Bug 1596401 Comment 9 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

I took a look at this and the problem and as far as I can see we're looking at two (mostly independent issues):

- Built-in (root) certificates can not be deleted, they will be distrusted instead. However, this is not clear at all from the management UI, which will simply [always remove elements, no matter if they were actually distrusted](https://searchfox.org/mozilla-central/rev/be7d1f2d52dd9474ca2df145190a817614c924e4/security/manager/ssl/nsCertTree.cpp#701). The easiest solution is probably to guard that line on `certType == nsIX509Cert::USER_CERT`.

- For user certificates, those can be deleted, but it takes some time to happen, because on user action they are only "marked for deletion" and will be [finally deleted in their destructor](https://searchfox.org/mozilla-central/rev/be7d1f2d52dd9474ca2df145190a817614c924e4/security/manager/ssl/nsNSSCertificate.cpp#130). Unfortunately we seem to be holding it a little longer than we should, which delays CC by a while, AFAICT. Ideally we could avoid cleaning up the cert in the destructor only instead of trying to hack our way towards getting it collected earlier. Dana, do you have any thoughts on that?

I'm happy to take the bug, assuming we find a reasonable solution for the latter issue.

I took a look at this and the problem and as far as I can see we're looking at two (mostly independent) issues:

- Built-in (root) certificates can not be deleted, they will be distrusted instead. However, this is not clear at all from the management UI, which will simply [always remove elements, no matter if they were actually distrusted](https://searchfox.org/mozilla-central/rev/be7d1f2d52dd9474ca2df145190a817614c924e4/security/manager/ssl/nsCertTree.cpp#701). The easiest solution is probably to guard that line on `certType == nsIX509Cert::USER_CERT`.

- For user certificates, those can be deleted, but it takes some time to happen, because on user action they are only "marked for deletion" and will be [finally deleted in their destructor](https://searchfox.org/mozilla-central/rev/be7d1f2d52dd9474ca2df145190a817614c924e4/security/manager/ssl/nsNSSCertificate.cpp#130). Unfortunately we seem to be holding it a little longer than we should, which delays CC by a while, AFAICT. Ideally we could avoid cleaning up the cert in the destructor only instead of trying to hack our way towards getting it collected earlier. Dana, do you have any thoughts on that?

I'm happy to take the bug, assuming we find a reasonable solution for the latter issue.
