CA certificates underpin HTTPS encrypted communication, software signature verification and identity authentication. A CA certificate must be removed promptly when it expires, is revoked or poses a security risk; if it is left in place, it can enable man-in-the-middle attacks, leak private data or cause system compatibility problems. The following describes the process for deleting a CA certificate.
I. The Core Role of CA Certificates and the Necessity of Deletion
CA certificates fall into two categories, root certificates and intermediate certificates, both issued by trusted certificate authorities. The root certificate is the starting point of the trust chain and is used to verify the legitimacy of intermediate certificates; intermediate certificates in turn issue SSL certificates to end users or devices. For example, when visiting an HTTPS website, the browser verifies the trust chain "website certificate → intermediate certificate → root certificate" step by step to ensure the communication is secure. A CA certificate needs to be deleted when it expires or is revoked, when a test certificate is left behind, when a malicious certificate has been planted, or when the system needs to be cleaned up.
II. Key Preparations before Deletion: Identification and Backup
Before deleting a CA certificate, identify the target certificate precisely so that an accidental deletion does not interrupt services: check its fingerprint and issuer. On Windows, open the certificate manager with certlm.msc (local computer certificates) or certmgr.msc (current user certificates), go to the "Trusted Root Certificate Authority" or "Intermediate Certificate Authority" folder and double-click the certificate to read its fingerprint (SHA1 or SHA256) and issuer under "Details". On macOS, use the "Keychain Access" tool, select the "System" or "Login" keychain, filter by the "Certificate" category and view the certificate's properties. On Linux, parse the certificate from the command line:
openssl x509 -in /path/to/cert.crt -text -noout
Even once deletion is confirmed, back the certificate up first (usually in .crt, .pem or .cer format) so it can be restored in an emergency. On Windows, right-click the certificate and export it; on macOS, drag the certificate to the desktop to copy it.
Use certutil -verify (Windows) or openssl verify (Linux/macOS) to check whether any applications still rely on this certificate, that is, whether their certificates still chain to it. For example:
openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt your_domain.crt
III. Detailed Steps for Deleting CA Certificates on Multiple Platforms
On Windows, deletion is done through the certificate manager. Press Win + R and enter certmgr.msc (current user certificates) or certlm.msc (local computer certificates; administrator privileges are required). Navigate to "Trusted Root Certificate Authority → Certificate" or "Intermediate Certificate Authority → Certificate", right-click the target certificate, select "Delete", and restart the system for the change to take effect. Some services (such as IIS) must be restarted to reload their certificates. CA certificates can also be deleted with PowerShell:
```powershell
# List all root certificates in the local machine store, with their thumbprints
Get-ChildItem -Path Cert:\LocalMachine\Root | Format-List Subject, Thumbprint

# Delete the certificate identified by its thumbprint (fingerprint), including its private key if any
Remove-Item -Path Cert:\LocalMachine\Root\<Certificate Fingerprint> -DeleteKey
```
On macOS, open "Keychain Access" (search for it with Spotlight), select the "System" or "Login" keychain on the left, filter by the "Certificate" category, right-click the target certificate, select "Delete" and enter the administrator password to confirm. Deleting a system-level certificate requires unlocking the "System" keychain (locked by default), which can be done temporarily from the terminal:
sudo security unlock-keychain /Library/Keychains/System.keychain
On Linux (Ubuntu, for example), locate the certificate store directory, usually /usr/local/share/ca-certificates/ (user-added certificates) or /etc/ssl/certs/ (the default store), and delete the certificate file:
sudo rm /usr/local/share/ca-certificates/malicious.crt
Then rebuild the certificate chain:
sudo update-ca-certificates --fresh
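As an added example (not from the original article), the identification, backup and Linux removal steps above combined in one Python script: it finds the file in a PEM certificate store whose certificate carries a given SHA-1 or SHA-256 fingerprint, copies it to a backup directory and only then deletes it. The store directory, backup directory and certificate bytes used by demo() are constructed placeholders; against a real Ubuntu store the directory would be /usr/local/share/ca-certificates/ and sudo update-ca-certificates --fresh still has to be run afterwards.

```python
import base64, hashlib, re, shutil, tempfile
from pathlib import Path
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
# Constructed placeholder bytes standing in for a DER certificate; NOT a real certificate.
FAKE_DER = b"constructed-placeholder-not-a-real-certificate-" * 3

def der_to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def pem_to_der(pem: str) -> bytes:
    return base64.b64decode("".join(PEM_RE.search(pem).group(1).split()))

def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Hash of the DER encoding, formatted as certlm.msc, Keychain Access and openssl show it."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def find_cert_files(store_dir, target_fp: str, algo: str = "sha256") -> list:
    """Return the .crt/.pem/.cer files under store_dir holding a cert with target_fp."""
    wanted = target_fp.replace(":", "").replace(" ", "").upper()
    hits = []
    for path in sorted(Path(store_dir).iterdir()):
        if not path.is_file() or path.suffix.lower() not in {".crt", ".pem", ".cer"}:
            continue
        if any(fingerprint(pem_to_der(m.group(0)), algo).replace(":", "") == wanted
               for m in PEM_RE.finditer(path.read_text(errors="ignore"))):
            hits.append(path)
    return hits

def remove_with_backup(cert_path: Path, backup_dir) -> Path:
    """Copy the cert into backup_dir first, then delete it from the store. On Debian/Ubuntu
    follow up with `sudo update-ca-certificates --fresh` so the trust store is rebuilt."""
    Path(backup_dir).mkdir(parents=True, exist_ok=True)
    dest = Path(shutil.copy2(cert_path, Path(backup_dir) / cert_path.name))
    cert_path.unlink()
    return dest

def demo() -> dict:
    """End-to-end run in a constructed temporary store; the real system store is untouched."""
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp)  # the temporary directory plays the role of the certificate store
        (store / "suspect.crt").write_text(der_to_pem(FAKE_DER))
        (store / "other.crt").write_text(der_to_pem(b"another constructed blob"))
        hits = find_cert_files(store, fingerprint(FAKE_DER))
        backup = remove_with_backup(hits[0], store / "backup")
        return {"hits": len(hits), "removed": not (store / "suspect.crt").exists(),
                "other_kept": (store / "other.crt").exists(),
                "backup_ok": pem_to_der(backup.read_text()) == FAKE_DER}
```

Windows displays the SHA-1 value as the certificate Thumbprint; pass algo="sha1" to match against that column.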
Deleting CA certificates in browsers. Chrome uses the system certificate store, so follow the system-level steps above. Firefox manages certificates independently: go to "Settings → Privacy & Security → Certificates → View Certificates" and, in the "Certificate Authority" tab, remove the trust from or delete the target certificate. Edge and IE rely on the Windows Certificate Manager, so the system steps apply.
Deleting CA certificates is part of security protection. With the preparations above, anyone can systematically clear redundant or risky certificates without causing business interruption through misoperation. As digital transformation accelerates, proactively managing the certificate life cycle (installation, renewal, revocation and deletion) is an essential capability for enterprises and individual users who want to keep their data secure.