"update-ca-certificates" to Disable CA Certificate

This section provides a tutorial example on how to use the "update-ca-certificates" command to disable an existing root CA certificate in the trust store on Linux systems.

If you want to disable a root CA certificate in the ca-certificates trust store, you can also use the "update-ca-certificates" command provided in the "ca-certificates" package. Here are the steps you should follow:

1. Mark the root CA certificate as disabled by prefixing its entry with "!" in the ca-certificates configuration file /etc/ca-certificates.conf:

herong$ sudo vi /etc/ca-certificates.conf

...
mozilla/UCA_Global_G2_Root.crt
mozilla/vTrus_ECC_Root_CA.crt
mozilla/vTrus_Root_CA.crt
!ZZ-Root-CA.crt

2. Run "update-ca-certificates" command to update the ca-certificates trust store:

herong$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
rehash: warning: skipping ca-certificates.crt, it does not contain 
  exactly one certificate or CRL
0 added, 1 removed; done.
Running hooks in /etc/ca-certificates/update.d...

Removing debian:ZZ-Root-CA.pem
done.

Updating Mono key store
Linux Cert Store Sync - version 4.6.2.0
Synchronize local certs with certs from local Linux trust store.

I already trust 137, your new list has 137
Import process completed.
done.

3. Verify the ca-certificates PEM store:

herong$ more ZZ-Root-CA.pem

-----BEGIN CERTIFICATE-----
MIIB+zCCAYKgAwIBAgIJAIZgMcdaWuMDMAkGByqGSM49BAEwIjELMAkGA1UEBhMC
WloxEzARBgNVBAMTClpaIFJvb3QgQ0EwHhcNMjQxMTI0MTMwNzA4WhcNMjQxMjI0
MTMwNzA4WjAiMQswCQYDVQQGEwJaWjETMBEGA1UEAxMKWlogUm9vdCBDQTB2MBAG
...

herong$ grep \
  'MTMwNzA4WjAiMQswCQYDVQQGEwJaWjETMBEGA1UEAxMKWlogUm9vdCBDQTB2MBAG' \
  /etc/ssl/certs/ca-certificates.crt

  (no matches)

herong$ ls -l /etc/ssl/certs/ | grep ZZ 

  (no matches)

4. Verify the ca-certificates JKS store:

herong$ keytool -list -keystore /etc/ssl/certs/java/cacerts \
  -storepass changeit | grep zz 
  
  Warning: use -cacerts option to access cacerts keystore
  (no matches)
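As an added example (not part of this tutorial), the following Python script performs the check from step 3 without relying on a single base64 line: it parses the "!" entries in the ca-certificates.conf format, fingerprints every certificate in the bundle by its decoded DER body, and reports any disabled CA that is still present. The conf text and PEM blobs are constructed placeholders; in real use you would read /etc/ca-certificates.conf, /etc/ssl/certs/ca-certificates.crt, and the source PEM file of each disabled name.

```python
import base64
import hashlib
import re
# Matches each PEM block in a single file or in the concatenated bundle.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def parse_conf(text):
    """Split ca-certificates.conf into (enabled, disabled) names; '!' marks disabled."""
    enabled, disabled = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments
        (disabled if line.startswith("!") else enabled).append(line.lstrip("!"))
    return enabled, disabled

def pem_fingerprints(pem_text):
    """SHA-256 of each DER body; independent of base64 line wrapping."""
    return {hashlib.sha256(base64.b64decode("".join(m.group(1).split()))).hexdigest()
            for m in PEM_RE.finditer(pem_text)}

def audit(conf_text, bundle_text, pem_by_name):
    """Names disabled in the conf whose certificate still appears in the bundle."""
    _, disabled = parse_conf(conf_text)
    bundle_fps = pem_fingerprints(bundle_text)
    return sorted(n for n in disabled
                  if n in pem_by_name and pem_fingerprints(pem_by_name[n]) & bundle_fps)

def fake_pem(payload, width=64):
    """Constructed placeholder PEM (not a real X.509 certificate) for the demo."""
    b64 = base64.b64encode(payload).decode()
    body = "\n".join(b64[i:i + width] for i in range(0, len(b64), width))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed sample data mirroring the tutorial's state.
CONF = """# ca-certificates.conf: '!' prefix disables an entry
mozilla/UCA_Global_G2_Root.crt
mozilla/vTrus_Root_CA.crt
!ZZ-Root-CA.crt
"""
ZZ_PEM = fake_pem(b"placeholder body for ZZ-Root-CA" * 4)
VTRUS_PEM = fake_pem(b"placeholder body for vTrus_Root_CA" * 4)
# Before the update: ZZ still in the bundle, re-wrapped at 76 columns so a
# single-line grep would miss it; after the update: only vTrus remains.
BUNDLE_BEFORE = fake_pem(b"placeholder body for ZZ-Root-CA" * 4, width=76) + VTRUS_PEM
BUNDLE_AFTER = VTRUS_PEM

if __name__ == "__main__":
    print(audit(CONF, BUNDLE_BEFORE, {"ZZ-Root-CA.crt": ZZ_PEM}))  # ['ZZ-Root-CA.crt']
    print(audit(CONF, BUNDLE_AFTER, {"ZZ-Root-CA.crt": ZZ_PEM}))   # []
```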
