Description of problem:
Per the docs[1], the following should remove a system cert from the system trust store:

trust anchor --remove path.to/certificate.crt

Version-Release number of selected component (if applicable):
[root@fedora-cloud ~]# rpm -qf /usr/bin/trust
p11-kit-trust-0.24.1-3.fc37.x86_64
[root@fedora-cloud ~]# rpm -qi p11-kit-trust-0.24.1-3.fc37.x86_64
Name        : p11-kit-trust
Version     : 0.24.1
Release     : 3.fc37

How reproducible:
Every time.

Steps to Reproduce:
1. find a cert: trust list
2. remove the cert: trust anchor --remove <cert>

Actual results:
[root@fedora-cloud ~]# sudo trust anchor --remove "pkcs11:id=%BD%88%87%C9%8F%F6%A4%0A%0B%AA%EB%C5%FE%91%23%9D%AB%4A%8A%32;type=cert"
p11-kit: couldn't remove read-only certificate
p11-kit: 1 error while processing

Expected results:
It should remove the cert.

Additional info:
[1] https://docs.fedoraproject.org/en-US/quick-docs/using-shared-system-certificates/
Originally reported in upstream cloud-init. https://github.com/canonical/cloud-init/pull/1962#issuecomment-1382915160
I would say this is a documentation issue. Basically, only certificates installed with `trust anchor --store` can be removed with `trust anchor --remove`. If you want to pre-populate certain certificates on an immutable media, I would suggest simply adding/removing them under /usr/share/pki/ca-trust-source/anchors or /usr/share/pki/ca-trust-source/blocklist.
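The two paths the comment above distinguishes, as an added example script that is not part of this bug report or of p11-kit: a throwaway self-signed CA is stored and then removed with `trust anchor`, which works because it was added the same way, while a certificate that ships in the system bundle is distrusted by dropping a copy into the blocklist directory and rebuilding the consolidated stores with `update-ca-trust`. The directory paths are the ones named in the comment; the "Example test CA" subject, the file names and the `--run` switch are this example's own choices. Running the demo needs root, p11-kit's `trust`, `update-ca-trust` and `openssl`; defining the functions needs nothing.

```shell
#!/bin/sh
# Added example: user-managed anchors vs. blocklisting a system certificate
# in the Fedora shared trust store. Not code from the bug report or from p11-kit.
set -eu

# Source directories from the comment above. Files under anchors/ are
# trusted, files under blocklist/ are distrusted, for every consumer that
# reads the consolidated store produced by update-ca-trust.
ca_source_dir() {
    case "$1" in
        anchor) printf '%s\n' /usr/share/pki/ca-trust-source/anchors ;;
        block)  printf '%s\n' /usr/share/pki/ca-trust-source/blocklist ;;
        *) echo "usage: ca_source_dir anchor|block" >&2; return 2 ;;
    esac
}

# Build a throwaway self-signed CA so nothing here touches a real CA file.
# $1 = output PEM path; the private key goes next to it and is never reused.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=Example test CA' -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Path 1: a certificate added with `trust anchor --store` can be dropped again
# with `trust anchor --remove`. Built-in certificates are read-only to this
# command, which is exactly the error shown in the report.
store_then_remove() {        # $1 = PEM path
    trust anchor --store "$1"
    echo "anchors matching the test CA after store:"
    trust list --filter=ca-anchors | grep -c 'Example test CA' || true
    trust anchor --remove "$1"
    echo "anchors matching the test CA after remove:"
    trust list --filter=ca-anchors | grep -c 'Example test CA' || true
}

# Path 2: a certificate that ships in the system bundle cannot be removed, but
# a copy placed under blocklist/ makes update-ca-trust mark it distrusted.
block_system_cert() {        # $1 = PEM path of the certificate to distrust
    install -m 0644 "$1" "$(ca_source_dir block)/$(basename "$1")"
    update-ca-trust
}

# Reverse path 2: delete the blocklist copy and rebuild to trust it again.
unblock_system_cert() {      # $1 = PEM path originally passed to block_system_cert
    rm -f "$(ca_source_dir block)/$(basename "$1")"
    update-ca-trust
}

demo() {
    tmp=$(mktemp -d)
    make_test_ca "$tmp/example-test-ca.pem"
    store_then_remove "$tmp/example-test-ca.pem"
    # Blocklist the same throwaway CA only to show the mechanism; on a real
    # system the argument would be the PEM of the bundled certificate.
    block_system_cert "$tmp/example-test-ca.pem"
    trust list --filter=blocklist | grep 'Example test CA' || true
    unblock_system_cert "$tmp/example-test-ca.pem"
    rm -rf "$tmp"
}

# Only run the root-requiring demo when explicitly asked.
if [ "${1-}" = "--run" ]; then
    demo
fi
```

The read-only error in the report comes from the first path: the certificate named by the pkcs11 URI lives in the system bundle, not in a directory `trust anchor` is allowed to write to, so the second path (blocklist plus `update-ca-trust`) is the supported way to stop trusting it.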
I have filed a PR to update the documentation: https://pagure.io/fedora-docs/quick-docs/pull-request/556
The fixed documentation has been published: https://docs.fedoraproject.org/en-US/quick-docs/using-shared-system-certificates/ I'm closing as NOTABUG for now, but feel free to reopen if anything can be done from the tooling side.