Untrusting an intermediate CA on OS X

Intermediate CAs are certificates signed by a root CA that can sign arbitrary certificates for any websites.

They are just as powerful as root CAs, but there's no full list of the ones your system trusts, because root CAs can make new ones at will, and your system will trust them at first sight. There are THOUSANDS logged in CT.

This month an interesting one popped up, generated apparently in September 2015: "Blue Coat Public Services Intermediate CA", signed by Symantec. (No certificates signed by this CA have reached the CT logs or Censys so far.)

I thought it would be a good occasion to write up how to explicitly untrust an intermediate CA that would otherwise be trusted in OS X. It won't stop the root CA from handing a new intermediate to the same organization, but better than nothing.

EDIT: for Windows instructions see here.

  1. Download the certificate you want to untrust (for example the BlueCoat one, because LOLNOWTF) and open it.
    Keychain Access
  2. You'll be dropped into Keychain Access, double click on the certificate you just imported. So far it's neither trusted nor untrusted.
    Cert view
  3. Click on Trust and select "Never Trust" in the first dropdown. Close the window, you'll be asked your password.
    Red X
  4. A reassuring red X will appear on the CA icon and your system won't trust certificates signed by it even if it's signed by a trusted root CA.
  5. EDIT: Finally, drag the certificate on the "System" keychain on the left to make the policy apply to all users.

For more tips to fight the hopeless battle of TLS trust, follow me on Twitter.