
I want to disable CAs that are under the control of a country that's waging war against mine. How can I do it? I see one right away. The question still stands even if you are convinced there are none; it's not about whether there are matching CAs.

sudo dpkg-reconfigure ca-certificates

Doesn't show the Yandex CA that's listed on the about:certificate page in Firefox, and there is no way to disable it there, unfortunately. It was issued by Unizeto Technologies S.A., Poland, and this one is listed in the ca-certificates list.

int_ua

2 Answers

The suggested question helped but answers there do not contain the relevant example:

sudo apt install libnss3-tools
certutil -D -d ~/.mozilla/firefox/{profile}/ -n "{CA nickname}"

Simon, can you please copy this answer with any modifications and I'll mark it as solved?

int_ua
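An added example, not code from int_ua's answer: a small POSIX shell script that finds the CA nicknames in a Firefox profile database (from the output of certutil -L) that match a pattern and are trusted for SSL, then deletes them with the certutil -D command shown above. The sample listing, the "Suspect Org" pattern and the function names are constructed for the demo; the parser runs on the constructed listing so it can be checked without a profile, while the removal step needs certutil from libnss3-tools.

```shell
#!/bin/sh
# Added example, not code from int_ua's answer: list the CA nicknames in a
# Firefox profile database (from "certutil -L" output) that match a pattern
# and are trusted for SSL, then delete them with "certutil -D".
# The sample listing, the nickname pattern and the function names are
# constructed for the demo; certutil comes from the libnss3-tools package.

# Constructed sample of what "certutil -L -d <profile>" prints.
SAMPLE_LIST='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Corp Root CA                                         CT,C,C
Suspect Org Root CA                                          CT,C,C
Suspect Org Intermediate                                     ,,
My own client cert                                           u,u,u
'

# list_ca_nicknames PATTERN LISTING
# Prints, one per line, the nicknames in LISTING whose name matches PATTERN
# (an extended regular expression) and whose SSL trust flags contain "C",
# i.e. the entry is trusted to sign server certificates. Header and blank
# lines carry no "x,y,z" flag field and are skipped.
list_ca_nicknames() {
    pattern=$1
    listing=$2
    printf '%s\n' "$listing" | awk -v pat="$pattern" '
        NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            flags = $NF
            name = $0
            sub(/[ \t]+[^ \t]+$/, "", name)   # drop the trailing flag field
            sub(/^[ \t]+/, "", name)
            ssl = flags
            sub(/,.*/, "", ssl)                 # first field = SSL flags
            if (name ~ pat && ssl ~ /C/) print name
        }'
}

# remove_ca_nicknames PROFILE_DIR PATTERN
# Deletes every matching CA from the profile's certificate database and
# prints what it removes so the action is visible in the shell log.
remove_ca_nicknames() {
    profile=$1
    pattern=$2
    command -v certutil >/dev/null 2>&1 || {
        echo "certutil missing: sudo apt install libnss3-tools" >&2
        return 1
    }
    listing=$(certutil -L -d "$profile") || return 1
    list_ca_nicknames "$pattern" "$listing" | while IFS= read -r nick; do
        echo "removing CA '$nick' from $profile"
        certutil -D -d "$profile" -n "$nick"
    done
}

# Demo on the constructed listing; against a real profile you would run e.g.
#   remove_ca_nicknames ~/.mozilla/firefox/<profile> 'Suspect Org'
list_ca_nicknames 'Suspect Org' "$SAMPLE_LIST"
```

Matching on the SSL trust flag matters: an intermediate that is merely stored in the database (flags ",,") is not trusted by itself, so only entries with "C" in the first flag field are real trust anchors. Current Firefox profiles keep the database in cert9.db; on an NSS build that still defaults to the legacy cert8.db format, pass the directory as -d sql:~/.mozilla/firefox/<profile>. This only changes one profile, which is why the other answer moves on to the system-wide store.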

Remove unwanted certificate in local Firefox user profile

Sure thing, I will copy the answer... To remove an unwanted root CA from your personal Firefox certificate store, you have to install libnss3-tools and remove the unwanted root CA via certutil:

$ sudo apt install libnss3-tools --yes
$ certutil -D -d ~/.mozilla/firefox/{profile}/ -n "{CA nickname}"

However, I want to focus on the much more generic, user-agnostic and system-wide solution.

Use the system-wide certificate store for all Firefox users (and remove untrusted root CAs for everyone)

By default, Firefox uses its own certificate store, which contains hard-coded root CAs. On the first start, these certificates are copied into the user's Firefox profile. For these built-in certificates a PKCS-11 module is used:

[Screenshot: Firefox default PKCS-11 module]

This built-in PKCS-11 module can be changed by replacing the Firefox libnssckbi.so library with the p11-kit library.

$ sudo apt install p11-kit --yes
$ sudo mv /usr/lib/firefox/libnssckbi.so /usr/lib/firefox/libnssckbi.so.backup
$ sudo ln -s /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so /usr/lib/firefox/libnssckbi.so
# --local diverts every package's copy of the file (with "--package firefox" the
# firefox package itself would be exempt and its next update would overwrite the
# link); --rename is not needed because the file was already moved above
$ sudo dpkg-divert --local --add \
  --divert /usr/lib/firefox/libnssckbi.so.backup /usr/lib/firefox/libnssckbi.so

In short:

  • Install the p11-kit package
  • Move the default PKCS-11 device library from libnssckbi.so to libnssckbi.so.backup
  • Create a link to the p11-kit library at libnssckbi.so
  • Register a package diversion, so the link is not replaced when Firefox receives an update

After these steps, restart Firefox and check the PKCS-11 module and the registered root CAs:

[Screenshot: p11-kit module]

If the trusted root CAs are modified by sudo dpkg-reconfigure ca-certificates, all Firefox instances will be affected immediately.

Simon Sudler
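An added example, not Simon Sudler's code, to go with the procedure above: one shell helper verifies that libnssckbi.so really is a symlink whose final target is p11-kit-trust.so (the state the screenshot is meant to confirm), and a second deselects a CA in a file with the layout of /etc/ca-certificates.conf, where a leading "!" marks a certificate as deselected, which is the same change dpkg-reconfigure ca-certificates makes when you untick a CA. The demo runs against a constructed temporary directory, so the paths, the stand-in module file and the certificate names are constructed and no root access is needed.

```shell
#!/bin/sh
# Added example, not code from the original answer. Two helpers for the
# system-wide approach: check that Firefox's libnssckbi.so resolves to the
# p11-kit trust module, and deselect a CA in a ca-certificates.conf-style
# file (lines beginning with "!" are deselected by update-ca-certificates).
# The demo at the bottom uses a constructed temporary layout.

# firefox_uses_p11kit [LIBDIR]
# Returns 0 if LIBDIR/libnssckbi.so is a symlink whose final target is a
# file named p11-kit-trust.so, 1 otherwise. LIBDIR defaults to the Firefox
# library directory used in the answer.
firefox_uses_p11kit() {
    lib="${1:-/usr/lib/firefox}/libnssckbi.so"
    [ -L "$lib" ] || return 1
    target=$(readlink -f "$lib") || return 1
    case "$target" in
        */p11-kit-trust.so) return 0 ;;
        *) return 1 ;;
    esac
}

# deselect_ca CONF_FILE CERT_PATH
# Rewrites CONF_FILE so that the line equal to CERT_PATH (e.g.
# "mozilla/Some_Root.crt") is prefixed with "!". An entry that is already
# deselected is left alone; returns 1 if the entry is not in the file at all.
deselect_ca() {
    conf=$1
    cert=$2
    grep -qxF -e "$cert" -e "!$cert" "$conf" || return 1
    tmp=$(mktemp) || return 1
    awk -v c="$cert" '$0 == c { print "!" c; next } { print }' "$conf" > "$tmp" \
        && cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Demo on a constructed layout: a fake p11-kit module, a Firefox library
# directory linked to it, and a two-line ca-certificates.conf.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/pkcs11" "$d/firefox"
    : > "$d/pkcs11/p11-kit-trust.so"   # stand-in for the real module
    ln -s "$d/pkcs11/p11-kit-trust.so" "$d/firefox/libnssckbi.so"
    printf '%s\n' 'mozilla/Example_Root.crt' 'mozilla/Suspect_Org_Root.crt' \
        > "$d/ca-certificates.conf"
    if firefox_uses_p11kit "$d/firefox"; then
        echo "libnssckbi.so is wired to p11-kit"
    fi
    deselect_ca "$d/ca-certificates.conf" 'mozilla/Suspect_Org_Root.crt'
    cat "$d/ca-certificates.conf"
    rm -rf "$d"
}

demo
```

On a real system, edit /etc/ca-certificates.conf (or use dpkg-reconfigure ca-certificates) and then run sudo update-ca-certificates; with the p11-kit link in place, that is exactly the change the last paragraph says reaches every Firefox instance. Running firefox_uses_p11kit with no argument after a Firefox update is a quick way to confirm the diversion held and the link was not overwritten.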