How to Remove China CNNIC Root CA from Debian

By | 2015/04/10

Google removed the CNNIC Root CA from all Google products. For security, this CA should also be removed from your Debian stash of trusted Root CAs.

1. Configure the package ca-certificates with:

$ sudo dpkg-reconfigure ca-certificates


2. At the first prompt Trust new certificates from certificate authorities, select YES and hit enter.


3. At the next prompt, locate the following entry and press the space bar to uncheck:

[ ] mozilla/CNNIC_ROOT.crt    

4. When finished, press TAB and then press Enter to save and close.

The output in the terminal will look similar to:

smiller@bruckner:~$ sudo dpkg-reconfigure ca-certificates
Processing triggers for ca-certificates (20141019) ...
Updating certificates in /etc/ssl/certs... 0 added, 1 removed; done.
Running hooks in /etc/ca-certificates/update.d....
Removing debian:CNNIC_ROOT.pem

One thought on “How to Remove China CNNIC Root CA from Debian

  1. Stan Williams

    Thank you sir!
    I had somehow missed this.
    I just removed it on this PC and I will on the others later.


Leave a Reply

Your email address will not be published. Required fields are marked *

Notify me of followup comments via e-mail. You can also subscribe without commenting.