PKI Certificate Tutorials - Herong's Tutorial Examples - v1.13, by Herong Yang
"update-ca-trust" to Distrust CA Certificate
This section provides a tutorial example on distrusting (blacklisting) a system-installed CA certificate in the Trust Store using the 'update-ca-trust' command on Red Hat-based computers.
If you want to disable (distrust or blacklist) a CA certificate installed by the system using the "update-ca-trust" command, you should follow these steps:
1. Identify the CA certificate you want to disable using the "trust list" command.
herong$ trust list | grep -B 3 -A 3 "Amazon Root CA 4"
pkcs11:id=%D3%EC%C7%3A%65%6E%CC%E1%DA%76%9A%56%FB%9C%F3%86%6D%57%E5%81;type=cert
type: certificate
label: Amazon Root CA 4
trust: anchor
category: authority
2. Export the CA certificate in PEM format.
herong$ trust extract \
  --filter="pkcs11:id=%D3%EC%C7%3A%65%6E%CC%E1%DA%76%9A%56%FB%9C%F3%86%6D%57%E5%81;type=cert" \
  --format=pem-bundle --overwrite Amazon-Root-CA-4.crt
3. Place the CA certificate in the blacklist sub-directory:
herong$ sudo cp Amazon-Root-CA-4.crt /etc/pki/ca-trust/source/blacklist/
4. Run the "update-ca-trust" command to scan those 6 input directories and update the Trust Store.
herong$ sudo update-ca-trust
5. Verify that the certificate is no longer present in the extracted PEM bundle file of the Trust Store. Pick one base64 line from the exported certificate and grep the bundle for it:
herong$ more Amazon-Root-CA-4.crt
-----BEGIN CERTIFICATE-----
MIIB8jCCAXigAwIBAgITBmyf18G7EEwpQ+Vxe3ssyBrBDjAKBggqhkjOPQQDAzA5
MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6b24g
Um9vdCBDQSA0MB4XDTE1MDUyNjAwMDAwMFoXDTQwMDUyNjAwMDAwMFowOTELMAkG
...
herong$ grep \
  'Um9vdCBDQSA0MB4XDTE1MDUyNjAwMDAwMFoXDTQwMDUyNjAwMDAwMFowOTELMAkG' \
  /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
(no matches)
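Grepping for one base64 line works only if the bundle wraps its base64 at the same width as the exported file. A more robust verification is to compare SHA-256 fingerprints, which are computed over the DER encoding and therefore do not depend on line wrapping. The following Python script is an added example, not part of the tutorial: it parses a PEM bundle, fingerprints every certificate in it, and reports whether the blacklisted certificate is still present. The sample "certificates" it embeds are constructed byte strings shaped like PEM blocks, not real X.509 certificates; on a real system you would pass the exported .crt file and /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem instead.

```python
import base64
import hashlib
import re

# Matches one PEM certificate block; the captured body is base64, usually
# wrapped at 64 columns, possibly surrounded by comment lines in a bundle.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der_list(pem_text):
    """Return the DER bytes of every certificate in a PEM file or bundle."""
    ders = []
    for body in _PEM_BLOCK.findall(pem_text):
        # Drop line wrapping before decoding; wrap width varies between tools.
        ders.append(base64.b64decode("".join(body.split())))
    return ders


def sha256_fingerprint(der):
    """SHA-256 over the DER encoding, formatted like the output of
    'openssl x509 -fingerprint -sha256' (colon-separated upper-case hex)."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def still_trusted(cert_pem, bundle_pem):
    """True if any certificate in bundle_pem has the same SHA-256 fingerprint
    as the first certificate in cert_pem."""
    cert_ders = pem_to_der_list(cert_pem)
    if not cert_ders:
        raise ValueError("no certificate found in cert_pem")
    target = sha256_fingerprint(cert_ders[0])
    return any(sha256_fingerprint(d) == target for d in pem_to_der_list(bundle_pem))


def _fake_pem(payload):
    """Wrap arbitrary bytes as a PEM-shaped 'certificate'. Constructed test
    data only: not a real X.509 certificate, just enough structure to
    exercise the bundle scan offline."""
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed sample data: a stand-in for the blacklisted root, another root,
# and the bundle as it would look before and after update-ca-trust ran.
BLACKLISTED = _fake_pem(b"constructed: Amazon Root CA 4 stand-in " * 4)
OTHER_ROOT = _fake_pem(b"constructed: some other root " * 5)
BUNDLE_BEFORE = "# Amazon Root CA 4 stand-in\n" + OTHER_ROOT + BLACKLISTED
BUNDLE_AFTER = OTHER_ROOT


def demo():
    """Check the stand-in certificate against both bundle versions."""
    return (still_trusted(BLACKLISTED, BUNDLE_BEFORE),
            still_trusted(BLACKLISTED, BUNDLE_AFTER))


if __name__ == "__main__":
    before, after = demo()
    print("before update-ca-trust, still trusted:", before)  # True
    print("after  update-ca-trust, still trusted:", after)   # False
```

On a Red Hat system the real check is `still_trusted(open("Amazon-Root-CA-4.crt").read(), open("/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem").read())`, which should return False once step 4 has been run; a True result means the blacklist entry was not picked up (for example because the file was placed in the wrong directory or update-ca-trust was not re-run).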