我正在尝试删除根 CA 证书,但trust anchor --remove官方指定的命令Red Hat 8 文档给出只读错误。
sudo trust anchor --remove --verbose "pkcs11:id=%c6%41%4f%df%64%5d%6c%2c%7b%ca%bc%bd%3e%b2%d4%85%cd%59%a7%49;type=cert"
(p11-kit:2482) remove_all: removing certificate: 19
p11-kit: couldn't remove read-only certificate
文档中没有关于此事的任何内容。
答案1
我在文档中也找不到任何重制版。不过,该命令似乎trust将手动添加到系统范围的信任存储作为只读证书并且不支持删除这些证书。
您要删除的证书可能是手动或通过脚本复制到目录/etc/pki/ca-trust/source/anchors/或/etc/pki/ca-trust/source/(/etc/ca-certificates/trust-source/在 Arch Linux 上)。您仍然可以手动删除它:
sudo rm /etc/ca-certificates/trust-source/example.pem
您需要update-ca-trust随后运行以应用更改:
sudo /usr/bin/update-ca-trust
# test if CA certificate is not trusted anymore:
curl -sv https://example.com
查看手册页更新 CA 信任 (8)了解有关该命令的更多信息。
此行为与通过命令添加的证书不同trust。这些证书在系统范围的信任存储中具有扩展名.p11-kit,并且格式与导入的 PEM 文件不同:
# This file has been auto-generated and written by p11-kit. Changes will be
# unceremoniously overwritten.
[...]
[p11-kit-object-v1]
[...]
删除或将 Mozilla CA / nss-trust 证书列入黑名单
使用该命令删除/不信任 Mozilla CA / nss-trust 证书颁发机构也会失败trust(至少在 Arch Linux 上):
$ sudo trust anchor --remove --verbose pkcs11:id=%C4%A7%B1%A4%7B%2C%71%FA%DB%E1%4B%90%75%FF%C4%15%60%85%89%10;type=cert
(p11-kit:10401) remove_all: removing certificate: 103
p11-kit: couldn't remove read-only certificate
(p11-kit:10401) remove_all: removing x-trust-assertion: 460
p11-kit: couldn't remove read-only x-trust-assertion
(p11-kit:10401) remove_all: removing nss-trust: 461
p11-kit: couldn't remove read-only nss-trust
p11-kit: 3 errors while processing
如果您想要不信任此列表中的证书颁发机构,您可以将证书复制到黑名单目录:
sudo cp /etc/pki/ca-trust/extracted/cadir/DST_Root_CA_X3.pem /etc/pki/ca-trust/source/blacklist
# or on Arch Linux:
sudo cp /etc/ca-certificates/extracted/cadir/DST_Root_CA_X3.pem /etc/ca-certificates/trust-source/blacklist
# apply the changes:
sudo /usr/bin/update-ca-trust
在此示例中,Let's Encrypt 的根 CA 不受信任。您可以使用以下命令测试curl黑名单是否成功:
curl -sv https://serverfault.com