How to Remove Root Certificates from Apple, Android, Microsoft, Mozilla?

How to Remove Root Certificates on iOS and iPadOS (iPhone / iPad)

Unlike macOS, iOS and iPadOS don’t give users full access to the system’s built-in root certificate store. This is by design—to keep the platform secure and prevent accidental damage to SSL/TLS certificate trust. However, you can remove user-installed certificates, such as those added via configuration profiles or mobile device management (MDM) tools.

What You Can and Can’t Remove on iOS/iPadOS

• ✅ You can remove: Certificates that were installed manually or through profiles (e.g., for a corporate VPN, custom CA, or testing purposes).

• ❌ You cannot remove: Built-in system root certificates trusted by Apple. These are baked into iOS and unremovable without jailbreaking.

Steps to Remove User-Installed Certificates on iOS/iPadOS

1. Open Settings

   • Tap the Settings app on your iPhone or iPad.

2. Go to Profile & Device Management

   • Navigate to General > Profiles & Device Management.
     (If you don’t see this option, your device has no installed profiles.)

3. Locate the Profile Containing the Certificate

   • Tap on the profile that includes the certificate you want to remove.

   • If multiple certificates are installed, they’ll be visible under profile details.

4. Remove the Certificate

   • Tap Remove Profile.

   • Enter your device passcode to confirm.

   • This will remove the certificate along with any settings it included (like VPN or Wi-Fi configurations).

5. Restart Your Device

   • Restarting helps ensure the removal fully takes effect across apps and system processes.

Notes for iOS/iPadOS Users

• Certificates installed as part of a Wi-Fi configuration, VPN setup, or enterprise profile will be removed once the entire profile is deleted.

• If you see SSL or trust warnings after certificate removal, reinstall the profile or consult with the profile provider.

• If you want to block a system certificate (but can’t remove it), the only workaround is using a filtered network like a VPN or DNS service.

How to Remove Root Certificates on Android

Android devices store certificates in two primary locations: system certificates pre-installed by the manufacturer and user certificates installed manually or via apps. The process to remove or disable certificates varies slightly between Android versions and device manufacturers (Samsung, Google Pixel, etc.), but the core steps are similar.

What You Can and Can’t Remove on Android

• ✅ You can remove or disable user-installed certificates (e.g., corporate CAs, VPN adding a certificate)

• ❌ You usually cannot remove system/root certificates unless the device is rooted. You can only disable them on some devices.

Steps to Remove or Disable Certificates on Android

1. Open Device Settings

   • Launch the Settings app.

2. Go to Security Settings

   • Navigate to Security > Encryption & credentials (on some devices: Biometrics and Security > Other Security Settings).

3. View Trusted Certificates

   • Tap Trusted credentials.

   • You’ll see two tabs: System (built-in certificates) and User (added certificates).

4. Remove a User Certificate

   • Switch to the User tab.

   • Tap the certificate you want to remove.

   • Choose Remove or Forget (depending on the Android version).

5. Disable a System Certificate (If Allowed)

   • In the System tab, select the certificate.

   • Tap Disable (if the option exists).

   • Note: This option is not available on all devices or Android versions.

6. Restart and Test

   • Exit settings and restart your device to apply changes.

   • Test browser access or apps that rely on SSL/TLS to check for issues.

Important Reminders for Android Users

• System-level root certificates are often required for apps and browsers to work properly. Disabling the wrong one may cause apps, websites, or email clients to break.

• If you don’t see the option to disable a system certificate, it’s most likely protected by the OS or manufacturer settings.

• On rooted devices, power users can access the /system/etc/security/cacerts/ directory to remove system certificates manually—but this is not recommended unless you fully understand the risks.

How to Remove Root Certificates in Mozilla Firefox

Unlike most browsers, Mozilla Firefox manages its own certificate store, independent from your operating system. That means removing or distrusting a root certificate in Firefox only affects connections made in that browser — not in Chrome, Edge, or system apps.

This makes Firefox one of the best platforms for users who want fine-grained control over which root CAs are trusted, without breaking SSL validation system-wide.

Steps to Remove or Distrust a Root Certificate in Firefox

1. Open Firefox Preferences

   • Launch Firefox and click the Menu (☰) icon in the upper-right corner.

   • Select Settings (or Preferences on macOS).

2. Go to the Certificates Section

   • Scroll down and click Privacy & Security in the left menu.

   • Scroll to the Certificates section.

   • Click View Certificates.

3. Open the Authorities Tab

   • In the Certificate Manager window, select the Authorities tab.

   • This tab displays all trusted Certificate Authorities, including root and intermediate certificates.

4. Find the Certificate to Remove or Distrust

   • Scroll through the list or use the Search box to locate the certificate by name.

   • Select the certificate, then click Delete or Distrust….

5. Choose to Delete or Distrust

   • Delete removes the certificate entirely from Firefox’s trust store.

   • Distrust keeps it present but prevents Firefox from trusting it.
     Choose based on whether you may need to re-enable it in the future.

6. Confirm and Restart

   • Click OK to apply changes.

   • Restart Firefox to ensure the change takes effect.

Tips for Firefox Users

• Since Firefox uses its own store, removing a root certificate here won’t affect system apps or other browsers.

• If you remove a certificate and encounter security warnings on websites you trust, you may need to re-import or restore it through Firefox settings.

• Power users can also manage certificates in Firefox using the built-in policy settings or enterprise deployment options.

Safety Checklist and Rollback Tips

Before you start removing or distrusting root certificates, it’s essential to have a solid backup and recovery plan. Making changes to your device or browser’s certificate trust store can cause critical apps, websites, or services to stop working — especially if you’re unsure which certificate is safe to remove.

Below is a safety checklist to help you avoid common pitfalls and ensure you can restore trust settings if needed.

Before You Remove a Certificate

• Identify the Certificate Clearly
  Check its issuer, expiration date, serial number, and thumbprint. Use these details to avoid confusing it with a similar one.

• Research Why You’re Removing It
  Is it a compromised CA? A corporate certificate you no longer use? A suspicious or unknown third-party? Know your justification.

• Back Up Your Certificate Store (If Possible)

  • On Windows: Export certificates from MMC before deletion.

  • On Firefox: Export certificates in PEM format from the Certificate Manager.

  • On macOS: Use Keychain Access to export certificate files.

• Take Screenshots
  If you can’t export, screenshots are the next best thing for tracking changes.

• Notify Affected Users (Admins Only)
  If you’re in an IT/admin role, make sure your team or company is aware that you’re making changes to the root store.

If Something Goes Wrong (Rollback Tips)

• Restore an Exported Certificate

  • In Windows: Use MMC > Certificates > Import to re-add root certs.

  • In macOS: Drag and drop the .cer or .pem file back into Keychain Access.

  • In Firefox: Go to Certificate Manager > Authorities > Import.

• Reset Browser or System Settings

  • Firefox: Go to Help > More Troubleshooting Information > Refresh Firefox.

  • Windows: Use System Restore if the issue is widespread.

• Check Website and App Issues

  • Try connecting to affected websites using different browsers or devices to confirm whether the certificate change is the cause.

• Seek Professional Help

  • If you’ve removed a critical root CA and can’t restore normal functionality, consult your organization’s security admin or a cybersecurity expert.

Best Practice Reminder

Never delete or distrust a certificate unless you’re confident it won’t break essential services. When in doubt, disabling (instead of deleting) is often safer for troubleshooting purposes. And always test critical services (email, VPN, banking, corporate sites) after making changes.

Summary

Managing root certificates is a powerful way to take control of your device or browser’s trust system—whether you’re securing a personal device, protecting corporate environments, or safeguarding against malicious CAs. But with that power comes the responsibility to make careful, informed changes.

You’ve learned the step-by-step methods for removing or distrusting root certificates across popular platforms like Windows, macOS, iOS, Android, and Firefox. You now know what’s possible, what’s risky, and how to safely reverse changes if needed.

Below is a quick reference table comparing the certificate removal options across platforms:

By understanding how certificate stores work and tailoring your actions based on device and use case, you can enhance your control over online trust. Whether you’re a concerned end-user or a system administrator, always back up, test thoroughly, and document your changes.

Frequently Asked Questions (FAQ)

Q: What is a root certificate, and why is it important?
A root certificate is the topmost certificate in a chain of trust used in SSL/TLS communications. It verifies that websites, apps, and other online services are secure. If a root certificate is compromised or malicious, your device may trust insecure connections.

Q: Is it safe to remove a root certificate?
Only if you know what you’re doing. Removing trusted certificates can break website access, app functionality, or VPN connections. Always back up your certificate or system settings before removal.

Q: Why can’t I delete some certificates on macOS or iOS?
System root certificates provided by Apple are protected and cannot be fully deleted. On macOS, you can only mark them as “Never Trust,” and on iOS, they can’t be removed at all unless they’re part of a user-installed profile.

Q: Does removing a certificate in Firefox affect Chrome, Edge, or my system apps?
No. Firefox maintains its own certificate store. So any removal or distrust actions only affect Firefox. Other browsers rely on your operating system’s certificate store instead.

Q: How can I tell if a certificate was installed by my employer or an app?
On iOS and Android devices, corporate or app-installed certificates are usually part of a configuration profile. If you see “Profiles” or “User Certificates,” those are most likely not part of the default system store.

Q: Can I restore a root certificate after deletion?
Yes. If you exported it before removal, you can re-import it. Otherwise, you might need to reinstall system trust settings, refresh the browser, or restore the system from a backup or restore point.