This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Deleted certificate comes back undeleted

  • 15 majibu
  • 3 wana tatizo hili
  • 47 views
  • Last reply by egbertst1

more options

Version: 91.0.1 Settings--> Privacy and Security -->View Certificates-->Your certificates--> pick target cert to delete-->click ok on confirmation window --> click ok on Certificate manager window.

Restart FF, Settings--> Privacy and Security -->View Certificates-->Your certificates, the deleted cert is on the list again.

The same happens on that under Authorities.

Version: 91.0.1 Settings--> Privacy and Security -->View Certificates-->Your certificates--> pick target cert to delete-->click ok on confirmation window --> click ok on Certificate manager window. Restart FF, Settings--> Privacy and Security -->View Certificates-->Your certificates, the deleted cert is on the list again. The same happens on that under Authorities.

All Replies (15)

more options

If it is decided not to trust an existing root CA cert, but there is no way to delete it, isn't this a SECURITY issue?

more options

Note that under Authorities you can only permanently delete cached intermediate certificates that show as "Software Security Device" and not Built-in root certificates that show as "Builtin Object Token" (you can distrust a root certificate, but that is not recommended).

You can rename the cert9.db file (cert9OLD.db) and remove the previously used cert8.db file in the Firefox profile folder with Firefox closed to remove intermediate certificates and exceptions that Firefox has cached. You can do the same with cert_override.txt.

If this has helped to solve the problem then you can remove the renamed cert9OLD.db file. Otherwise you can undo the rename and restore cert9.db.

You can use the button on the "Help -> More Troubleshooting Information" (about:support) page to go to the current Firefox profile folder or use the about:profiles page.

more options

I already tried out the suggested way of deleting the cert9.db file. I even found a backup copy and deleted that also. I restarted the system after the deletion. A new cert9.db was recreated. The deleted cert came back. I suspect there must be some other sources FF uses to create the cert9.db file. If that source remains unchanged, the new cert9.db would have the same content as before.

more options

If you remove cert9.db then root certificates you distrusted (i.e. you removed all its trust bits) will reappear, but cached intermediate certificates and certificates you installed should be gone. Firefox will automatically cache intermediate certificates send by servers you (re)visit and those certificates show as "Software Security Device" under Authorities.

more options

So back to my original question: How to remove the root CA certificate that I once installed?

more options

A root certificate has trust bits set, so you can edit this root certificate and clear all its trust bits to prevent the certificate from working as a trusted root certificate or you can remove the certificate yourself in the certificate manager if you installed this certificate.

more options

' you can remove the certificate yourself in the certificate manager if you installed this certificate.' The question is HOW? Where is the certificate manager in FF? I know how to do this in IE, but not in FF.

more options

You posted the steps to go to the certificate manager in your question:

  • Settings--> Privacy and Security --> Certificates --> View Certificates --> Authorities
more options

Right, you missed the second part that's the heart of the issue(I marked with !!!!!!!!!!), ie the deleted cert COMES BACK.

My previous post was: Settings--> Privacy and Security -->View Certificates-->Your certificates--> pick target cert to delete-->click ok on confirmation window --> click ok on Certificate manager window.

!!!!!!!Restart FF, Settings--> Privacy and Security -->View Certificates-->Your certificates, the deleted cert is on the list again.

!!!!!!!The same happens on that under Authority

more options

Yes same for me.. since their update.. I no longer can access work internal sights using company VPN. I have tried to remove the certs as I think they are causing conflict.. but they keep coming back.. fallowed the instructions here too and still comeback... Please FF fix the issue otherwise I have to migrate browser. :((

more options

I have just realized that those certs that re-appear are under Security Device named OS Client Cert Token (Modern). What is OS Client Cert Token? How to remove OS Client Cert Token?

more options

Maybe:

  • about:config => security.osclientcerts.autoload =false
more options

What the hey! This is highly frustrating for enterprise sys administrators.

Now I gotta figure out how to deploy the `cert_override.txt` file along with the company-specific Firefox-ESR package.

Even if I deployed it, the `cert_override.txt` gets blown away by the corporate end-user.

Worst yet, how do we even craft this `cert_override.txt`?

Is there a better way to permanently override the compiled-in version of the Firefox’s Root CAs?

Sheesh, now I am building a company-specific Firefox-ESR.

Modified by egbertst1

more options

Hi egbertst1

Since you want to deploy Firefox, best is to ask this question at the Firefox for Enterprise forum. See "Still need help? -> Ask the community":

more options

Looks like if you are on a Debian Linux system, that you want to use the `trust` command (part of `p11-kit`.

A couple of things to try and remove persistent "trusted anchor" certs are:

   sudo update-ca-certificates --fresh

or

   trust list

Make a note of the the pks11:id=XXXXXXX, and execute:

   trust anchor --remove pkcs11:id=%DD%E1%6C%53%5A%B8%35%43%E6%D3%A9%71%19%01%D9%FB%FE%4C%16%C6

More and more distros are moving into this shared library for handling of "SHARED ANCHOR CERTIFICATES"

Modified by egbertst1