Linux
How do I remove a root CA certificate?

I am trying to remove a root CA certificate, but the trust anchor --remove command specified in the official Red Hat 8 documentation gives a read-only error:

sudo trust anchor --remove --verbose "pkcs11:id=%c6%41%4f%df%64%5d%6c%2c%7b%ca%bc%bd%3e%b2%d4%85%cd%59%a7%49;type=cert"
(p11-kit:2482) remove_all: removing certificate: 19
p11-kit: couldn't remove read-only certificate

There is nothing about this in the documentation.
I couldn't find anything about this in the documentation either. However, the trust command seems to treat certificates that were manually added to the system-wide trust store as read-only certificates and does not support removing them. The certificate you want to remove was probably copied, manually or by a script, into the directory /etc/pki/ca-trust/source/anchors/ or /etc/pki/ca-trust/source/ (/etc/ca-certificates/trust-source/ on Arch Linux). You can still remove it manually:

sudo rm /etc/ca-certificates/trust-source/example.pem

You then need to run update-ca-trust to apply the change:

sudo /usr/bin/update-ca-trust
# test if CA certificate is not trusted anymore:
curl -sv https://example.com

See the manual page update-ca-trust(8) for more information on that command.

This behaviour differs from certificates added via the trust command. Those certificates have the .p11-kit extension in the system-wide trust store and a different format from imported PEM files:

# This file has been auto-generated and written by p11-kit. Changes will be
# unceremoniously overwritten.
[...]
[p11-kit-object-v1]
[...]

Removing/blacklisting Mozilla CA / nss-trust certificates

Removing/distrusting a Mozilla CA / nss-trust certificate authority also fails with the trust command (at least on Arch Linux):

$ sudo trust anchor --remove --verbose pkcs11:id=%C4%A7%B1%A4%7B%2C%71%FA%DB%E1%4B%90%75%FF%C4%15%60%85%89%10;type=cert
(p11-kit:10401) remove_all: removing certificate: 103
p11-kit: couldn't remove read-only certificate
(p11-kit:10401) remove_all: removing x-trust-assertion: 460
p11-kit: couldn't remove read-only x-trust-assertion
(p11-kit:10401) remove_all: removing nss-trust: 461
p11-kit: couldn't remove read-only nss-trust
p11-kit: 3 errors while processing

If you want to distrust a certificate authority from this list, you can copy the certificate into the blacklist directory:

sudo cp /etc/pki/ca-trust/extracted/cadir/DST_Root_CA_X3.pem /etc/pki/ca-trust/source/blacklist
# or on Arch Linux:
sudo cp /etc/ca-certificates/extracted/cadir/DST_Root_CA_X3.pem /etc/ca-certificates/trust-source/blacklist
# apply the changes:
sudo /usr/bin/update-ca-trust

In this example, the root CA of Let's Encrypt is distrusted. You can test with curl whether the blacklisting succeeded:

curl -sv https://serverfault.com
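As an added example (not part of the question or the answer above), the following script maps the pkcs11 URI from the "read-only" error back to the file you would rm or copy into the blacklist directory. It assumes the object id is the certificate's Subject Key Identifier (the DST Root CA X3 id in the answer is exactly that CA's SKI), that openssl is installed, and the Red Hat 8 directory layout the answer names; the search directories and blacklist path are constants you can change.

```python
"""Map a p11-kit "pkcs11:id=..." URI to the trust-store file that carries that cert.
Assumed: the id is the certificate's Subject Key Identifier (true for the DST Root
CA X3 id above); 'openssl' is on PATH. Non-PEM files and SKI-less roots are skipped."""
import re
import subprocess
import sys
from pathlib import Path
from urllib.parse import unquote_to_bytes

# Red Hat 8 layout from the answer; Arch uses /etc/ca-certificates/{trust-source,extracted}.
SEARCH_DIRS = [
    "/etc/pki/ca-trust/source/anchors",   # manually copied PEM anchors
    "/etc/pki/ca-trust/source",
    "/etc/pki/ca-trust/extracted/cadir",  # per-CA files extracted from the Mozilla bundle
]
BLACKLIST_DIR = "/etc/pki/ca-trust/source/blacklist"
SKI_RE = re.compile(r"(?:[0-9A-F]{2}:){19}[0-9A-F]{2}")

def pkcs11_id_to_ski(uri):
    """'pkcs11:id=%c4%a7...;type=cert' -> 'C4:A7:...' in openssl's colon-hex form."""
    for attr in uri[len("pkcs11:"):].split(";"):
        key, _, value = attr.partition("=")
        if key == "id":
            return ":".join("%02X" % b for b in unquote_to_bytes(value))
    raise ValueError("no id attribute in " + uri)

def cert_ski(path):
    """Subject Key Identifier of a PEM certificate (via openssl), or None."""
    proc = subprocess.run(["openssl", "x509", "-noout", "-ext", "subjectKeyIdentifier",
                           "-in", str(path)], capture_output=True, text=True)
    if proc.returncode != 0:  # not a PEM certificate, e.g. a .p11-kit object file
        return None
    match = SKI_RE.search(proc.stdout)
    return match.group(0) if match else None

def find_cert_files(ski, dirs=SEARCH_DIRS):
    """Files under dirs whose SKI equals ski; missing directories are ignored."""
    hits = []
    for d in (Path(x) for x in dirs):
        if d.is_dir():
            hits += [f for f in sorted(d.iterdir()) if f.is_file() and cert_ski(f) == ski]
    return hits

if __name__ == "__main__":
    ski = pkcs11_id_to_ski(sys.argv[1])
    print("Subject Key Identifier:", ski)
    for f in find_cert_files(ski):
        if "/source/" in str(f):  # manually added anchor: delete it, then re-extract
            print(f"sudo rm {f} && sudo update-ca-trust")
        else:                     # built-in Mozilla CA is read-only: blacklist it instead
            print(f"sudo cp {f} {BLACKLIST_DIR}/ && sudo update-ca-trust")
```

Run it as `python3 find_anchor.py 'pkcs11:id=...;type=cert'`; it prints the SKI and, for each matching file, the removal or blacklist command from the answer, so the check with curl afterwards stays the same.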