How to Remove a Root Certificate

Instructions for removing roots for Apple, Microsoft, and Mozilla.

Need to know how to remove a root certificate? You’re in the right place.

Digital certificates, and for our purposes SSL certificates specifically, all have to chain back to a trusted root certificate. This is called certificate chaining, and it’s the way trust is established.

When you’re on the internet your browser has been taught to be skeptical—it doesn’t just grant trust freely to whatever website it stumbles across. When your browser arrives at a website that presents a digital certificate, it checks to make sure that the certificate chains back to a trusted root. This is why you may sometimes be asked to install intermediate certificates along with your SSL—you’re helping to complete the certificate chain.

To aid in this chaining process on the browser side, each of the major browsers has a trusted root store that contains a set of pre-downloaded X.509 certificates (that’s a fancy way of saying digital certificates). These roots are all highly guarded, owned by Certificate Authorities that store their private keys offline on private hardware tokens in highly secured data centers. There are four major root stores: Apple and Microsoft each maintain one for their operating systems, Mozilla maintains its own, and there’s an Android root store as well. It’s also worth noting that Google Chrome, America’s most popular browser, uses the root store provided by whatever OS you’re using.

The browsers may not trust any random digital certificate, but they trust the roots in their trust store and as long as your certificate chains back to one of those, the browsers will afford it trust, too.
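
The chain check described above, reproduced with the `openssl` command line as an added example (it is not from the original article): it builds a throwaway root, intermediate and leaf, then verifies the leaf with the root trusted, with the intermediate left out, and with the root removed from the store. All names, subjects and paths are constructed for the demonstration, and the trust store is modelled as a plain PEM bundle rather than a real OS or browser store.

```bash
#!/usr/bin/env bash
# Constructed demo PKI with throwaway keys: root -> intermediate -> leaf.
set -eu
D=$(mktemp -d); trap 'rm -rf "$D"' EXIT
printf 'basicConstraints=critical,CA:TRUE\n' > "$D/ca.ext"

csr() {        # csr NAME SUBJECT -> NAME.key and NAME.csr
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$D/$1.key" -out "$D/$1.csr" 2>/dev/null
}
self_sign() {  # self_sign NAME -> self-signed root certificate NAME.pem
  openssl x509 -req -in "$D/$1.csr" -signkey "$D/$1.key" -days 2 \
    -extfile "$D/ca.ext" -out "$D/$1.pem" 2>/dev/null
}
issue() {      # issue NAME ISSUER [x509 args] -> NAME.pem signed by ISSUER
  n="$1"; ca="$2"; shift 2
  openssl x509 -req -in "$D/$n.csr" -CA "$D/$ca.pem" -CAkey "$D/$ca.key" \
    -CAcreateserial -days 2 "$@" -out "$D/$n.pem" 2>/dev/null
}
chain_ok() {   # chain_ok STORE [verify args] -> prints yes or no for the leaf
  store="$1"; shift
  # Match the "OK" line instead of trusting the exit code alone.
  if openssl verify -CAfile "$store" "$@" "$D/leaf.pem" 2>&1 | grep -q ': OK$'
  then echo yes; else echo no; fi
}

csr root  "/CN=Demo Root CA";         self_sign root
csr other "/CN=Unrelated Root CA";    self_sign other
csr inter "/CN=Demo Intermediate CA"; issue inter root -extfile "$D/ca.ext"
csr leaf  "/CN=www.example.test";     issue leaf inter

# The trust store is modelled as a PEM bundle holding two trusted roots.
cat "$D/root.pem" "$D/other.pem" > "$D/store.pem"
# "Removing" the demo root = the same store without that certificate.
cp "$D/other.pem" "$D/store_removed.pem"

with_intermediate=$(chain_ok "$D/store.pem" -untrusted "$D/inter.pem")
missing_intermediate=$(chain_ok "$D/store.pem")
root_removed=$(chain_ok "$D/store_removed.pem" -untrusted "$D/inter.pem")

echo "root trusted, intermediate supplied: $with_intermediate"
echo "root trusted, intermediate missing:  $missing_intermediate"
echo "root removed from the trust store:   $root_removed"
```

Only the first check passes. The third is what every certificate under a root looks like to a client once that root has been removed or distrusted, which is why removing the wrong one breaks browsing.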

But what happens when something goes wrong with one of those roots? What happens when you need to distrust one? While the browsers will work to remove the root from the list in their next update, you may need to remove the root now. So how do you do it?

Here are step-by-step instructions on how to remove a root certificate from Windows, Apple, and Mozilla, and then on iPhone and Android phones, too.

How to Remove a Root Certificate from Windows 10/8

Removing a Root Certificate from the Windows trust store is fairly straightforward, but before we go any further I want to add a quick disclaimer. Be careful. Messing with your root certificates can cause serious issues. We recommend that you back up your computer before proceeding with any of the following steps. We will not be held liable for any issues that arise from following these instructions.

Ok, now that we’re done with that, let’s get started.

  1. Press the Windows or Start button, then type “MMC” into the run box. This will launch Microsoft Management Console.
  2. Select File, then Add/Remove Snap-In
  3. Select “Certificates” from the field on the left, then click Add.
  4. On the next window, choose “Computer Account,” then select “Local Computer,” click OK.
  5. In MMC, select the arrow beside “Certificates (Local Computer)”; this will reveal the certificate stores.
  6. Select the arrow beside the Root Certificate you would like to remove/disable, then click the “Certificates” folder.
  7. Find the certificate you’re trying to delete in the list, right-click it and choose “Properties.”
  8. Select “Disable all purposes for this certificate,” click Apply.
  9. Now, just restart your machine.

How to Remove a Root Certificate from Windows 7

We got asked how to remove a root certificate on Windows 7 recently, so we’ve updated this article with instructions on removing roots on the Windows 7 OS.

  1. Press the Windows or Start button, then type “MMC” into the run box. This will launch Microsoft Management Console
  2. Select File, then Add/Remove Snap-In
  3. Click the Certificates heading in the console tree that contains the root certificate that you want to delete.
  4. Select the certificate that you want to delete.
  5. In the Action menu, click Delete.
  6. Click Yes.

How to Remove a Root Certificate on Apple

When deleting a root certificate on an Apple machine, much like with Windows, you will need to have administrator access in order to access your trust store. Once again, you can mess up your machine this way if you’re not careful—so be careful.

  1. With the Finder selected, click Go and select Utilities (alternatively, press Shift + Command + U)
  2. Double-click on Keychain Access, then select System Roots.
  3. Find the root certificate you want to delete and double-click on it.
  4. In the window that pops up, under “Trust,” select “When using this certificate” and choose “never trust.”

How to Remove a Root Certificate on Mozilla

Unlike Google Chrome, Mozilla’s Firefox browser uses its own proprietary trust store that is maintained by individuals at the Mozilla organization. In order to remove a root, you’ll have to access the trust store through your browser.

  1. Click on the Firefox menu and then select Options.
  2. Select Advanced and then click on the “Certificates” tab.
  3. Click View Certificates.
  4. Select the “Authorities” tab, find the Root Certificate you would like to delete, then click the “Delete or Distrust” button.
  5. In the following box, make sure the correct Root Certificate is selected and then click OK.

How to Remove a Root Certificate from an iPhone or iPad

Mobile devices have overtaken desktop computers as the primary way that most people surf the internet. This means that your phone now has the task of chaining certificates and verifying trust. As such, you may be forced to occasionally manage Root Certificates on your mobile device. Here’s how to do it on an iPhone (iPads, too).

  1. Open your Settings on the Home screen, select General.
  2. Select Profile (if you don’t see any profiles, there’s nothing to delete).
  3. Choose the Profile you want to delete.
  4. Select Delete Profile.
  5. Enter your pass code (if prompted).
  6. Select Delete one more time to confirm.

Related: How to trust manually installed roots in macOS High Sierra

How to Remove a Root Certificate from an Android Device

Finally, Android. Android phones have their very own trust store, which needs to be managed just like any other. Here’s how to do it.

  1. Open your Settings, select Security.
  2. Choose Trusted Credentials.
  3. Select the certificate you’d like to remove.
  4. Press Disable.

We saved the easiest for last! Hopefully this helps you. As always, if you have any questions, leave them in the comments section and I’ll be happy to answer them for you!

  • Thank you so much. I was so annoyed by the notification of my network being monitored by a survey app that wasn’t even monitoring me anymore. Also learned very useful things

  • I have an Android and I disabled the trusted credentials, an estimated 106, and when I want to use an internet browser or apps like social media or YouTube too, there is a message that it’s offline when online. Also on the internet the message says I cannot use it because phishing or spam and scams, it’s untrustworthy.

  • I think I’ve messed up. I deleted the System Root Certificate Authority because my Firefox kept telling me it cannot work because of it. Maybe there was a virus involved in that because nothing would work anymore.
    But after deleting the root certificate authority no internet browser functions anymore; I guess it’s needed to trust the data flow. What should I do?!!? How can I get it back?
    I’m thankful for all help!!

    • It really depends on whether you have Firefox configured to use its own root store or your operating system’s root store. If you’re using Firefox’s, you should be able to just uninstall and reinstall Firefox and it will be fine. Just make sure you get rid of the settings you’ve saved so nothing holds over.

  • Thanks; I have a certificate installed on my PC (Win7). I want to delete it; when I look for it in the console, I do not find it. Please help me to delete it, thanks.

    • The beauty of the various root programs being administered is that’s really not a call you have to make. The root programs are constantly auditing CAs and making trust decisions FOR YOU. For instance, there was just a decision to distrust some DarkMatter intermediates that the internet community felt were not safe. As long as you trust the root store you’re using, you should be fine.

  • How do I remove a root authority in the Android system so I can continue playing an Android app? I tried all, but some mess up the game from connecting to the network and then some you don’t get access at all. Like, can you tell me which is the real root authority?

  • How do I know which ones to remove? According to Administrative events, I have too many of them and so the list was truncated. It advises me to remove the ones I don’t need but I have no idea which ones I need and which ones I don’t. I’m running Windows 7 home premium (yes, still)… I like some things about it. Can you help? I believe the event occurred just before the machine went from sleep to shutdown without orders and the shutdown was not clean. It couldn’t have been because of power since it’s plugged into a UPS. Here’s what it said in Event Viewer: “When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted.”

  • My IMAP email host wants me to delete the system certificate on Android so that a new one can be installed. Does disabling the certificate allow for its replacement?
    I’m having SSL problems with their server and am constantly requested to reenter my server settings for all of my email accounts, a task which resolves nothing.

  • I cannot get onto any military websites with my CAC reader. I keep getting a notification that the SSL Certificate is bad or not trusted. Is this a root issue or something worse?

  • Hi, what else can a certificate be used for? And if using an iPhone, can you delete it (it’s not showing anyway to do it), I believe someone is messing with my phone (banking apps and more keep being messed with by someone).

    Any help would be really appreciated.

  • I have an Android cell and a whole lot of my certificates are from foreign places. Do I need to remove those?

  • Today my Chrome and Opera browsers in Win7 (32 bits) stopped working for Wikipedia because of the expired certificate that was a bit on the news (one that expired Sept 29 or 30th). Is there a way to renew it or something?

    Firefox works but all my passwords are stored in Google and Firefox does not support accessing passwords from the Google cloud.

    Thanks a lot in advance.

Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.