These instructions will walk you through marking a particular SSL certificate authority's CA certificate, and by extension all SSL certificates issued (signed) by this CA, as untrusted in the respective web browser or operating system.


Firefox

  1. Open Firefox preferences:

    Windows

    From the Tools menu select Options

    OS X

    On the menu bar, from the Firefox menu select Preferences

    Linux

    From the Edit menu select Preferences

  2. Click on the Advanced panel
  3. Select the Encryption tab
  4. Click View Certificates
  5. In the Certificate Manager window, select the Authorities tab
  6. Scroll down to the desired certificate authority and select the appropriate CA certificate
  7. Click Delete or Distrust…
  8. Click OK to confirm

Internet Explorer / Windows

  1. Open the Microsoft Management Console:


    XP

    Click Start > Run, and type mmc

    Vista / 7

    Click Start, and type mmc in the search box

  2. On the File menu, select Add / Remove Snap-in…
  3. From the list of available snap-ins, double-click Certificates (if prompted, choose to manage certificates for Computer account, then choose Local computer)
  4. From the Action menu, choose Find certificates…
  5. Type the certificate authority into the Contains field and click Find Now
  6. Right-click on the desired CA certificate in the results list and select Properties
  7. Under Certificate purposes, select Disable all purposes for this certificate
  8. Click OK

Safari / OS X

  1. Launch the Keychain Access app from Applications > Utilities
  2. On the left, under Keychains select System Roots, and under Category select Certificates
  3. Find the desired CA certificate in the list and double-click it
  4. Click the triangle to expand the Trust section
  5. Change When using this certificate to Never Trust
  6. Close the certificate window


Chrome

  1. From the Customize and control Chrome menu (wrench icon to the right of the address bar), select Preferences
  2. Select Under the Hood from the left pane
  3. Under HTTPS/SSL, click the Manage Certificates… button
  4. Select the Authorities tab
  5. Scroll down to the desired certificate authority and select the appropriate CA certificate
  6. Click Edit…
  7. Under Edit trust settings, uncheck all items
  8. Click OK


Debian / Ubuntu Linux

  1. Edit /etc/ca-certificates.conf and prepend an exclamation mark to the appropriate CA certificate. For example, to remove DigiNotar_Root_CA edit the line to look as follows:
  2. As root, run the following command:
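
An added example, not from the original page or the ca-certificates package, of the edit described in step 1. It assumes the Debian-style format in which each entry is a path such as mozilla/DigiNotar_Root_CA.crt, and that update-ca-certificates is the tool that then regenerates the trust store; distrust_ca, write_sample_conf and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example. distrust_ca and write_sample_conf are hypothetical helper
# names, not part of the ca-certificates package.

# distrust_ca CONF NAME
# Prepends "!" to each active entry in CONF whose file name is NAME.crt.
# Comments (#) and already-deselected entries (!) are left alone.
# Prints the number of entries changed; returns non-zero if none matched.
distrust_ca() {
    conf=$1
    tmp=$(mktemp) || return 2
    # Compare the basename exactly, so NAME does not also match NAME_Sample2.
    changed=$(awk -v want="$2.crt" -v out="$tmp" '
        BEGIN { c = 0 }
        /^[#!]/ { print > out; next }
        {
            k = split($0, part, "/")
            if (k > 0 && part[k] == want) { print ("!" $0) > out; c++ }
            else { print > out }
        }
        END { print c }' "$conf") || { rm -f "$tmp"; return 2; }
    # Overwrite in place (not mv) so the file keeps its owner and mode.
    [ "$changed" -gt 0 ] && cat "$tmp" > "$conf"
    rm -f "$tmp"
    echo "$changed"
    [ "$changed" -gt 0 ]
}

# write_sample_conf PATH
# Writes a constructed sample in ca-certificates.conf format for offline runs.
write_sample_conf() {
    cat > "$1" <<'EOF'
# Constructed sample entries for this example
mozilla/DigiNotar_Root_CA.crt
mozilla/DigiNotar_Root_CA_Sample2.crt
!mozilla/Example_Old_CA.crt
mozilla/Example_Other_CA.crt
EOF
}

# On a real system, as root (assumed follow-up command):
#   distrust_ca /etc/ca-certificates.conf DigiNotar_Root_CA && update-ca-certificates
```

Running the helper a second time changes nothing and returns non-zero, which makes it safe to call from configuration management.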