Remove all certificate authorities from a Firefox profile


Is there a way to remove all CA certificates in Firefox?

Firefox uses Mozilla's NSS libraries for security related features like TLS. NSS has its own built-in CA store, which is used by Firefox to obtain the default CA certificates.

From Mozilla's FAQ:

The pre-loaded CA certificates are included in the following files:

  • Windows: libnssckbi.dll
  • Unix, Linux, and other *nix variants: libnssckbi.so
  • Mac OS X: Contents/MacOS/libnssckbi.dylib

Therefore it is not possible to remove all CA certificates as they are part of Firefox itself.

Is it possible to strip all CA certificates of all trust?

From Mozilla's FAQ:

If you don't trust a particular CA whose root certificate is included by default in Mozilla products, then there are two ways to disable the certificate.

  1. Turn off the trust bits for that root certificate.
  2. Delete the root certificate.
    • Deleting a root certificate that is in the default root store is equivalent to turning off all of the trust bits for that root. Therefore, even though the root certificate will re-appear in the Certificate Manager, it will be treated as though you changed the trust bits of that root certificate to turn them all off.

Important: This change will have a permanent effect, such that the trust bits for the root certificate can only be changed again by you. This change will not be affected by upgrading to newer versions of Mozilla software. It is strongly recommended that you note which root certificate you modify, so that you can turn the trust bits back on if the change negatively impacts your browsing experience.

So to distrust all CA certificates:

  1. Go to about:preferences#privacy
  2. Click on View Certificates... at the bottom of the page
  3. Switch to the tab Authorities
  4. Select a certificate
  5. Click on Delete or Distrust...
  6. Confirm by clicking on OK
  7. Repeat steps 4-6 for every certificate
  8. Restart Firefox

After you restart Firefox you will see that all default certificates have reappeared.

Why do CA certificates keep reappearing after a restart of Firefox?

Default certificates cannot be removed and so Firefox only distrusts them which has the effect that they cannot be used to verify other certificates. You can select a CA certificate and click Edit Trust... to see that nothing is checked once you distrusted it.
A distrust has the same effect as deleting the certificate itself except that the certificate will still be shown in the Certificate Manager.

For more information: Changing Trust Settings
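The "Delete or Distrust..." loop above can be scripted against the profile's cert9.db with NSS's own certutil (Ubuntu package libnss3-tools), which does the same thing the Certificate Manager does: it writes a trust override record with no trust bits for each built-in root, so the root stays listed but is never used to verify a server certificate. This is an added example, not part of the answer or of Mozilla's FAQ. It assumes Firefox is closed while it runs (Firefox keeps cert9.db open and would overwrite the changes), that the profile path is passed as the first argument, and that certutil can see the built-in roots module from the profile's pkcs11.txt, in which case NSS lists them with the "Builtin Object Token:" nickname prefix; if `certutil -L` shows no such entries, register the module first with `modutil -dbdir "sql:$profile" -add "Builtin Roots Module" -libfile /path/to/libnssckbi.so`.

```shell
#!/usr/bin/env bash
# Strip every trust bit from the built-in (libnssckbi) roots of one Firefox profile.
# Added example, not from the original answer. Assumes: Firefox is closed, certutil
# (libnss3-tools) is installed, and the profile's pkcs11.txt registers the built-in
# roots module so `certutil -L` shows "Builtin Object Token:..." nicknames.
set -eu

# Read `certutil -L` output on stdin and print the nickname of every built-in root.
# Each listing line is "<nickname><spaces><SSL,S/MIME,JAR/XPI flags>"; nicknames can
# contain spaces, so strip the trailing trust column instead of splitting on blanks.
builtin_nicknames() {
  sed -E -n 's/^(Builtin Object Token:.*[^[:space:]])[[:space:]]+[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/\1/p'
}

# The certutil invocation that clears all trust bits for one nickname.
# -t ",," = no SSL trust, no S/MIME trust, no code-signing trust. NSS stores this as
# an override record in cert9.db; the root is still listed but carries no trust,
# which is exactly what the GUI "Delete or Distrust..." leaves behind.
distrust_cmd() {
  printf "certutil -d 'sql:%s' -M -n '%s' -t ',,'\n" "$1" "$2"
}

# Distrust every built-in root in the profile. DRY_RUN=1 only prints the commands.
distrust_all_builtin_roots() {
  local profile="$1" nick
  certutil -d "sql:$profile" -L | builtin_nicknames | while IFS= read -r nick; do
    if [ "${DRY_RUN:-0}" = 1 ]; then
      distrust_cmd "$profile" "$nick"
    else
      certutil -d "sql:$profile" -M -n "$nick" -t ",,"
    fi
  done
}

# Verification: count built-in roots whose trust column is anything other than ",,".
# 0 means no built-in root can validate a server certificate any more.
still_trusted() {
  certutil -d "sql:$1" -L | grep -E '^Builtin Object Token:' | grep -cvE '[[:space:]],,$' || true
}

# Usage: DRY_RUN=1 ./distrust-builtin-roots.sh ~/.mozilla/firefox/<profile-dir>
if [ $# -eq 1 ]; then
  if ! certutil -d "sql:$1" -L | grep -q '^Builtin Object Token:'; then
    echo "no built-in roots visible in this profile; register libnssckbi.so with modutil -add first" >&2
    exit 1
  fi
  distrust_all_builtin_roots "$1"
  echo "built-in roots still trusted: $(still_trusted "$1")"
fi
```

Run it once with DRY_RUN=1 to review the commands, then for real. Afterwards `certutil -d "sql:$profile" -L` still lists every root, now with an empty trust column, and Firefox shows the same thing in Certificate Manager: the roots "reappear" because they live in libnssckbi, not in the profile, but the override records in cert9.db keep them untrusted across restarts and upgrades.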

Author: user1625837
Updated on September 18, 2022

Comments

  • user1625837
    user1625837 over 1 year

    Objective is to trust only certain certificates stored on the hard disk for that certain profile. Thus no certificate authorities are needed.

    Tried without success:

    • Delete all CAs using Certificate Manager (part of Firefox Preferences)
    • Delete cert9.db in the profile
    • Clear cert9.db to 0 bytes and remove all permission flags so that Firefox may not change it

    All three measures led to the CAs reappearing (though not necessarily in cert9.db, at least if I removed write permissions to that file; but still in Certificate Manager of Firefox).

    I wonder where the CAs come from. Does Firefox read them from the Internet if it misses them? I did not expect them to reappear at all.

    How can I prevent that behavior?

    • user1625837
      user1625837 over 5 years
      Why is this question downvoted? If you think it is the wrong community for suchlike questions, please let me know.
    • harrymc
      harrymc over 5 years
      Starting with Firefox 58, several data files have been changed. cert8.db changed to cert9.db, key3.db changed to key4.db and others, with new formats. Firefox will fallback to the older versions if you remove the newer SQLite versions. Questions: (1) Is the Firefox installation new and clean? (2) Do you have these older files which might be where the CAs are coming from?
    • user1625837
      user1625837 over 5 years
      The installation of that special profile is new and contains exactly 2 db files: cert9.db and key4.db. Because it is a special use case, I created a new profile. The installation of Firefox is controlled by the apt package manager. Initially it was installed one or more years ago but solely changed by updates because those files are not user-writable and I never edited them with root permissions.
    • harrymc
      harrymc over 5 years
      Does it really happen if you distrust the CAs?
    • user1625837
      user1625837 over 5 years
      It happens if I click "Delete or Distrust...". The list becomes completely empty. But it is full again if I re-open Certificate Manager.
    • harrymc
      harrymc over 5 years
      Questions: (1)Does it happen if you use Firefox with add-ons disabled by using the command firefox -safe-mode? (2) What is your operating system?
    • user1625837
      user1625837 over 5 years
      Following your suggestion I started Firefox through firefox -safe-mode -P no-ca-profile. Beforehand I deleted cert9.db, but it immediately re-appeared after launching Firefox. Then I deleted the first two CAs in Certificate Manager (using "Delete or Distrust...") they disappeared from the list. After killing and restarting Firefox, both deleted CAs were on the list again. Operating system is Ubuntu.
    • harrymc
      harrymc over 5 years
      Just to verify : You did all these operations in safe-mode?
    • user1625837
      user1625837 over 5 years
      All operations in safe mode. However, there are no add-ons installed on my Firefox. Thus safe mode should not have any effect.
    • harrymc
      harrymc over 5 years
      In Certificate Manager, have you also deleted the certificates in the Servers section?
    • user1625837
      user1625837 over 5 years
      I had two certificates in the Servers section. Deleted them, afterwards deleted all CAs, but still they all re-appeared (except for the two certificates in the Servers section).
    • harrymc
      harrymc over 5 years
      I give up. Well, at least we managed to kill two of them. To debug, you will probably need to trace the Internet requests of Firefox.
    • harrymc
      harrymc over 5 years
      One last thought: Are these certificates coming from the operating system (and which is yours)?
    • Hastur
      Hastur over 5 years
      What about making those files 0 bytes and denying the permission to write (or read)? Then you eventually have to manage the error... :-) /dev/null/ thinking... (under Linux, link them to /dev/null...).
    • Hastur
      Hastur over 5 years
      Give it a look in about:config. Start filtering with cert. There are some options that can force what you are describing... maybe the default services.sync.prefs.sync.security.default_personal_cert;true should be better false... and others... have a nice hunt... (Just to honor my name I preferred the above solution...). Ps> let me know.