
Removing compromised system root certificates
This hint shows how to remove the DigiNotar system root certificate. You must be an administrator to take this action.

Open Keychain Access, and select System Roots under Keychains. Type 'diginotar' in the search field on the upper right. When I did this only a single certificate was left in the list of certificates. Select that certificate and press the delete key. Confirm that you want to delete it, and expect to enter your password.

Note: I right clicked on this certificate and selected 'delete' a couple of times but that did nothing.

[crarko adds: This hint was actually submitted prior to the release of Apple Security Update 2011-005 for Lion and Snow Leopard. That update handles this issue for those versions of the OS, but there is no update for Leopard or earlier systems, so these still require manual fixing. For stronger measures than what is included in this hint, I refer you to this excellent article on the subject.]

Removing compromised system root certificates
Authored by: negritude on Sep 14, '11 08:04:19PM

My hint is better, since it removes ALL the compromised certificates, and works when using Keychain Access does not:

If you're still using Leopard or earlier and wish to remove the compromised certificates, you can do so manually by issuing the commands below in terminal (you need an admin account). This works even when attempting to untrust or delete the certificates via Keychain Access does not:

sudo security delete-certificate -Z C060ED44CBD881BD0EF86C0BA287DDCF8167478C /System/Library/Keychains/SystemRootCertificates.keychain

sudo security delete-certificate -Z 59AF82799186C7B47507CBCF035746EB04DDB716 /System/Library/Keychains/SystemRootCertificates.keychain

sudo security delete-certificate -Z 101DFA3FD50BCBBB9BB5600C1955A41AF4733A04 /System/Library/Keychains/SystemRootCertificates.keychain

Also, if you want to be completely safe, you should remove DigiNotar's Extended Validation Certificate listing from EVRoots.plist. To edit that file you need to be root, and the simplest way I found was to enter the following command in a terminal:

sudo "/Developer/Applications/Utilities/Property List Editor.app/Contents/MacOS/Property List Editor" /System/Library/Keychains/EVRoots.plist

This gives the Property List Editor the necessary privileges to be able to save the file once you're done editing. Your copy of the PLE may be located in a different directory, and if so, you'll need to change the path appropriately.

Now look for the line that has this number:


Select it. Then click Delete in the menu. Then exit the Property List Editor. You'll be asked to save the file before it closes.

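The `-Z` argument above is the certificate's SHA-1 fingerprint, and passing the wrong one silently removes the wrong root. As an added example (not part of the comment or the hint), the script below computes that fingerprint from a PEM certificate in the exact form `security` expects and checks it against the three fingerprints listed in the comment, so the deletion command can be reviewed before it is run. It assumes only `openssl`; the sample certificate it generates is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: verify a certificate's SHA-1 fingerprint before handing it
# to `security delete-certificate -Z`. Needs only openssl, so it can be tried
# on any machine without touching the system keychain.
set -eu

# The three DigiNotar root fingerprints quoted in the comment above.
COMPROMISED_SHA1="C060ED44CBD881BD0EF86C0BA287DDCF8167478C
59AF82799186C7B47507CBCF035746EB04DDB716
101DFA3FD50BCBBB9BB5600C1955A41AF4733A04"

# Print the SHA-1 fingerprint of a PEM certificate in the form -Z wants:
# 40 uppercase hex digits, no colons ("SHA1 Fingerprint=AB:CD:..." -> "ABCD...").
cert_sha1() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 \
        | sed -e 's/^.*=//' -e 's/://g' | tr 'a-f' 'A-F'
}

# Exit 0 if the fingerprint is one of the compromised roots, 1 otherwise.
# Comparison is case-insensitive and must match the whole line.
is_compromised() {
    echo "$COMPROMISED_SHA1" | grep -qix "$1"
}

# Print the removal command for review; nothing here runs it.
removal_command() {
    printf 'sudo security delete-certificate -Z %s %s\n' "$1" \
        /System/Library/Keychains/SystemRootCertificates.keychain
}

# Constructed sample input: a throwaway self-signed certificate (hypothetical,
# not a DigiNotar root) so the functions can be exercised offline.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -subj "/CN=sample-not-diginotar" -days 1 >/dev/null 2>&1
}
```

On a Mac, a real root can be exported in PEM form for the same check with `security find-certificate -a -c DigiNotar -p /System/Library/Keychains/SystemRootCertificates.keychain > cert.pem`, then `cert_sha1 cert.pem`.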
Removing compromised system root certificates
Authored by: CyberSkull on Sep 16, '11 05:05:49PM

Changes to search results in Keychain Access will not show up unless you modify the search by at least 1 character (add or delete).
