Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Root Certificates

  • 6 replies
  • 1 has this problem
  • 15 views
  • Last reply by cor-el

more options

I want to delete all my web certs except for the top seven, which cover 99.32% of current web certs. I specifically do NOT want the EU Cyber Resilience Act to have the ability to insert their certs into my root store, enabling their member countries unfettered power to compel acceptance of their certs.

I tried following https://wiki.mozilla.org/CA/Changing_Trust_Settings, but this must be for an earlier version. I don't seem to have an Options/Preferences window. On the other hand I am pretty old & maybe just can't find it....

Any hints on how to do this?

I want to delete all my web certs except for the top seven, which cover 99.32% of current web certs. I specifically do NOT want the EU Cyber Resilience Act to have the ability to insert their certs into my root store, enabling their member countries unfettered power to compel acceptance of their certs. I tried following https://wiki.mozilla.org/CA/Changing_Trust_Settings, but this must be for an earlier version. I don't seem to have an Options/Preferences window. On the other hand I am pretty old & maybe just can't find it.... Any hints on how to do this?

All Replies (6)

more options

Options changed to Settings a few years ago. On the Settings page, in the tiny search box, slowly type cert and Firefox will filter to the relevant section.

more options

Well, I spoke too soon!

I deleted a bunch of certs, clicked ok, & then re-entered the cert viewing window, & they were all back! I seem to be unable to permanently delete anything...

Assuming we get this figured out, could we maybe get this window larger? It is pretty small.

I noted that I could only delete the sub-entries within a cert, & then the main entry disappeared, or I would have killed it too. Can't select more entries than within one cert :(

Could we make this process a continuous window, with select (unselect) boxes to enable / disable each entry?

more options

There is a grippy control in the lower right corner to make the dialog taller.

Yes, you need to delete/distrust certificates individually.

I don't have any Builtin certs that I want to distrust unless I know the steps to reverse that, so I haven't tested the steps in the wiki page myself.

more options

Under what heading do these certificates appear? Under Authorities or under one of the others? You can only distrust a built-in root certificate (Builtin Object Token) and disable all its trust bit, so it can no longer be used as a root certificate. If you close and restart Firefox that these changes should be saved in cert9.db Current releases may no longer store intermediate certificates (designated as Software Security Device) for built-in root certificates, but automatically retrieve them in most cases.

more options

I do App Menu / Settings / Find "Cert" / View Certificates / Certificate Manager / Authorities and I save after deleting entries. I have been revisiting without restarting Firefox, will try that now. Deleted the two AC Camerfirma S.A. entries & it disappeared. Restarted Firefox. They are back.

I would like to delete all Certs other than Internet Security Research Group, DigiCert, Sectigo, Google Trust Services, GoDaddy, Microsoft, & IdenTrust Commercial Root CA1. I am informed from Steve Gibson SecurityNow podcast SN-951 Notes pages 13 & 14 that the above certs account for 99.32% of all current certs.

This podcast also states on pages 11 - 13, that the EU intends: ● Mandatory Trust in EU-Approved CAs: Browsers will be required to trust certificate authorities approved by each European member state. This could lead to scenarios where the government forces the trust of CAs that put global users at risk. ● EU to Override Browser CA Trust Decisions: In cases where an EU investigation does not lead to the withdrawal of a certificate's qualified status, the EU can request browsers to end precautionary measures, forcing them to trust the associated CA.

I want to prevent the potential for the EU to do this.

more options

Do you have enabled on about:config => security.enterprise_roots.enabled => true as that will Firefox import certificates from the MS certificate store ?

Normally it takes years to get a root certificate added to Firefox as there are a lot of questions that need to be answered and verified.