Deleting CAs From System-wide Trust-list
In our enterprise, one of the security lockdowns applied to Windows systems is the removal of all but a few, especially-trusted public CAs (along with adding internal CAs to the trust-list).
It's easy enough to add CAs to the host-wide trust-list, but I'm having a heck of a time finding adequate tutelage via Google. I'd tried using certutil to do it, but certutil keeps telling me that the bundle file generated by the update-ca-trust tool is in an unusable format.
Our systems auditors haven't come hunting, yet, for us to align the Red Hat systems' CA trusts with our Windows systems (probably because the verification tools in OpenSSL tend to suck - particularly when it comes to bundles). But, if they do come for my Red Hat systems, I want to have an easily scriptable fix ready to go.
Halp?
Responses
Hello
I am not very familiar with certutil, but from the man update-ca-trust page:
"/usr/share/pki/ca-trust-source/blacklist/ or
/etc/pki/ca-trust/source/blacklist/ you may install one or multiple certificates in either the DER
file format or in the PEM (BEGIN/END CERTIFICATE) file format."
Does that help?
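A scriptable way to apply the blacklist mechanism the answer quotes, as an added example (not part of the original thread): split the system anchor bundle into one file per CA, copy every CA whose label is not on an allowlist into /etc/pki/ca-trust/source/blacklist/, and regenerate the consolidated bundles with update-ca-trust. It assumes the bundle is in the format update-ca-trust extracts to /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem, where each certificate is preceded by a "# <label>" comment line; the allowlist file lists those labels exactly, one per line. The sample bundle produced by make_sample_bundle is constructed for the demonstration and contains placeholder bodies, not real certificates.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the p11-kit
# "pem-bundle --comment" layout: a "# <label>" line before each certificate.
set -eu

# Split a labelled PEM bundle into <outdir>/NNN-<label>.pem files and write
# <outdir>/index.tsv mapping each file name to its original label.
# Prints the number of certificates written.
split_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v outdir="$outdir" '
        BEGIN { idx = outdir "/index.tsv"; printf "" > idx }
        /^# /  { raw = substr($0, 3); next }          # remember the last label seen
        /^-----BEGIN CERTIFICATE-----$/ {
            if (raw == "") raw = "unlabelled"
            safe = raw; gsub(/[^A-Za-z0-9_.-]/, "_", safe)
            fname = sprintf("%03d-%s.pem", ++n, safe)
            out = outdir "/" fname
            printf "%s\t%s\n", fname, raw > idx
            inblock = 1
        }
        inblock { print > out }
        /^-----END CERTIFICATE-----$/ { close(out); inblock = 0; raw = "" }
        END { close(idx); print n + 0 }
    ' "$bundle"
}

# Copy every split certificate whose label is NOT an exact line in <allowlist>
# into <blackdir>. Prints the number of certificates blacklisted.
blacklist_except() {
    splitdir=$1; allowlist=$2; blackdir=$3
    mkdir -p "$blackdir"
    tab=$(printf '\t')
    count=0
    while IFS="$tab" read -r fname raw; do
        if grep -qxF -- "$raw" "$allowlist"; then
            continue                                   # especially-trusted CA: keep it
        fi
        cp "$splitdir/$fname" "$blackdir/"
        count=$((count + 1))
    done < "$splitdir/index.tsv"
    echo "$count"
}

# End-to-end: split the live bundle, populate the blacklist, rebuild the
# extracted bundles. Must run as root; the blacklist path is the one from
# the update-ca-trust man page.
lockdown() {
    bundle=$1; allowlist=$2
    work=$(mktemp -d)
    total=$(split_bundle "$bundle" "$work")
    removed=$(blacklist_except "$work" "$allowlist" /etc/pki/ca-trust/source/blacklist)
    echo "blacklisted $removed of $total anchors"
    update-ca-trust extract
    rm -rf "$work"
}

# Constructed sample bundle for demonstration: the base64 bodies are
# placeholders, not real certificates.
make_sample_bundle() {
    for label in "Example Corp Internal Root CA" "Public Root CA One" "Public Root CA Two"; do
        printf '# %s\n' "$label"
        printf -- '-----BEGIN CERTIFICATE-----\n'
        printf 'MIIBplaceholderBodyFor%s\n' "$(printf '%s' "$label" | tr -c 'A-Za-z0-9' '_')"
        printf -- '-----END CERTIFICATE-----\n'
    done
}

# Usage: ./ca-lockdown.sh --apply /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem allow.txt
if [ "${1:-}" = "--apply" ]; then
    lockdown "$2" "$3"
fi
```

Two checks worth running afterwards: `trust list --filter=blacklist` should show every CA you pushed into the blacklist directory, and `openssl verify -CAfile /etc/pki/tls/certs/ca-bundle.crt some-leaf.pem` should now fail for a chain that terminates in one of them. The blacklist matches on the certificate itself, so the file you drop in must be the exact anchor, not merely one with the same subject; that is why the script copies the certificate out of the system's own bundle rather than fetching it elsewhere. Files under /usr/share/pki/ca-trust-source belong to the ca-certificates package and come back on every update, so blacklisting is the mechanism that survives patching, which is the point of the man page excerpt above.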
