she*_*ale 7 linux redhat centos arch-linux ssl-certificate
I'm trying to remove a root CA certificate, but the trust anchor --remove command given in the official Red Hat 8 documentation returns a read-only error.
sudo trust anchor --remove --verbose "pkcs11:id=%c6%41%4f%df%64%5d%6c%2c%7b%ca%bc%bd%3e%b2%d4%85%cd%59%a7%49;type=cert"
(p11-kit:2482) remove_all: removing certificate: 19
p11-kit: couldn't remove read-only certificate
The documentation says nothing about this.
小智 11
I couldn't find anything about this in the documentation either. However, the trust command appears to treat certificates that were added manually to the system-wide trust store as read-only, and it does not support removing them.
The certificate you want to remove was probably copied manually or by a script into /etc/pki/ca-trust/source/anchors/ or /etc/pki/ca-trust/source/ (/etc/ca-certificates/trust-source/ on Arch Linux). You can still remove it manually:
sudo rm /etc/ca-certificates/trust-source/example.pem
Afterwards you need to run update-ca-trust to apply the change:
sudo /usr/bin/update-ca-trust
# test if CA certificate is not trusted anymore:
curl -sv https://example.com
For more information on that command, see the man page update-ca-trust(8).
This behaviour differs from certificates that were added with the trust command. Those have a .p11-kit extension in the system-wide trust store, and their format also differs from an imported PEM file:
# This file has been auto-generated and written by p11-kit. Changes will be
# unceremoniously overwritten.
[...]
[p11-kit-object-v1]
[...]
Removing / blacklisting Mozilla CA / nss-trust certificates
Removing or distrusting a Mozilla CA / nss-trust certificate authority with the trust command fails as well (at least on Arch Linux):
$ sudo trust anchor --remove --verbose pkcs11:id=%C4%A7%B1%A4%7B%2C%71%FA%DB%E1%4B%90%75%FF%C4%15%60%85%89%10;type=cert
(p11-kit:10401) remove_all: removing certificate: 103
p11-kit: couldn't remove read-only certificate
(p11-kit:10401) remove_all: removing x-trust-assertion: 460
p11-kit: couldn't remove read-only x-trust-assertion
(p11-kit:10401) remove_all: removing nss-trust: 461
p11-kit: couldn't remove read-only nss-trust
p11-kit: 3 errors while processing
If you don't want to trust a certificate authority from that list, you can copy the certificate into the blacklist directory.
In this example, Let's Encrypt's root CA is untrusted. You can test with curl whether blacklisting succeeded.
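A scripted form of the two workarounds in this answer (locating and deleting the hand-copied anchor file behind a pkcs11 URI and rebuilding the store, then blacklisting a bundled Mozilla CA), written as an added example rather than code from the answer. It assumes the RHEL/CentOS directory layout (set SOURCE_DIR to /etc/ca-certificates/trust-source for Arch Linux), that openssl is installed, that p11-kit derives the pkcs11 id from the certificate's Subject Key Identifier (which is how the two ids on this page line up with their certificates), and that trust extract with a pkcs11 URI filter can write the single CA into the blacklist directory documented in update-ca-trust(8). The function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original answer: script the two workarounds
# above. Assumes the RHEL/CentOS layout under /etc/pki/ca-trust/source; set
# SOURCE_DIR=/etc/ca-certificates/trust-source for Arch Linux. Needs openssl
# for the key-id lookup; the rest is POSIX sh. Run as root for the real thing.
SOURCE_DIR="${SOURCE_DIR:-/etc/pki/ca-trust/source}"

# Turn the pkcs11: URI printed by `trust list` into bare uppercase hex.
# Assumption: p11-kit fills the id (CKA_ID) from the certificate's Subject
# Key Identifier, so this hex string can be matched against the PEM files.
pkcs11_id_to_hex() {
  printf '%s\n' "$1" | sed -n 's/.*id=\([^;]*\).*/\1/p' | tr -d '%' | tr 'a-f' 'A-F'
}

# How did a file get into the store? "p11-kit": written by `trust anchor`,
# so `trust anchor --remove` can delete it. "pem": copied in by hand, which
# `trust` treats as read-only; delete the file instead.
source_kind() {
  if grep -q '^\[p11-kit-object-v1\]' "$1" 2>/dev/null; then echo p11-kit
  elif grep -q '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then echo pem
  else echo unknown
  fi
}

# Subject Key Identifier of a certificate file as bare uppercase hex.
cert_skid() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | awk '/Subject Key Identifier/ { getline; gsub(/[: ]/, ""); print toupper($0); exit }'
}

# Locate the hand-copied file behind a pkcs11 URI (the object that
# `trust anchor --remove` cannot delete). Prints the path, or fails.
find_anchor() {
  hex=$(pkcs11_id_to_hex "$1")
  for f in "$SOURCE_DIR"/anchors/* "$SOURCE_DIR"/*.pem "$SOURCE_DIR"/*.crt; do
    [ -f "$f" ] || continue
    [ "$(source_kind "$f")" = pem ] || continue
    if [ "$(cert_skid "$f")" = "$hex" ]; then printf '%s\n' "$f"; return 0; fi
  done
  echo "no manually added anchor matches $1" >&2
  return 1
}

# Delete the source file, rebuild the consolidated store, and confirm that
# p11-kit no longer lists the certificate before declaring success.
remove_anchor() {
  f=$(find_anchor "$1") || return 1
  rm -v -- "$f"
  update-ca-trust
  if [ -n "$(trust list --filter="$1")" ]; then
    echo "still present after update-ca-trust: $1" >&2; return 1
  fi
  echo "removed: $1"
}

# Distrust a bundled (Mozilla / nss-trust) CA, which cannot be removed at
# all: a copy of the certificate in the blacklist directory marks it as
# untrusted on the next update-ca-trust run (see update-ca-trust(8)).
blacklist_ca() {
  out="$SOURCE_DIR/blacklist/$(pkcs11_id_to_hex "$1").pem"
  trust extract --format=pem-bundle --filter="$1" --overwrite "$out"
  update-ca-trust
  echo "blacklisted via $out; verify with curl -sv against a host that chains to it"
}

case "${1:-}" in
  remove)    remove_anchor "$2" ;;
  blacklist) blacklist_ca "$2" ;;
esac
```

Usage as root: ./trust-fix.sh remove 'pkcs11:id=%c6%41...;type=cert' or ./trust-fix.sh blacklist 'pkcs11:id=%C4%A7...;type=cert'. The remove path refuses to report success until trust list no longer shows the certificate, which is a stricter version of the curl check in the answer; the blacklist path leaves the bundled certificate in place (it is read-only to p11-kit either way) and only flips its trust.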