6

I want to disable CAs that are under control of a country that's waging war against mine, how can I do it? I see one right away. The question still stands even if you are convinced there are none, it's not about whether there are matching CAs.

sudo dpkg-reconfigure ca-certificates

Doesn't show the Yandex CA that's listed on the about:certificate page in Firefox, and there is no way to disable it there, unfortunately. It was issued by Unizeto Technologies S.A., Poland, and this one is listed in the ca-certificates list.

int_ua
  • 8,574
  • Are you certain the Yandex CA is in ca-certificates? It might be independently in the Firefox cert store, which is different from system ca-certificates and can only be managed within Firefox. Some details about where you are seeing the CA cert listed will help. – Thomas Ward Mar 10 '22 at 21:20
  • Reviewers and Flaggers: Regardless of the current geopolitical climate, this question is not off-topic, nor rude or abusive, nor "opinion based", and can be rewritten to "How do I disable a given CA cert system-wide". This does not require closing at this time. – Thomas Ward Mar 10 '22 at 21:24
  • Firefox has its own cert store independent of the system CAs. You have to remove/disable certs in the Firefox cert store from within Firefox and its certificates panel in settings. – Thomas Ward Mar 10 '22 at 21:25
  • It's a bit late here and I don't see a way to disable it through Firefox, unfortunately. Thank you, I'll be back after resting for some time. – int_ua Mar 10 '22 at 21:38
  • There is a good answer to this question here... So I would vote to close this, because it is a duplicate. – Simon Sudler Mar 10 '22 at 21:59
  • @SimonSudler almost, thank you. See the answer I've added, please copy it to close this question sooner. – int_ua Mar 11 '22 at 16:38

2 Answers

2

The suggested question helped but answers there do not contain the relevant example:

sudo apt install libnss3-tools
certutil -D -d ~/.mozilla/firefox/{profile}/ -n "{CA nickname}"

Simon, can you please copy this answer with any modifications and I'll mark it as solved?

int_ua
  • 8,574
2

Remove unwanted certificate in local Firefox user profile

Sure thing, I will copy the answer... To remove an unwanted root CA from your personal Firefox certificate store, you have to install libnss3-tools and remove the unwanted root CA via certutil:

$ sudo apt install libnss3-tools --yes
$ certutil -D -d ~/.mozilla/firefox/{profile}/ -n "{CA nickname}"

However, I want to focus on the much more generic, user-agnostic and system-wide solution.

Use the system-wide certificate store for all Firefox users (and remove an untrusted root CA for everyone)

By default, Firefox uses its own certificate store, which contains hard-coded root CAs. On the first start, these certificates are copied into the user's Firefox profile. For these built-in certificates a PKCS-11 module is used:

[screenshot: Firefox default PKCS-11 module]

This built-in PKCS-11 module can be swapped out by replacing Firefox's libnssckbi.so library with the p11-kit trust library.

$ sudo apt install p11-kit --yes
# Register the diversion before creating the link: --rename moves the original
# libnssckbi.so to libnssckbi.so.backup (dpkg-divert aborts if the backup already
# exists), and --local keeps the diversion in force when the firefox package itself
# is upgraded (--package firefox would exempt firefox's own copy and let an update
# overwrite the link).
$ sudo dpkg-divert --local --add --rename \
  --divert /usr/lib/firefox/libnssckbi.so.backup /usr/lib/firefox/libnssckbi.so
$ sudo ln -s /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so /usr/lib/firefox/libnssckbi.so

In short:

  • Install the p11-kit package
  • Register a dpkg diversion for libnssckbi.so, which moves the default PKCS-11 module library aside to libnssckbi.so.backup and keeps a Firefox package update from putting it back
  • Create a libnssckbi.so link to the p11-kit trust library

After these steps, restart Firefox and check the PKCS-11 module and the registered root CAs:

[screenshot: p11-kit module listed in Firefox's security devices]

If the trusted root CAs are modified by sudo dpkg-reconfigure ca-certificates, all Firefox instances will be affected immediately.

Simon Sudler
  • 3,931
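As an added example (not part of either answer, and not Mozilla's or p11-kit's own tooling), the following POSIX shell helpers cover both routes discussed above: removing a CA by nickname from every local Firefox profile with certutil (resolving the `{profile}` placeholder from profiles.ini rather than guessing it), and, for the p11-kit variant, checking that Firefox really loads the p11-kit trust module and deselecting a CA in /etc/ca-certificates.conf without the dpkg-reconfigure dialog. The function names are mine; assumed paths are ~/.mozilla/firefox/profiles.ini, /usr/lib/firefox/libnssckbi.so and /etc/ca-certificates.conf, and the `sql:` database prefix for certutil.

```shell
#!/bin/sh
# Added example, not from either answer. Assumed paths:
# ~/.mozilla/firefox/profiles.ini, /usr/lib/firefox/libnssckbi.so,
# /etc/ca-certificates.conf. The CA nickname/name is a placeholder argument.

# Print the directory of every profile listed in a profiles.ini ($1).
# Relative Path= entries are resolved against the directory of the ini file.
firefox_profile_dirs() {
    awk -v base="$(dirname "$1")" '
        function flush() { if (path != "") print (rel ? base "/" path : path); path = ""; rel = 1 }
        BEGIN           { rel = 1 }
        /^\[/           { flush() }
        /^IsRelative=0/ { rel = 0 }
        /^Path=/        { path = substr($0, 6) }
        END             { flush() }
    ' "$1"
}

# Delete the certificate with nickname $1 from every profile's NSS database
# (cert9.db). Profiles that do not contain it are reported and skipped.
# Requires libnss3-tools (certutil) and a closed Firefox, which locks the DB.
remove_ca_from_firefox_profiles() {
    nick="$1"; ini="${2:-$HOME/.mozilla/firefox/profiles.ini}"
    firefox_profile_dirs "$ini" | while IFS= read -r dir; do
        if certutil -L -d "sql:$dir" -n "$nick" >/dev/null 2>&1; then
            certutil -D -d "sql:$dir" -n "$nick" && echo "removed '$nick' from $dir"
        else
            echo "'$nick' not present in $dir"
        fi
    done
}

# Return 0 if libnssckbi.so in a Firefox lib dir ($1, default /usr/lib/firefox)
# is a symlink that resolves to p11-kit-trust.so, 1 otherwise.
firefox_uses_p11kit() {
    lib="${1:-/usr/lib/firefox}/libnssckbi.so"
    [ -L "$lib" ] || return 1
    case "$(readlink -f "$lib")" in
        */p11-kit-trust.so) return 0 ;;
        *)                  return 1 ;;
    esac
}

# Prefix every still-selected line of a ca-certificates.conf ($1) whose file
# name contains $2 (case-insensitive, fixed string) with "!", the marker
# update-ca-certificates uses for deselected certificates. Prints how many
# lines this call changed, so a second run on the same input prints 0.
deselect_ca() {
    conf="$1"; pat="$2"
    n=$(grep -v '^[#!]' "$conf" | grep -iFc -- "$pat" || true)
    lpat=$(printf '%s' "$pat" | tr '[:upper:]' '[:lower:]')
    awk -v pat="$lpat" '
        /^[#!]/                     { print; next }   # comments and already-deselected lines
        index(tolower($0), pat) > 0 { print "!" $0; next }
        { print }
    ' "$conf" > "$conf.tmp.$$" && mv "$conf.tmp.$$" "$conf"
    echo "$n"
}

# System-wide variant (run as root): deselect, then rebuild /etc/ssl/certs.
# With the p11-kit module in place, every Firefox profile follows this store.
distrust_system_ca() {
    if [ "$(deselect_ca /etc/ca-certificates.conf "$1")" -gt 0 ]; then
        update-ca-certificates
    fi
}

# Usage: ./script.sh profile "CA nickname"   or   sudo ./script.sh system "CA_Name"
if [ "$#" -eq 2 ]; then
    case "$1" in
        profile) remove_ca_from_firefox_profiles "$2" ;;
        system)  distrust_system_ca "$2" ;;
    esac
fi
```

certutil -D only acts on entries stored in the profile's own cert9.db; a root that is present solely in Firefox's built-in module cannot be deleted this way, which is the case the system-wide p11-kit route is for. After `distrust_system_ca`, `firefox_uses_p11kit` confirms the link is what Firefox actually loads, and `trust list` can be used to confirm the CA is gone from the p11-kit view of the store.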