How to permanently delete root CAs from mozilla products?

Craig White craigwhite at azapple.com
Sat Sep 17 11:36:10 UTC 2011


On Sat, 2011-09-17 at 13:28 +0200, Christoph A. wrote:
> > I believe that as part of your login/usage of Firefox & Thunderbird, a
> > profile is created in ~/.mozilla (FF) and ~/.thunderbird (TB) and within
> > each of your profiles is a file cert8.db file which is a personalized
> > version of the certificate store relevant only to your profile. This is
> > what you are maintaining when you 'manage' certificates within FF/TB
> > Security settings.
> 
> I thought so too till I noticed that my modifications in mozilla's
> "certificate manager" are non-persistent, but you are probably right.
> 
> By "non-persistent" I mean the following:
> - I remove a root CA in the "Authorities" tab of mozilla's "certificate
> manager" by hitting the delete button
> - I close the certificate manager
> - I reopen the certificate manager
> - The - previously removed - root CA is again there.
> In general this procedure is described here:
> https://support.mozilla.com/en-US/kb/deleting-diginotar-ca-cert
> (but I'm doing it with other root CAs)
> Why are modifications to mozilla's root certificate list non-persistent?
> How do I permanently delete a root CA from the trusted list?
> 
> Update:
> Now while writing this email and doing some tests I realized that the CA
> is still listed but the trust flag is removed (you can see it if you
> click "Edit...").
> The problem with this is: I can't easily distinguish which CAs are
> trusted and which are not (I have to click "Edit..." on every CA to see
> the trust settings). It would be much easier to delete all but a few of
> them (according to my policy and needs). Is that possible?
----
I remember having to delete a certificate 2 times to actually physically
remove it - the first time sets it to untrusted and the second one
finally purges it, but I think from a safety point of view, it is probably
better to only delete it 1 time to set it to non-trusted and leave it
there so there is no ambiguity - it is not to be trusted.

Yes, there is no easy way to distinguish trusted/non-trusted
certificates without actually viewing them.

Craig



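The trust-flag ambiguity raised in the thread can be resolved outside the GUI: NSS keeps a trust attribute string per certificate and `certutil -L -d <profile dir>` (NSS tools, assumed installed) prints it as the last column. The script below is an added example, not part of the thread; it parses a constructed listing in that format and separates CAs whose SSL trust field carries C from those with no trust or explicit distrust.

```shell
#!/bin/sh
# Added example, not part of the original thread. NSS keeps a trust attribute
# string per certificate; `certutil -L -d <profile dir>` (NSS tools, assumed
# installed) prints it as the last column. The SSL field is the first
# comma-separated part: 'C' = trusted CA for server certs, 'p' = explicitly
# distrusted, empty = no trust (the state the thread describes after one
# "delete"). The listing below is CONSTRUCTED sample data in that format.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Builtin Object Token:Example Trusted Root                    CT,C,C
Builtin Object Token:Example Untrusted Root                  ,,
Builtin Object Token:Example Distrusted Root                 p,p,p
Example Internal CA                                          C,,
'

# Shared filter: MODE "trusted" prints nicknames whose SSL field contains C,
# MODE "untrusted" prints the rest. Usage: filter_by_ssl_trust MODE "$listing"
filter_by_ssl_trust() {
    printf '%s\n' "$2" | awk -v mode="$1" '
        # Skip the two header lines and any blank line.
        NR <= 2 || NF == 0 { next }
        {
            # Trust attributes are the last whitespace-separated field.
            split($NF, f, ",")
            trusted = (index(f[1], "C") > 0)
            want = (mode == "trusted")
            if (trusted == want) {
                # Drop the attribute column to recover the nickname.
                sub(/[[:space:]]+[^[:space:]]+$/, "")
                print
            }
        }'
}

list_ssl_trusted_cas()   { filter_by_ssl_trust trusted   "$1"; }
list_ssl_untrusted_cas() { filter_by_ssl_trust untrusted "$1"; }

echo "Trusted to issue server certificates:"
list_ssl_trusted_cas "$SAMPLE_LISTING"
echo "Not trusted (no trust or explicitly distrusted):"
list_ssl_untrusted_cas "$SAMPLE_LISTING"
```

Pipe real `certutil -L` output into the same functions to audit a profile's trust settings without opening "Edit..." on every entry.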


