Updating pki certs to remove unwanted mozilla certs

Sometimes it is a good security practice to remove unneeded CA certificates from the base system and applications such as Firefox and Thunderbird.

For starters you can verify the presence of FooVadis certs this way on Rocky Linux 9.2:
$ trust list --filter=ca-anchors | grep FooVadis -i -A 2 -B 3

Then update the source ca-bundle file with a text editor as root:
$ sudo nvim /usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit

Don't forget running update-ca-trust at this point…
$ sudo update-ca-trust

To verify your changes, just run trust list again:
$ trust list --filter=ca-anchors | grep ...

Cheers,
smart

1 Like

This is a bad idea, because there exists an official way to do this.
Simply copy the CA block to /etc/pki/ca-trust/source/blacklist (as a PEM file).
Then call update-ca-trust.
This will be update safe, and will work with Java, GnuTLS, NSS, and OpenSSL based apps.

1 Like
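One way to script the official blacklist method from the reply above, as an added example that is not from the thread. It assumes the source bundle uses p11-kit's `[p11-kit-object-v1]` object headers with `label:` lines; the BUNDLE and BLACKLIST_DIR variables and the function names are mine, not anything the distribution ships.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed layout: the p11-kit source
# bundle mentioned by the OP and the official blacklist directory from the
# reply; both can be overridden through the environment.
set -eu

BUNDLE="${BUNDLE:-/usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit}"
BLACKLIST_DIR="${BLACKLIST_DIR:-/etc/pki/ca-trust/source/blacklist}"

# Print the PEM block(s) from bundle $1 whose p11-kit label contains $2
# (case-insensitive). Each object in the bundle looks like:
#   [p11-kit-object-v1]
#   label: "Some Root CA"
#   ...
#   -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
extract_pem_by_label() {
    awk -v pat="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^\[p11-kit-object-v1\]/ { want = 0 }          # new object: reset
        /^label:/ { if (index(tolower($0), pat)) want = 1 }
        /^-----BEGIN CERTIFICATE-----/ { inpem = 1 }
        inpem && want { print }
        /^-----END CERTIFICATE-----/ { inpem = 0 }
    ' "$1"
}

# Number of certificates in PEM file $1 (0 if none).
count_certs() {
    grep -c '^-----END CERTIFICATE-----' "$1" || true
}

# Copy the CA(s) matching label $1 into the blacklist directory as a .pem
# file and refresh the trust store. Returns 1, installing nothing, when no
# label matched, so a typo cannot silently blacklist the wrong thing.
blacklist_ca() {
    label="$1"
    out="$BLACKLIST_DIR/$(printf '%s' "$label" | tr -c 'A-Za-z0-9' '_').pem"
    pem="$(extract_pem_by_label "$BUNDLE" "$label")"
    [ -n "$pem" ] || { echo "no CA matching '$label' in $BUNDLE" >&2; return 1; }
    mkdir -p "$BLACKLIST_DIR"
    printf '%s\n' "$pem" > "$out"
    update-ca-trust
    echo "$out"
}

# Usage (as root):  blacklist_ca "FooVadis"
# Verify afterwards: trust list --filter=blacklist | grep -i foovadis
```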

Hi mate,

I followed the documentation in the update-ca-trust man page… Note that
the CA block on Rocky Linux 9.2 is located in /etc/pki/ca-trust/extracted and must not be edited manually because it is being autogenerated!