Untrusting an intermediate CA in Linux?

Just to make things difficult, Linux has more than one library for working with certificates.

If you're using Mozilla's NSS, you can Actively Distrust (their terminology) a certificate using certutil's -t trustargs option:

$ certutil -d <path to directory containing database> -M -t p -n "Blue Coat Public Services Intermediate CA"

For Firefox, <path to directory containing database> is usually ~/.mozilla/firefox/<???>.profile where <???> are some random looking characters. (certutil is eg. in ubuntu's libnss3-tools package)

The breakdown is as follows:

-M to modify the database

-t p to set the trust to Prohibited

-n to carry out the operation on the named certificate

Even within NSS, not all applications share the same database; so you may have to repeat this process. For example, to do the same for Chrome, change the -d <path> to -d sql:.pki/nssdb/.

$ certutil -d sql:.pki/nssdb/ -M -t p -n "Blue Coat Public Services Intermediate CA"

However, not all applications use NSS, so this isn't a complete solution. For example, I don't believe it's possible to do this with the OpenSSL library.

As a consequence, any application that uses OpenSSL to provide it's certificate chain building (TLS, IPSec etc) would trust a chain with a Blue Coat certificate and there is nothing that you can do about it short of removing the Root CA that signed it from your trust anchor store (which would be silly considering it's a Symantec Root CA as you'd end up distrusting half the Internet), whereas applications that rely on NSS can be configured more granular to distrust any chain that has the Blue Coat certificate within it.

For example, I believe OpenVPN uses OpenSSL as it's library for certificates, therefore big brother could be listening to your OpenVPN traffic without your knowledge if you are connecting to a commercial VPN provider which uses OpenVPN. If you are really concerned about that then check who your commercial VPN provider's Root CA is - if it's Symantec/Verisign then maybe it's time to ditch them for someone else?

Note that SSH doesn't use X509 certificates therefore you can connect and tunnel using SSH without worrying about Blue Coat MITM attacks.