilla certs

Sometimes it is a good security practice to remove unneeded ca certiticates from the base system and applications such as firefox and thunderbird.

For starters you can verify for presence of FooVadis certs this way on Rocky Linux 9.2 :
$ trust list --filter=ca-anchors | grep FooVadis -i -A 2 -B 3

Then update source ca-bundle file with text editor as root:
$ sudo nvim /usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit

Dont forget running update-ca-trust at this point…
$ sudo update-ca-trust

To verify your changes, just run trust list again :
$ trust list --filter=ca-anchors | grep ...


1 Like

This is an bad idea, because there exist an official way to do this.
Simple copy the ca block to /etc/pki/ca-trust/source/blacklist (as pem file)
Than call update-ca-trust.
This will be update safe, and will work with java, gnutls, nss , and openssl based apps.

1 Like

Hi mate,

i followed the documentation in update-ca-trust man page… Note that
the ca block on Rocky Linux 9.2 is located in /etc/pki/ca-trust/extracted and must not be edited manually because it is being autogenerated !