In KeyChain you can manually distrust each certificate but for many certificates this means lots of clicking. The easiest would be to change the "System Defaults" trust level so it never trusts a certificate by default. Question is how to do that or where to find that? Alternatively an automated way to go through all certs and distrust them would be nice. Removing the root store is not possible. It seems it is fairly locked down. Or maybe someone knows where trust settings are saved? The root cert seems to stay untouched when changing trust settings.
Edit: Found it. Looks like Admin.plist (read-write) and SystemTrustSettings.plist (read-only) are responsible and entries in Admin.plist are probably fetched from SystemTrustSettings.plist. The trust level is saved as integer. 3 means distrust, the files have different sections. Changing the last integer seems to change the global option so that all certs are distrusted.
Edit: Found it. Looks like Admin.plist (read-write) and SystemTrustSettings.plist (read-only) are responsible and entries in Admin.plist are probably fetched from SystemTrustSettings.plist. The trust level is saved as integer. 3 means distrust, the files have different sections. Changing the last integer seems to change the global option so that all certs are distrusted.
Last edited: