[arch-dev-public] How to disable the DigiNotar root cert on Arch

Pierre Schmitz pierre at archlinux.de
Tue Aug 30 16:24:33 EDT 2011

Hi all,

there was another incident with a CA. See
for more details. If you like to distrust this issuer you'll find a
howto for Firefox at

For other apps that use our ca-certificates package (by Debian), you can
easily disable the root cert by issuing the following commands as root:

sed -E 's#^(mozilla/DigiNotar_Root_CA.crt)$#!\1#g' -i

This information is just for those who are curious. There is most
likely no need to panic for those people; especially if you don't live
in Iran. And if you do, it's probably too late as the issuer was
compromised two months ago. And I thought the Comodo incident was already
pure nightmare...

The whole CA structure we base our SSL security on is a mess imho.
Blindly shipping a bunch of certificates to our users does not seem to
be the best idea any more. Unfortunately there is no real alternative



Pierre Schmitz, https://users.archlinux.de/~pierre
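
The edit the sed command in the message performs, as an added example that is not part of the original mail: a leading `!` deselects an entry in a ca-certificates.conf-style file. The function name `disable_ca`, the helper `make_sample` and the sample entries are hypothetical, and the config path is a parameter because the mail's command is cut off before the file name.

```shell
#!/bin/sh
# Added example: deselect one CA entry in a ca-certificates.conf-style file.
# A leading "!" marks an entry as deselected; "#" lines are comments.

# disable_ca CONF ENTRY   (hypothetical helper)
# Returns 0 if ENTRY is deselected afterwards, 1 if it is not listed at all.
disable_ca() {
    conf=$1
    entry=$2
    # Already deselected: nothing to do, so repeated runs are harmless.
    if grep -Fxq -- "!$entry" "$conf"; then
        return 0
    fi
    # Not listed as an active entry: report it instead of silently succeeding.
    if ! grep -Fxq -- "$entry" "$conf"; then
        return 1
    fi
    tmp=$(mktemp) || return 2
    # Compare the whole line literally so similarly named entries stay active.
    awk -v e="$entry" '$0 == e { print "!" $0; next } { print }' "$conf" > "$tmp" &&
        cat "$tmp" > "$conf"   # write back in place, keeping owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample file for trying the function (not a real system config).
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample
mozilla/Example_Root_CA.crt
mozilla/DigiNotar_Root_CA.crt
mozilla/DigiNotar_Root_CA_G2_Example.crt
EOF
}
```

Debian's ca-certificates package regenerates the trusted bundle from this file with `update-ca-certificates`, so the deselection only takes effect once that has run.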

