How to Remove China CNNIC Root CA from Debian

By | 2015/04/10

Google removed the CNNIC Root CA from all Google products. For security, this CA should also be removed from your Debian stash of trusted Root CAs.

1. Configure the package ca-certificates with:

$ sudo dpkg-reconfigure ca-certificates


2. At the first prompt Trust new certificates from certificate authorities, select YES and hit enter.


3. At the next prompt, locate the following entry and press the space bar to uncheck:

[ ] mozilla/CNNIC_ROOT.crt    

4. When finished, press TAB and then press Enter to save and close.

The output in the terminal will look similar to:

smiller@bruckner:~$ sudo dpkg-reconfigure ca-certificates
Processing triggers for ca-certificates (20141019) ...
Updating certificates in /etc/ssl/certs... 0 added, 1 removed; done.
Running hooks in /etc/ca-certificates/update.d....
Removing debian:CNNIC_ROOT.pem