A question came up on ask.fedoraproject.org regarding the recent CNNIC debacle and Google’s decision to distrust their Root CA given their recent misbehavior. The user wanted to know how to blacklist the CNNIC Root CA himself, for all software running on his Fedora operating system. I have cross-posted my answer below:
Since Fedora 19, the operating system employs a feature called SharedSystemCertificates to provide a centralized certificate store for applications to reference when trusting or distrusting certificates. I’m not sure what percentage of Fedora applications actually pay attention to this feature, but it seems to be high. A test with Firefox proves that it pays attention, at least. Unfortunately, software can choose how to handle certificates, so without Fedora enforcing the feature as a requirement for the operating system (not going to happen), you’ll have to be diligent.
Nonetheless, the procedure for blacklisting CNNIC’s root CA is pretty simple:
- Just to observe the effect of this process, you may wish to first test that the offending certificate is trusted in your application (example: use Firefox to browse to https://www.cnnic.net.cn/ and use the icon next to the URL of the site to gain “More Information” and then, under the “Security” section, “View Certificate” to note that the certificate is reported as verified)
- Obtain the CNNIC root certificate (along with the intermediate SSL certificate issued by it and the cnnic.cn site certificate issued through that intermediate):
< /dev/null openssl s_client -showcerts -connect www1.cnnic.cn:https > ccnic
- Place the certificate chain to be blacklisted in the appropriate directory:
sudo mv ccnic /usr/share/pki/ca-trust-source/blacklist/
- Update the SharedSystemCertificates:
sudo update-ca-trust extract
- Restart your application (Firefox) and navigate to https://www.cnnic.net.cn/ to prove that it now distrusts the certificate. Checking the certificate information should result in a window which explicitly informs you: “Could not verify this certificate because it is not trusted.”
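Before moving the captured file into the blacklist directory, it is worth confirming what it actually contains: a server sends whatever chain it chooses, and many omit the root itself, in which case the blacklist would hold only the intermediate and site certificates while the root CA stayed trusted. The following POSIX shell script is an added example, not part of the original answer, that splits an s_client capture into one file per certificate, prints each certificate's subject, issuer and SHA-256 fingerprint, and counts the self-signed (root) certificates; it assumes only the openssl command-line tool, and the file paths in the usage line are placeholders.

```shell
# Added example (not from the original answer): inspect a chain captured with
# "openssl s_client -showcerts" before blacklisting it. Assumes only the
# openssl command-line tool; all file paths are placeholders.
set -eu

# Split a file holding several PEM certificates (plus any surrounding s_client
# output) into cert-NN.pem files under $2 and print how many were found.
split_pem_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n); keep = 1 }
        keep                          { print > f }
        /-----END CERTIFICATE-----/   { keep = 0; close(f) }
    ' "$bundle"
    n=0
    for f in "$outdir"/cert-*.pem; do if [ -e "$f" ]; then n=$((n + 1)); fi; done
    echo "$n"
}

# Print "root" if the certificate is self-signed (subject hash == issuer hash)
# or "non-root" otherwise, then its subject, issuer and SHA-256 fingerprint.
describe_cert() {
    cert=$1
    if [ "$(openssl x509 -in "$cert" -noout -subject_hash)" = \
         "$(openssl x509 -in "$cert" -noout -issuer_hash)" ]; then
        printf 'root\n'
    else
        printf 'non-root\n'
    fi
    openssl x509 -in "$cert" -noout -subject -issuer -fingerprint -sha256 | sed 's/^/  /'
}

# Count self-signed certificates in a split directory. 0 means the server sent
# only intermediate(s) and leaf: the root is NOT in the file, so blacklisting
# that file alone would leave the root CA trusted.
count_roots() {
    roots=0
    for c in "$1"/cert-*.pem; do
        case $(describe_cert "$c") in root*) roots=$((roots + 1)) ;; esac
    done
    echo "$roots"
}
# Usage: sh inspect-chain.sh <capture-file> <output-dir>   (placeholder names)
if [ $# -eq 2 ]; then
    split_pem_bundle "$1" "$2" >/dev/null
    for c in "$2"/cert-*.pem; do describe_cert "$c"; done
    echo "self-signed (root) certificates in capture: $(count_roots "$2")"
fi
```

If the root count is 0, fetch the root certificate separately (for instance from the CA's published root) and add it to the blacklist directory as well, otherwise only the intermediate and site certificates are distrusted.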
The SharedSystemCertificates feature is really easy to manage, and I hope its adoption is widespread (I did verify that Chrome appears to recognize this change, as well). The man page for update-ca-trust describes the simple directory structure: trust is decided by which directory a certificate file is placed in (the file can be in any of a few formats), and the change takes effect when the update-ca-trust extract command is executed.