Why Does Disabling Trust Purposes on a Root Certificate Not Work?

Asked By TechWanderer24 On

I've been experimenting with certificate management on Windows 11 and encountered some strange behavior. I went to certmgr, navigated to Trusted Root Certification Authorities, and selected the 'ISRG Root X1' certificate, which is actively used by Let's Encrypt. I then disabled all trust purposes for this certificate and rebooted my system, thinking perhaps the chain of trust was cached. However, I was surprised to find that browsers, including Edge and Firefox, still recognized 'ISRG Root X1' as a valid root certificate. Is there a cache I need to clear, or how can I ensure I don't trust a specific root certificate anymore?

3 Answers

Answered By CyberNerd88 On

If you're serious about understanding Public Key Infrastructure (PKI), you'll want to delve into that topic more comprehensively. Just disabling purposes on a certificate won't work as expected, especially since some browsers might maintain their own certificate stores. You might want to check out resources or tutorials that cover the foundations of PKI to make sense of this behavior.

Answered By CodeMaster89 On

To really stop trusting a root certificate, you need to remove it entirely from the Trusted Root Certification Authorities list. Simply disabling its purposes doesn't actually revoke its trust; it's still there, just not supposed to serve as a trusted certificate for certain activities.

Answered By SysAdminGuy42 On

You can't change the capabilities of a certificate once it's issued. If you no longer trust it, your best bet is to delete the certificate. Some systems even allow you to manage this through group policies if you're in an enterprise environment.
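
A way to check which Windows certificate stores hold the root and to remove it, as the answers above suggest. This is an added example, not part of the original thread; it assumes the certificate is matched by subject name, and the removal step runs with `-WhatIf` so nothing is deleted until that switch is dropped.

```powershell
# Added example (not from the thread): find a root CA in the Windows
# certificate stores and preview its removal from the trusted ones.
# Assumption: the certificate is matched by subject name; check the
# thumbprint that is printed before removing anything.
$subjectPattern = '*ISRG Root X1*'

# Stores that make a root trusted (per-user and machine-wide), plus the
# Disallowed stores ("Untrusted Certificates" in certmgr) for reference.
$stores = @(
    'Cert:\CurrentUser\Root',
    'Cert:\LocalMachine\Root',
    'Cert:\LocalMachine\AuthRoot',      # Third-Party Root Certification Authorities
    'Cert:\CurrentUser\Disallowed',
    'Cert:\LocalMachine\Disallowed'
)

# Collect every match together with the store it was found in.
# CurrentUser stores also show certificates inherited from LocalMachine,
# so the same thumbprint may be listed more than once.
$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like $subjectPattern } |
        Select-Object @{ Name = 'Store'; Expression = { $store } },
                      Subject, Thumbprint, NotAfter, PSPath
}

if (-not $found) {
    Write-Output "No certificate matching $subjectPattern in the checked stores."
} else {
    $found | Format-Table Store, Thumbprint, NotAfter -AutoSize

    # Preview removal from the trusted stores only. Removing entries under
    # LocalMachine needs an elevated session. Drop -WhatIf to delete.
    $found |
        Where-Object { $_.Store -notlike '*Disallowed' } |
        ForEach-Object { Remove-Item -LiteralPath $_.PSPath -WhatIf }
}
```

This only covers the Windows stores; as the first answer notes, a browser that maintains its own certificate store is not affected by it.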
