When managing certificate authorities on Red Hat Enterprise Linux 8, you might encounter a frustrating scenario where attempting to remove a root CA certificate returns a read-only error:
sudo trust anchor --remove --verbose "pkcs11:id=%c6%41%4f%df%64%5d%6c%2c%7b%ca%bc%bd%3e%b2%d4%85%cd%59%a7%49;type=cert"
(p11-kit:2482) remove_all: removing certificate: 19
p11-kit: couldn't remove read-only certificate
RHEL 8's certificate storage has multiple layers:
- /etc/pki/ca-trust/source/anchors/ - Admin-managed certificates (writable)
- /usr/share/pki/ca-trust-source/ - Vendor-provided certificates (read-only)
The error occurs when trying to modify certificates in the read-only system directories where pre-installed CAs reside.
Method 1: Blacklisting the Certificate
Create a blacklist entry instead of deleting:
# trust anchor has no --blacklist option; a certificate is blacklisted by placing a copy
# of it in the blacklist source directory and regenerating the consolidated stores
sudo trust extract --filter="pkcs11:id=%c6%41%4f%df%64%5d%6c%2c%7b%ca%bc%bd%3e%b2%d4%85%cd%59%a7%49;type=cert" --format=pem-bundle /etc/pki/ca-trust/source/blacklist/bad-ca.pem
sudo update-ca-trust
Method 2: Manual Removal from Trust Source
For persistent removal:
# No remount is needed: on a default RHEL 8 install /usr/share/pki/ca-trust-source/ sits on the
# ordinary writable root filesystem. The "read-only" in the p11-kit error refers to the
# vendor certificate object (modifiable: false), not to the mount. Remounting / read-only
# on a running system is unsafe and has been dropped.
# Remove the certificate. Caution: the vendor CAs ship in a single bundle file
# (ca-bundle.trust.p11-kit), so deleting a file here drops every certificate in that bundle.
sudo rm /usr/share/pki/ca-trust-source/<certificate_file>.p11-kit
# Update trust store
sudo update-ca-trust
Method 3: Override with Empty Certificate
Create an empty file in anchors directory:
sudo touch /etc/pki/ca-trust/source/anchors/bad-cert.crt
sudo update-ca-trust extract
After removal, verify with:
trust list | grep -i "certificate name"
# Or for PKCS#11:
p11tool --list-all pkcs11:
Before proceeding:
- Backup your certificate store:
sudo cp -r /etc/pki/ ~/pki_backup
- Some applications may maintain their own trust stores
- System updates may reinstall vendor certificates
When managing certificates on Red Hat Enterprise Linux 8, administrators occasionally need to remove root CA certificates from the system-wide trust store. The standard method using trust anchor --remove may fail with a "read-only certificate" error, as shown in this example:
sudo trust anchor --remove --verbose "pkcs11:id=%c6%41%4f%df%64%5d%6c%2c%7b%ca%bc%bd%3e%b2%d4%85%cd%59%a7%49;type=cert"
(p11-kit:2482) remove_all: removing certificate: 19
p11-kit: couldn't remove read-only certificate
RHEL 8 uses p11-kit for certificate management, which maintains certificates in different locations:
- System-wide certificates: /etc/pki/ca-trust/source/anchors/
- User-specific certificates: ~/.pki/nssdb/
- Read-only system certificates: /usr/share/pki/ca-trust-source/
For certificates in the read-only system location, try these approaches:
Method 1: Blacklisting the Certificate
sudo mkdir -p /etc/pki/ca-trust/source/blacklist/
# The vendor directory ships the Mozilla CAs as one bundle file, not one .crt per CA, so
# export the certificate to blacklist by its PKCS#11 URI instead of copying a file
sudo trust extract --filter="pkcs11:id=%c6%41%4f%df%64%5d%6c%2c%7b%ca%bc%bd%3e%b2%d4%85%cd%59%a7%49;type=cert" --format=pem-bundle /etc/pki/ca-trust/source/blacklist/certificate.pem
sudo update-ca-trust
Method 2: Direct File System Removal (Advanced)
# The vendor CAs are stanzas in a single p11-kit persistence bundle, and that bundle
# stores labels and PEM data, not fingerprints, so grepping for the colon-separated
# fingerprint finds nothing. Identify the certificate by its label instead:
BUNDLE=/usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit
sudo grep -n 'label: "Your CA Name"' "$BUNDLE"
# Then drop the whole [p11-kit-object-v1] stanza carrying that label (stanzas are
# separated by blank lines), keeping a copy of the original bundle
sudo cp "$BUNDLE" "$BUNDLE.bak"
awk -v want='Your CA Name' 'BEGIN { RS = ""; ORS = "\n\n" } !(/^\[p11-kit-object-v1\]/ && index($0, "label: \"" want "\""))' "$BUNDLE.bak" | sudo tee "$BUNDLE" > /dev/null
sudo update-ca-trust extract
After performing removal operations, verify the certificate is no longer trusted:
trust list | grep -A5 "Your CA Name"
# Or using openssl
openssl x509 -noout -text -in /path/to/certificate.crt | grep -A1 "Subject:"
For applications that support their own certificate stores (like Chrome, Java, etc.), consider:
# For Java
keytool -delete -alias your_ca_alias -keystore $JAVA_HOME/lib/security/cacerts
# For Firefox: expand the profile directory before adding the sql: prefix, otherwise the * is never globbed
for profile in "$HOME"/.mozilla/firefox/*.default*; do
    certutil -D -n "Your CA Name" -d "sql:$profile"
done
To avoid similar issues in the future:
- Always install custom CAs in /etc/pki/ca-trust/source/anchors/ rather than system locations
- Consider using certificate blacklisting instead of removal when possible
- Document all CA changes for easier troubleshooting
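The blacklist approach that both answers above describe (Method 1 in each), worked through end to end as an added example; this is not code from either answer. The sample trust list text, the labels, the second PKCS#11 id and the blacklist file name are constructed values. find_trust_uri only parses text and runs anywhere; blacklist_ca calls the real trust extract --filter=<URI>, update-ca-trust and trust list commands and therefore only does anything on a RHEL 8 host with root.

```shell
#!/bin/bash
# Added example: locate a vendor CA in `trust list` output by its label, then
# distrust it through /etc/pki/ca-trust/source/blacklist/ and verify the result.
# Labels, the second id and the blacklist file name are constructed sample values.
set -eu

# Constructed sample in the layout `trust list` prints: an unindented pkcs11: URI
# followed by indented attribute lines.
SAMPLE_TRUST_LIST='pkcs11:id=%c6%41%4f%df%64%5d%6c%2c%7b%ca%bc%bd%3e%b2%d4%85%cd%59%a7%49;type=cert
    type: certificate
    label: Example Vendor Root CA
    trust: anchor
    category: authority
pkcs11:id=%aa%bb%cc%dd%ee%ff%00%11%22%33%44%55%66%77%88%99%aa%bb%cc%dd;type=cert
    type: certificate
    label: Example Corp Internal CA
    trust: anchor
    category: authority'

# Print the pkcs11 URI(s) whose label exactly matches $1; trust-list text on stdin.
# Exit status 1 when nothing matches, so callers can tell "absent" from "found".
find_trust_uri() {
    awk -v want="$1" '
        /^pkcs11:/ { uri = $0; next }
        /^[[:space:]]+label:/ {
            sub(/^[[:space:]]+label:[[:space:]]*/, "")
            if ($0 == want) { print uri; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# Distrust the certificate behind a pkcs11 URI without touching the vendor bundle:
# export that one certificate into the blacklist source directory, rebuild the
# consolidated stores, then confirm it has left the ca-anchors view.
# Uses the real trust/update-ca-trust tools, so it only does anything on the host.
blacklist_ca() {
    uri=$1
    name=$2   # file name to use under the blacklist directory
    dst="/etc/pki/ca-trust/source/blacklist/$name.pem"
    sudo trust extract --filter="$uri" --format=pem-bundle --overwrite "$dst"
    sudo update-ca-trust
    if trust list --filter=ca-anchors | grep -qxF "$uri"; then
        echo "still trusted as an anchor: $uri" >&2
        return 1
    fi
    echo "blacklisted: $uri (stored as $dst)"
    trust list --filter=blacklist | grep -F -A 4 "$uri" || true
}

# Offline demonstration on the sample; on a RHEL 8 host pipe
# `trust list --filter=ca-anchors` into find_trust_uri instead.
uri=$(printf '%s\n' "$SAMPLE_TRUST_LIST" | find_trust_uri 'Example Vendor Root CA')
echo "would blacklist: $uri"
# Real run (needs root and a RHEL 8 trust store):
#   blacklist_ca "$uri" example-vendor-root-ca
```

The check at the end of blacklist_ca is the one that matters: a blacklisted certificate disappears from trust list --filter=ca-anchors even though its object still exists in the read-only vendor token, which is exactly the outcome trust anchor --remove could not deliver.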