How to delete DigiNotar CA certificate from Firefox

DigiNotar B.V., a unit of VASCO Data Security International, Inc., is an Internet Trust Service Provider based in the Netherlands. Part of their business involves issuing digital certificates. In other words, they are a CA, or Certificate Authority.

You use digital certificates when you access a secure website, for example. If the certificate presented to your browser by the website is valid, no problem. But if for any reason your browser does not trust the website’s certificate, it will throw up a page complaining that the website’s certificate is not valid, or has expired. You will usually be given the choice to add a security exception or exit from the session.

Unless you can verify by some other means, issuing security exceptions for invalid or expired certificates is a very bad idea. As paranoid as I can be about security matters, I have been guilty of that several times. I will have to raise my level of cautiousness to another level.

In any case, DigiNotar’s security system was compromised and they failed to notify everybody they were supposed to. A result of that breach is that fake certificates were issued – in DigiNotar’s name – for Mozilla, WordPress, Yahoo!, the TOR Project, and some other websites.

Most of the original press coverage is not in English, but Swa Frantzen has translated some of the published materials from Dutch.

The extent of the damage, or potential for damage, is so bad that The Mozilla Foundation, publishers of the Firefox Web browser, revoked digital certificates issued by DigiNotar. Bad news.

Update: The alleged hacker behind the DigiNotar breach has said that “I have access to 4 more so HIGH profile CAs, which I can issue certs from them too which I will.”

If you are using Firefox or another re-branded Web browser derived from it, and an update is not yet available, delete DigiNotar from the list of Certificate Authorities.

Here’s how to do it.

From the browser’s menu, select Edit > Preferences. The Preferences window, shown below, should open. Click on “Advanced,” then on the Encryption tab, then on the “View Certificates” button.
Firefox Preferences

Scroll down until you see the entry for DigiNotar. Select it, then click on Delete.
List of Digital Certificates

Exactly what we want to happen. OK. Back in the previous window, click OK to close it, then click Close on the Preferences window.
Delete DigiNotar Certificate

That should do it.
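
The same check from the command line, as an added example that is not part of the original article: a shell filter over `certutil -L` output (the NSS command-line tool, assumed to be installed) that reports DigiNotar entries still flagged as trusted CAs. The sample listing is constructed, and the `~/.mozilla/firefox` profile path is an assumption about a Linux install.

```shell
#!/bin/sh
# Added example: report DigiNotar entries that NSS still trusts as a CA.
# Input is the text printed by `certutil -L -d <profile-dir>`.
still_trusted() {
    awk '
        tolower($0) ~ /diginotar/ {
            flags = $NF                            # SSL,S/MIME,JAR/XPI column
            nick = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)  # drop the flags column
            # C = trusted CA for server certs, T = trusted CA for client certs
            if (flags ~ /[CT]/) print nick
        }'
}

# Constructed sample listing (not captured from a real profile).
SAMPLE='Certificate Nickname                        Trust Attributes
                                            SSL,S/MIME,JAR/XPI

DigiNotar Root CA                           C,C,C
DigiNotar Sample Sub CA                     ,,
Example Test Root CA                        CT,C,C'

printf '%s\n' "$SAMPLE" | still_trusted

# Live audit. Assumptions: NSS certutil is installed and profiles live under
# ~/.mozilla/firefox. Built-in roots whose trust was never edited are not
# stored in the profile database, so they do not show up in this listing.
if command -v certutil >/dev/null 2>&1; then
    for db in "$HOME"/.mozilla/firefox/*/; do
        [ -f "${db}cert8.db" ] || [ -f "${db}cert9.db" ] || continue
        certutil -L -d "$db" 2>/dev/null | still_trusted |
            while IFS= read -r nick; do
                echo "${db}: still trusted: $nick"
                # Clear the trust flags instead of deleting the entry:
                #   certutil -M -d "$db" -n "$nick" -t ",,"
            done
    done
fi
```

An entry whose flags read `,,` is present in the database but trusted for nothing, which is the state the "uncheck the trust boxes" route in the certificate manager produces.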



12 Comments

  1. http://www.wiseowl.co.uk/blog/s241/deleting_digital_certificates.htm

    Here is how to delete certificates from Windows, but not from Firefox.

    Below is how to delete them from Firefox.

  2. You need to delete cert8.db and key3.db, but in a special way, because if you delete them normally, they will reappear.
    So, using Notepad, create new files named cert8.db and key3.db and replace the old files with these new ones.

    Your Firefox will be without any certificates, but a problem is that Firefox doesn’t want to work with these changed cert8.db and key3.db files.

    So you cannot run the web browser (Firefox).

    I think that Firefox checks these two files before starting, but if someone knows how to fix this and run Firefox with these changed files, it would be great.

    Anyway maybe someone has working cert8.db and key3.db files without certificates , so please send me a link.

  3. My certificate just keeps coming back too… it’s driving me mad.

    Does anyone know a way of getting rid of it forever? Or is change of browser the only option?

    I’d miss Firefox so!

  4. Pingback: How to delete the DigiNotar CA certificate in Firefox | GilAsus

  5. It is of no use to delete that certificate for one simple reason: if another one is presented and the user is not paying enough attention or is not aware, he can be tricked and click accept – bam! There it is again.

    What you have to do is to revoke the trust of the DigiNotar certificates, but since there are several identifying DigiNotar (and Comodo) it is better to actually apply the Firefox fix, which will dump all the known certificates already revoked.

    If you still want to act manually, instead of deleting, click edit and uncheck the 3 trust boxes.

    Now, bear in mind that this is *NOT* a Firefox only issue. Every application that does SSL will use certificates and it is much more practical for these “other” applications to use the underlying SSL provided by the operating system. That said, besides Firefox, Komodo, Thunderbird would also suffer without a fix.

    SO, look also for a fix issued by your Linux distro.

  6. It doesn’t help to remove the DigiNotar certificate. It keeps reappearing!

  7. I don’t see Diginotar on the list.

  8. Pingback: Untrust DigiNotar in Firefox « 0ddn1x: tricks with *nix

  9. If I have admin privileges on my system, how do I delete the cert from the entire system for _all_ users (current and future)?

  10. Pingback: Life is a State of Mind : Computer and Browser Security Alert

  11. Pingback: Links 5/9/2011: Android 3.2 Tablets, Cablegate Everywhere | Techrights

  12. Thanks, this was very helpful.
