Debian, Ubuntu, and derived systems can flag CNNIC )if they've installed the 'ca-certificates' package) as untrusted themselves using /etc/ca-certificate.conf:

https://www.reddit.com/r/debian/comments/3167je/blacklisting...