How to distrust a CA without any certificate errors
Published on: 2025-06-29 06:28:01
A “distrust” is when a certification authority (CA) that issues HTTPS certificates to websites is removed from a root store because it is no longer trusted to issue certificates. This means certificates issued by that CA will be treated as invalid, likely causing certificate error interstitials in any browser that distrusted the CA. Distrusts can happen for security reasons, compliance reasons, or simply due to a lack of trust in the operators. In the past, the complexity and user impact of a distrust event largely depended on the size and usage of the CA: the larger the CA, the longer and more complex the timeline to distrust it if it misbehaved, and the more likely users were to encounter certificate errors. Nowadays, the situation is different.
Most user agents require certificates to be logged to public Certificate Transparency (CT) logs. Since the introduction of CT, most distrusts are no longer due to key compromise and domain validation failures. Today, CAs are much
...