If it is decided not to trust an existing root CA cert, but there is no way to delete it, isn't this a SECURITY issue?

Note that under Authorities you can only permanently delete cached intermediate certificates that show as "Software Security Device" and not Built-in root certificates that show as "Builtin Object Token" (you can distrust a root certificate, but that is not recommended).

You can rename the cert9.db file (cert9OLD.db) and remove the previously used cert8.db file in the Firefox profile folder with Firefox closed to remove intermediate certificates and exceptions that Firefox has cached. You can do the same with cert_override.txt.

• https://support.mozilla.org/en-US/kb/what-does-your-connection-is-not-secure-mean

If this has helped to solve the problem then you can remove the renamed cert9OLD.db file. Otherwise you can undo the rename and restore cert9.db.

You can use the button on the "Help -> More Troubleshooting Information" (about:support) page to go to the current Firefox profile folder or use the about:profiles page.

• Help -> More Troubleshooting Information -> Profile Folder/Directory:
  Windows: Open Folder; Linux: Open Directory; Mac: Show in Finder
• https://support.mozilla.org/en-US/kb/profiles-where-firefox-stores-user-data

I already tried out the suggested way of deleting the cert9.db file. I even found a backup copy and deleted that also. I restarted the system after the deletion. A new cert9.db was recreated. The deleted cert came back. I suspect there must be some other sources FF uses to create the cert9.db file. If that source remains unchanged, the new cert9.db would have the same content as before.

If you remove cert9.db then root certificates you distrusted (i.e. you removed all its trust bits) will reappear, but cached intermediate certificates and certificates you installed should be gone. Firefox will automatically cache intermediate certificates send by servers you (re)visit and those certificates show as "Software Security Device" under Authorities.

So back to my original question: How to remove the root CA certificate that I once installed?

A root certificate has trust bits set, so you can edit this root certificate and clear all its trust bits to prevent the certificate from working as a trusted root certificate or you can remove the certificate yourself in the certificate manager if you installed this certificate.

' you can remove the certificate yourself in the certificate manager if you installed this certificate.' The question is HOW? Where is the certificate manager in FF? I know how to do this in IE, but not in FF.

You posted the steps to go to the certificate manager in your question:

• Settings--> Privacy and Security --> Certificates --> View Certificates --> Authorities

Right, you missed the second part that's the heart of the issue(I marked with !!!!!!!!!!), ie the deleted cert COMES BACK.

My previous post was: Settings--> Privacy and Security -->View Certificates-->Your certificates--> pick target cert to delete-->click ok on confirmation window --> click ok on Certificate manager window.

!!!!!!!Restart FF, Settings--> Privacy and Security -->View Certificates-->Your certificates, the deleted cert is on the list again.

!!!!!!!The same happens on that under Authority

Yes same for me.. since their update.. I no longer can access work internal sights using company VPN. I have tried to remove the certs as I think they are causing conflict.. but they keep coming back.. fallowed the instructions here too and still comeback... Please FF fix the issue otherwise I have to migrate browser. :((

I have just realized that those certs that re-appear are under Security Device named OS Client Cert Token (Modern). What is OS Client Cert Token? How to remove OS Client Cert Token?

Maybe:

• about:config => security.osclientcerts.autoload =false

What the hey! This is highly frustrating for enterprise sys administrators.

Now I gotta figure out how to deploy the `cert_override.txt` file along with the company-specific Firefox-ESR package.

Even if I deployed it, the `cert_override.txt` gets blown away by the corporate end-user.

Worst yet, how do we even craft this `cert_override.txt`?

Is there a better way to permanently override the compiled-in version of the Firefox’s Root CAs?

Sheesh, now I am building a company-specific Firefox-ESR.

Hi egbertst1

Since you want to deploy Firefox, best is to ask this question at the Firefox for Enterprise forum. See "Still need help? -> Ask the community":

• https://support.mozilla.org/en-US/products/firefox-enterprise

Looks like if you are on a Debian Linux system, that you want to use the `trust` command (part of `p11-kit`.

A couple of things to try and remove persistent "trusted anchor" certs are:

   sudo update-ca-certificates --fresh

or

   trust list

Make a note of the the pks11:id=XXXXXXX, and execute:

   trust anchor --remove pkcs11:id=%DD%E1%6C%53%5A%B8%35%43%E6%D3%A9%71%19%01%D9%FB%FE%4C%16%C6

More and more distros are moving into this shared library for handling of "SHARED ANCHOR CERTIFICATES"