Linux

How do I remove a root CA certificate?

  • January 7, 2021

I am trying to remove a root CA certificate, but the trust anchor --remove command specified in the official Red Hat 8 documentation gives a read-only error.

sudo trust anchor --remove --verbose "pkcs11:id=%c6%41%4f%df%64%5d%6c%2c%7b%ca%bc%bd%3e%b2%d4%85%cd%59%a7%49;type=cert"

(p11-kit:2482) remove_all: removing certificate: 19
p11-kit: couldn't remove read-only certificate

The documentation says nothing about this.

I couldn't find anything about this in the documentation either. However, the trust command seems to treat certificates that were added manually to the system-wide trust store as read-only certificates, and it does not support removing them.

The certificate you want to remove was probably copied, manually or by a script, into the directory /etc/pki/ca-trust/source/anchors/ or /etc/pki/ca-trust/source/ (/etc/ca-certificates/trust-source/ on Arch Linux). You can still remove it manually:

sudo rm /etc/ca-certificates/trust-source/example.pem

You then need to run update-ca-trust to apply the change:

sudo /usr/bin/update-ca-trust
# test if CA certificate is not trusted anymore:
curl -sv https://example.com

For more information on this command, see the manual page update-ca-trust(8).

This behaviour differs from certificates added with the trust command. Those have the .p11-kit extension in the system-wide trust store and are formatted differently from imported PEM files:

# This file has been auto-generated and written by p11-kit. Changes will be
# unceremoniously overwritten.
[...]
[p11-kit-object-v1]
[...]

Removing / blacklisting Mozilla CA / nss-trust certificates

Removing / distrusting Mozilla CA / nss-trust certificate authorities also fails with the trust command (at least on Arch Linux):

$ sudo trust anchor --remove --verbose pkcs11:id=%C4%A7%B1%A4%7B%2C%71%FA%DB%E1%4B%90%75%FF%C4%15%60%85%89%10;type=cert
(p11-kit:10401) remove_all: removing certificate: 103
p11-kit: couldn't remove read-only certificate
(p11-kit:10401) remove_all: removing x-trust-assertion: 460
p11-kit: couldn't remove read-only x-trust-assertion
(p11-kit:10401) remove_all: removing nss-trust: 461
p11-kit: couldn't remove read-only nss-trust
p11-kit: 3 errors while processing

If you want to distrust a certificate authority from this list, you can copy the certificate into the blacklist directory:

sudo cp /etc/pki/ca-trust/extracted/cadir/DST_Root_CA_X3.pem /etc/pki/ca-trust/source/blacklist
# or on Arch Linux:
sudo cp /etc/ca-certificates/extracted/cadir/DST_Root_CA_X3.pem /etc/ca-certificates/trust-source/blacklist
# apply the changes:
sudo /usr/bin/update-ca-trust

In this example, Let's Encrypt's root CA is no longer trusted. You can test with curl whether the blacklisting succeeded:

curl -sv https://serverfault.com
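As an added illustration (not part of the original answer): the decision the answer walks through, whether a CA file is a manually added anchor that can simply be deleted or a bundled Mozilla/nss-trust CA that has to go into the blacklist directory, can be automated by matching the SHA-256 fingerprint of each certificate's DER against the source/anchors, extracted/cadir and source/blacklist directories. The directory layout, file names and PEM contents below are constructed for the example and are not real certificates; on a host you would pass the /etc/pki/ca-trust or /etc/ca-certificates paths the answer names.

```python
import base64
import hashlib
import re
import tempfile
from pathlib import Path

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_fingerprints(path):
    """SHA-256 fingerprints (hex) of the DER of every CERTIFICATE block in a PEM file."""
    return [hashlib.sha256(base64.b64decode(b"".join(m.group(1).split()))).hexdigest()
            for m in PEM_RE.finditer(Path(path).read_bytes())]

def index_dir(directory):
    """Map fingerprint -> file for the .pem/.crt files directly inside a directory (may be absent)."""
    d = Path(directory)
    files = sorted(p for p in d.iterdir() if p.suffix.lower() in (".pem", ".crt")) if d.is_dir() else []
    return {fp: p for p in files for fp in pem_fingerprints(p)}

def plan_removal(cert_path, anchors_dir, cadir, blacklist_dir):
    """Decide how to untrust cert_path, following the answer above:
    "delete": a manually added anchor -> rm the file, then run update-ca-trust;
    "blacklist": present only in the extracted bundle (Mozilla/nss-trust) -> copy it to the blacklist dir."""
    fps = set(pem_fingerprints(cert_path))
    for action, idx in (("already-blacklisted", index_dir(blacklist_dir)),
                        ("delete", index_dir(anchors_dir)),
                        ("blacklist", index_dir(cadir))):
        hit = fps.intersection(idx)
        if hit:
            return action, str(idx[hit.pop()])
    return "not-found", None

def fake_pem(seed):
    """Constructed stand-in: PEM framing around arbitrary bytes, NOT a real X.509 certificate."""
    body = base64.b64encode(hashlib.sha256(seed).digest() * 4).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(
        body[i:i + 64] for i in range(0, len(body), 64))

def demo():
    """Build a constructed trust-store layout in a temp dir and classify three certificates."""
    root = Path(tempfile.mkdtemp())
    anchors, cadir, bl = root / "source/anchors", root / "extracted/cadir", root / "source/blacklist"
    for d in (anchors, cadir, bl):
        d.mkdir(parents=True)
    (anchors / "corp-root.pem").write_text(fake_pem(b"corp"))         # dropped in by hand earlier
    (cadir / "corp-root.pem").write_text(fake_pem(b"corp"))           # update-ca-trust extracts anchors too
    (cadir / "Bundled_Root_CA.pem").write_text(fake_pem(b"bundled"))  # ships with the Mozilla bundle
    results = {}
    for name in ("corp", "bundled", "unknown"):
        (root / f"{name}.pem").write_text(fake_pem(name.encode()))
        results[name] = plan_removal(root / f"{name}.pem", anchors, cadir, bl)[0]
    return results
```

Running demo() reports "delete" for the hand-added anchor, "blacklist" for the bundled CA and "not-found" for a certificate that is in neither directory.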

Source: https://serverfault.com/questions/1025749