How to Remove a Root Certificate

Instructions for removing roots for Apple, Microsoft, and Mozilla.

Need to know how to remove a root certificate? You’re in the right place.

Digital Certificates, but for our explicit purposes, SSL Certificates, all have to be chained back to a trusted root certificate. This is called certificate chaining and it’s the way trust is established.

When you’re on the internet your browser has been taught to be skeptical—it doesn’t just grant trust freely to whatever website it stumbles across. When your browser arrives at a website that presents a digital certificate, it checks to make sure that the certificate chains back to a trusted root. This is why you may sometimes be asked to install intermediate certificates along with your SSL—you’re helping to complete the certificate chain.

To aid in this chaining process on the browser side, each of the major browsers has a trusted root store that contains a set of pre-downloaded X.509 certificates (that’s a fancy way of saying Digital Certificates). These roots are all highly-guarded, owned by Certificate Authorities that store their private keys offline on private hardware tokens in highly-secured data centers. There are four major root stores, Apple and Microsoft each have one as OSs. Mozilla maintains its own root store. And there’s also an Android root store as well. It’s also worth noting that Google Chrome, America’s most popular browser, uses the root store provided by whatever OS you’re using.

The browsers may not trust any random digital certificate, but they trust the roots in their trust store and as long as your certificate chains back to one of those, the browsers will afford it trust, too.

But what happens when something goes wrong with one of those roots? What happens when you need to distrust one? While the browsers will work to remove the root from the list in their next update, you may need to remove the root now. So how do you do it?

Here are step-by-step instructions on how to remove a root certificate from Windows, Apple, Mozilla and then one iPhone and Android phone, too.

How to Remove a Root Certificate from Windows 10/8

Removing a Root Certificate from the Windows trust store is fairly straightforward, but before we go any further I want to add a quick disclaimer. Be careful. Messing with your root certificates can cause serious issues.  We recommend that you back up your computer before proceeding with any of the following steps. We will not be held liable for any issues that arise from following these instructions.

Ok, now that we’re done with that, let’s get started.

1. Press the Windows or Start button, then type “MMC” into the run box. This will launch Microsoft Management Console.
2. Select File, then Add/Remove Snap-In
3. Select “Certificates” from the field on the left, then click Add.
4. On the next window, choose “Computer Account,” then select “Local Computer,” click OK.
5. In MMC, select the arrow beside “Certificates (Local Computer),” this will reveal the certificate stores.
6. Select the arrow beside the Root Certificate you would like to remove/disable, the click the “Certificates” folder.
7. Find the certificate you’re trying to delete in the list, right-click it and choose “Properties.”
8. Select “Disable all purposes for this certificate,” click Apply.
9. Now, just restart your machine.

How to Remove a Root Certificate from Windows

We got asked how to remove a root certificate on Windows 7 recently, so we’ve updated this article with instructions on removing roots on the Windows 7 OS.

1. Press the Windows or Start button, then type “MMC” into the run box. This will launch Microsoft Management Console
2. Select File, then Add/Remove Snap-In
3. Click the Certificates heading in the console tree that contains the root certificate to you want to delete.
4. Select the certificate that you want to delete.
5. In the Action menu, click Delete.
6. Click Yes.

How to Remove a Root Certificate on Apple

When deleting a root certificate on an Apple machine, much like with Windows, you will need to have administrator access in order to access your trust store. Once again, you can mess up your machine this way if you’re not careful—so be careful.

1. With the Finder selected, click Go and select Utilities (alternatively, press Shift + Command + U)
2. Double-click on KeyChain Access, select System Roots.
3. Find the root certificate you want to delete and double-click on it.
4. In the window that pops up, under “Trust,” select “When using this certificate” and choose “never trust.”

How to Remove a Root Certificate on Mozilla

Unlike Google Chrome, Mozilla’s Firefox browser uses its own proprietary trust store that is maintained by individuals at the Mozilla organization. In order to remove a root, you’ll have to access the trust store through your browser.

1. Click on the Firefox menu and then select Options.
2. Select Advanced and then click on the “Certificates” tag.
3. Click View Certificates.
4. Select the “Authorities” tab, find the Root Certificate you would like to delete, then click the “Delete or Distrust” button.
5. In the following box, make sure the correct Root Certificate is selected and then click OK.

How to Remove a Root Certificate from an iPhone or iPad

Mobile devices have overtaken desktop computers as the primary way that most people surf the internet. This means that your phone now has the task of chaining certificates and verifying trust. As such, you may be forced to occasionally manage Root Certificates on your mobile device. Here’s how to do it on an iPhone (iPads, too).

1. Open your Settings on the Home screen, select General.
2. Select Profile (if you don’t see any profiles, there’s nothing to delete).
3. Choose the Profile you want to delete.
4. Select Delete Profile.
5. Enter your pass code (if prompted).
6. Select Delete one more time to confirm.

Related: How to trust manually installed roots in macOS High Sierra

How to Remove a Root Certificate from an Android Device

Finally, Android. Android phones have their very own trust store, which needs to be managed just like any other. Here’s how to do it.

1. Open your Settings, select Security.
2. Choose Trusted Credentials.
3. Select the certificate you’d like to remove.
4. Press Disable.

We saved the easiest for last! Hopefully this helps you, as always if you have any questions leave them in the comments section and I’ll be happy to answer them for you!

*** This is a Security Bloggers Network syndicated blog from Hashed Out by The SSL Store™ authored by Patrick Nohe. Read the original post at: https://www.thesslstore.com/blog/how-to-remove-a-root-certificate/