diff --git a/Linux/nss_revoke.sh b/Linux/nss_revoke.sh
new file mode 100755
index 0000000000000000000000000000000000000000..1a7887c6bc99731c37996babce62e9cedaa0b4a3
--- /dev/null
+++ b/Linux/nss_revoke.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+DBPATH=$1
+CERTS=$2
+
+echo "Revoking CAs in $DBPATH/cert9.db"
+
+for CERT in $CERTS;do
+    # p,p,p: prohibit all use
+    certutil -d sql:${DBPATH} -A -n "${CERT}" -t p,p,p -i ${CERT}
+done
+
+echo "Done"
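Review bot: The exit status of `certutil` inside the loop is never checked and this script has no `set -e`, so a missing database or an unreadable certificate file still ends with "Done" and leaves the user believing the CA is distrusted. Stop on the first failure, for example `certutil -d "sql:${DBPATH}" -A -n "${CERT}" -t p,p,p -i "${CERT}" || exit 1`. That form also quotes the `-d` and `-i` arguments, which are currently open to word splitting and globbing (the file names passed in by revoke-china-certs.sh contain `[` and `]`). Rejecting an empty `$1` or `$2` before the loop, and listing the database with `certutil -L` afterwards, would make the result verifiable instead of assumed.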
diff --git a/Linux/revoke-china-certs.sh b/Linux/revoke-china-certs.sh
new file mode 100755
index 0000000000000000000000000000000000000000..d5870007a0ee70b8a065cf48b3916bfb5d58ffad
--- /dev/null
+++ b/Linux/revoke-china-certs.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+set -e
+
+if [ ${1:-extended} = 'all' ];then
+    echo "Generating ALL CRL set"
+    # TODO: Explicitly distinguish between CA & EE certificates.
+    CA_CERTS=`ls ../Windows/Certs/Online/*.crt`
+    EE_CERTS=`ls ../Windows/Certs/Online/\[Fake\]*.crt`
+    echo "all"
+elif [ ${1:-extended} = 'extended' ];then
+    echo "Generating EXTENDED CRL set"
+    CA_CERTS=`ls ../Windows/Certs/Online/CNNIC_*.crt ../Windows/Certs/Online/China_Internet_Network_Information_Center_EV_Certificates_Root.crt ../Windows/Certs/Online/[Suspicious]WaccBaiduCom.crt ../Windows/Certs/Online/GiantRootCA.crt ../Windows/Certs/Online/CFCA_*.crt  ../Windows/Certs/Online/UCA_*.crt  ../Windows/Certs/Online/[Suspicious]GoAgent_CA.crt`
+    EE_CERTS=`ls ../Windows/Certs/Online/\[Fake\]*.crt`
+elif [ ${1:-extended} = 'restore' ];then
+    echo "Generating RESTORE CRL set"
+    CA_CERTS=''
+    EE_CERTS=''
+else
+    echo "Generating Basic CRL set"
+    CA_CERTS=`ls ../Windows/Certs/Online/CNNIC_*.crt ../Windows/Certs/Online/China_Internet_Network_Information_Center_EV_Certificates_Root.crt ../Windows/Certs/Online/[Suspicious]WaccBaiduCom.crt ../Windows/Certs/Online/GiantRootCA.crt`
+    EE_CERTS=`ls ../Windows/Certs/Online/\[Fake\]*.crt`
+fi
+
+CERTS=`echo $CA_CERTS $EE_CERTS`
+./nss_revoke.sh ${2:-~/.pki/nssdb} "${CERTS}"
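Review bot: The final `else` treats any unrecognised first argument as the Basic set, so a typo such as `al` silently applies the smallest distrust list while the run still reports success. Make the basic set an explicit `elif [ "${1:-extended}" = 'basic' ]; then` and let the fallback be `else echo "unknown set: $1" >&2; exit 2`. The `restore` branch has a similar problem: it sets both lists to empty, so nss_revoke.sh changes nothing, yet it prints "Revoking CAs" and "Done". It should either be implemented or removed. The messages also say "Generating … CRL set" although no CRL is produced, and the `[ ${1:-extended} = … ]` tests should quote the expansion.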