But but but...
Since all the previously mentioned certificates were issued by a single certificate authority, you also have the option of removing only this CA from the roots installed by mozroots. Note that this:
- does not solve the root (pun intended) issue. The same situation can occur with other CAs (from the same or a different company);
- will remove the trust from all certificates signed (past and future) by this CA.
Instructions
First check how many certificates you have installed in your Trust store:
~ @ certmgr -list -c Trust | grep "Unique Hash" | wc -l
140
Next remove the CA root certificate that signed all those bad certificates:
~ @ certmgr -del -c Trust 89B5351EC11451D06E2F95B5F89722D527A897B9
Finally validate that the certificate was removed.
~ @ certmgr -list -c Trust | grep "Unique Hash" | wc -l
139
~ @ certmgr -list -c Trust | grep "UTN-USERFirst-Hardware"
If the number decreased by one and the string UTN-USERFirst-Hardware can no longer be found, then this batch of bad certificates won't affect you.
Note: Repeat the above steps with -m if you installed root certificates on the machine store.
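The steps above as a repeatable, self-verifying script. This is an added example, not code from the original post. The hash and CA name are the ones given above; the CERTMGR override, the function names, and the placement of -m before the store name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): the manual steps as a checked script.
CERTMGR="${CERTMGR:-certmgr}"   # overridable so the logic can be tested without Mono
CA_HASH="89B5351EC11451D06E2F95B5F89722D527A897B9"   # hash given in the post
CA_NAME="UTN-USERFirst-Hardware"                      # name given in the post

# list_store [-m]: list the Trust store; pass -m for the machine store.
# Assumption: -m is placed between the object type (-c) and the store name.
list_store() { $CERTMGR -list -c $1 Trust; }

# count_certs [-m]: number of certificates, counted as the post does.
count_certs() { list_store "$1" | grep -c "Unique Hash" || true; }

# ca_present [-m]: succeeds if the CA's hash or name is still listed.
ca_present() { list_store "$1" | grep -qi -e "$CA_HASH" -e "$CA_NAME"; }

# remove_ca [-m]: delete the CA, then verify by re-listing.
# Returns 0 if the CA is absent afterwards (including when it was never there),
# 1 if it is still listed or the count did not drop by exactly one.
remove_ca() {
    store_opt="$1"
    if ! ca_present "$store_opt"; then
        echo "${store_opt:-user} store: $CA_NAME not present, nothing to do"
        return 0
    fi
    before=$(count_certs "$store_opt")
    # certmgr's exit status is not relied on; the re-listing below is the check.
    $CERTMGR -del -c $store_opt Trust "$CA_HASH" >/dev/null 2>&1 || true
    after=$(count_certs "$store_opt")
    if ca_present "$store_opt" || [ "$after" -ne $((before - 1)) ]; then
        echo "${store_opt:-user} store: removal FAILED ($before -> $after)" >&2
        return 1
    fi
    echo "${store_opt:-user} store: removed $CA_NAME ($before -> $after)"
}

# Usage: RUN_REMOVAL=1 sh this-script.sh   (covers the user and machine stores)
if [ "${RUN_REMOVAL:-}" = 1 ]; then
    remove_ca
    remove_ca -m
fi
```

Running it a second time reports that the CA is not present and exits successfully, so it is safe to re-run after a later mozroots import.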
3/24/2011 13:33:15
The views expressed on this website/weblog are mine alone and do not necessarily reflect the views of my employer.
