rated 0 times [  2] [ 0]  / answers: 1 / hits: 664  / 2 Years ago, tue, april 19, 2022, 9:53:12

I want to disable CAs that are under control of a country that's waging war against mine, how can I do it? I see one right away. The question still stands even if you are convinced there are none, it's not about whether there are matching CAs.


sudo dpkg-reconfigure ca-certificates

Doesn't show the Yandex CA that's listed on the about:certificate page in Firefox, and there is no way to disable it there, unfortunately. It was issued by Unizeto Technologies S.A., Poland, and this one is listed in the ca-certificates list.



 Answers
1

Remove unwanted certificate in local Firefox user profile


Sure thing, I will copy the answer... To remove an unwanted root CA from your personal Firefox certificate store, you have to install libnss3-tools and remove the unwanted root CA via certutil:


$ sudo apt install libnss3-tools --yes
$ certutil -D -d ~/.mozilla/firefox/{profile}/ -n "{CA nickname}"

However, I want to focus on the much more generic, user-agnostic and system-wide solution.


Use system-wide certificate store for all Firefox users (and remove untrusted root CA for everyone)


By default, Firefox uses its own certificate store, which contains hard-coded root CAs. On the first start, these certificates are copied into the user's Firefox profile. For these built-in certificates, a PKCS-11 module is used:


Firefox default PKCS-11


This built-in PKCS-11 module can be changed by replacing the Firefox libnssckbi.so library with the p11-kit library.


$ sudo apt install p11-kit --yes
$ sudo mv /usr/lib/firefox/libnssckbi.so /usr/lib/firefox/libnssckbi.so.backup
$ sudo ln -s /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so /usr/lib/firefox/libnssckbi.so
$ sudo dpkg-divert --package firefox --add --rename \
    --divert /usr/lib/firefox/libnssckbi.so.backup /usr/lib/firefox/libnssckbi.so


In short:



  • Install p11-kit package

  • Move default PKCS-11 device library from libnssckbi.so to libnssckbi.so.backup

  • Create link to p11-kit library for libnssckbi.so

  • Register package diversion, to avoid link replacement, when Firefox receives an update


After these steps, restart Firefox and check out the PKCS-11 module and the registered root CAs:


p11-kit module


If the trusted root CAs are modified by sudo dpkg-reconfigure ca-certificates, all Firefox instances will be affected immediately.


[#751] Wednesday, April 20, 2022, 2 Years  [reply] [flag answer]
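
An added example, not part of the original answer: a small shell audit that checks whether libnssckbi.so is still the link to p11-kit-trust.so and whether the dpkg diversion is registered, so a package update that undoes the change is noticed. The function names are hypothetical; the default path is the one used in the answer.

```shell
# Added example: audit the state left by the steps in the answer above.
# Function names are hypothetical; the default path is the one used there.

# Print what DIR/libnssckbi.so currently is:
#   p11-kit      symlink resolving to a file named p11-kit-trust.so
#   builtin      regular file, i.e. not replaced by a link
#   broken-link  symlink whose target no longer exists
#   other-link   symlink to some other file
#   missing      nothing at that path
nss_trust_state() {
    lib="$1/libnssckbi.so"
    if [ -L "$lib" ]; then
        [ -e "$lib" ] || { echo broken-link; return 0; }
        target=$(readlink -f "$lib") || target=""
        case "${target##*/}" in
            p11-kit-trust.so) echo p11-kit ;;
            *) echo other-link ;;
        esac
    elif [ -f "$lib" ]; then
        echo builtin
    else
        echo missing
    fi
}

# Print whether dpkg has a diversion registered for FILE (absolute path).
diversion_state() {
    command -v dpkg-divert >/dev/null 2>&1 || { echo unknown; return 0; }
    real=$(dpkg-divert --truename "$1" 2>/dev/null) || { echo unknown; return 0; }
    if [ "$real" != "$1" ]; then echo diverted; else echo not-diverted; fi
}

# Report both checks; rerun after every Firefox package update.
audit_firefox_trust() {
    dir="${1:-/usr/lib/firefox}"
    echo "trust module: $(nss_trust_state "$dir")"
    echo "diversion:    $(diversion_state "$dir/libnssckbi.so")"
}
```

Run `audit_firefox_trust` with no argument to check /usr/lib/firefox; a result of `builtin` means Firefox is back on its own bundled root list rather than the system store.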
sharall
