Unable to blacklist Certificate Authority (CA) on openSUSE

After doing some research on how to disable CAs on openSUSE (installed from the OS package), I did the following:

  1. sudo ln -s /etc/ssl/certs/UCA_Global_G2_Root.pem /etc/pki/trust/blacklist/
  2. sudo update-ca-certificates or sudo update-ca-certificates --fresh

To verify that the certificates I had symlinked into the blacklist directory were really blocked, I did:
trust list --filter=ca-anchors | grep -A 5 "UCA"
I expected to see the line “trust: blacked”, but I got “trust: anchor” under it.

The man page of update-ca-certificates also says:

To blacklist certificates, symlinks to the respective certificates can be placed in /etc/pki/trust/blacklist

I wonder if the method I used to verify the blacklisted state of a certificate was not correct.

Disclaimer: the .pem CA used above is only used as an example and nothing is implied as it being untrustworthy.

Apparently p11-kit switched to using blocklist instead of blacklist almost exactly 5 years ago. Use /etc/pki/trust/blocklist.

The /etc/ssl/certs link is itself managed by update-ca-certificates. I would avoid this recursive linking.

You may consider opening a bug report against ca-certificates. It should be fixed to manage the switch from blacklist to blocklist, and of course the manual needs updating as well.


Many thanks.

After doing this

sudo ln -s /etc/ssl/certs/[somecert].pem /etc/pki/trust/blocklist/
sudo update-ca-certificates

I confirmed the result with:
trust list --filter=blocklist

And honestly I do not understand the problem behind it well enough to open a bug report.
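As an added example, not part of the thread, here is a bash script that audits a p11-kit trust directory for the two mistakes raised above: entries left in the legacy blacklist/ directory (which current p11-kit ignores) and blocklist entries whose symlinks no longer resolve or point into the ssl/certs tree that update-ca-certificates itself regenerates. The TRUST_ROOT override, the demo fixture tree and its certificate names (Example_Root, Distro_Root, Legacy_Root, Missing_Root) are constructed for illustration and are not real CA material.

```shell
#!/usr/bin/env bash
# Audit a p11-kit trust directory for blocklist mistakes discussed in the thread.
# Layout assumed (openSUSE): <root>/blocklist is what p11-kit reads today;
# <root>/blacklist is the legacy name and has no effect any more.
# TRUST_ROOT is a hypothetical override so the audit can run on a test tree
# without root privileges; the real directory is /etc/pki/trust.
set -u
TRUST_ROOT="${TRUST_ROOT:-/etc/pki/trust}"

# audit_blocklist ROOT: print one line per entry; return 1 if anything needs attention.
audit_blocklist() {
    local root="${1:-$TRUST_ROOT}"
    local blocklist="$root/blocklist" legacy="$root/blacklist"
    local status=0 entry target name

    # 1. Entries placed in blacklist/ are silently ignored by current p11-kit.
    if [ -d "$legacy" ]; then
        for entry in "$legacy"/*; do
            [ -e "$entry" ] || [ -L "$entry" ] || continue   # skip unmatched glob
            name="$(basename "$entry")"
            if [ ! -e "$blocklist/$name" ]; then
                echo "IGNORED: $entry is in legacy blacklist/ only; move it to blocklist/"
                status=1
            fi
        done
    fi

    # 2. Check that each blocklist entry actually points at a certificate.
    if [ -d "$blocklist" ]; then
        for entry in "$blocklist"/*; do
            [ -e "$entry" ] || [ -L "$entry" ] || continue
            if [ -L "$entry" ]; then
                target="$(readlink "$entry")"
                if [ ! -e "$entry" ]; then
                    echo "DANGLING: $entry -> $target does not resolve"
                    status=1
                    continue
                fi
                # ssl/certs is itself regenerated by update-ca-certificates, so a
                # blocklist link into it depends on a file the tool may rewrite.
                case "$target" in
                    */ssl/certs/*)
                        echo "MANAGED-TARGET: $entry -> $target (avoid linking into the managed tree)"
                        status=1
                        continue ;;
                esac
            fi
            if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$entry" 2>/dev/null; then
                echo "NOT-PEM: $entry holds no PEM certificate"
                status=1
                continue
            fi
            echo "OK: $entry"
        done
    fi
    return "$status"
}

# make_demo_tree ROOT: a constructed fixture (not real CA material) exercising each finding.
make_demo_tree() {
    local root="$1"
    mkdir -p "$root/blocklist" "$root/blacklist" "$root/ssl/certs" "$root/local"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB-constructed-placeholder-not-a-real-cert' \
        '-----END CERTIFICATE-----' > "$root/local/Example_Root.pem"
    cp "$root/local/Example_Root.pem" "$root/ssl/certs/Distro_Root.pem"
    ln -sf "$root/local/Example_Root.pem"    "$root/blocklist/Example_Root.pem"   # OK
    ln -sf "$root/local/Missing_Root.pem"    "$root/blocklist/Missing_Root.pem"   # DANGLING
    ln -sf "$root/ssl/certs/Distro_Root.pem" "$root/blocklist/Distro_Root.pem"    # MANAGED-TARGET
    ln -sf "$root/local/Example_Root.pem"    "$root/blacklist/Legacy_Root.pem"    # IGNORED
}

case "${1:-}" in
    --demo)
        demo="$(mktemp -d)"
        make_demo_tree "$demo"
        audit_blocklist "$demo"
        rm -rf "$demo" ;;
    *)  audit_blocklist "${1:-$TRUST_ROOT}" ;;
esac
```

Run it with `--demo` to see every finding against the constructed tree, or with no argument (or an explicit directory) to audit the real trust directory; a non-zero exit means at least one entry needs attention, which makes it usable as a check after `update-ca-certificates` alongside `trust list --filter=blocklist`.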