Click "System Roots" on the left, find the CA. Right click then "Get Info". Expand the "Trust" section at the top and select "Never Trust".

I have un-trusted the Chinese CNNIC two operating system versions ago (10.5), and it is still set to the same setting. This seems less fragile than deleting the cert to me.

Thanks! If I were IT support, how could I get this to happen on every Mac in the company?

I am also unable to delete it. Which is strange since there is an option to delete it.

If you cannot delete it, you can edit the trust settings to never trust it.

Keychain -> System Roots -> Search for DigiNotar -> Right click delete.

Assert it has been removed by navigating to https://www.diginotar.nl/

Is that what you really want to do?

What's to keep an OS upgrade from restoring the certificate?

A system or user-maintained blacklist seems like a more tenable solution. You don't want to delete the cert, you want to hang a scarlet letter on it. Oh, and not trust it for anything (or better, use it to blacklist any site that attempts to use it).

At least for me there's no such choice as delete in the System Roots keychain. The only thing I can do is to set it to "never trust" and still Chrome/Safari show it as trusted: http://imgur.com/NcUYf

Did you try that and it really removed the CA?

Or is it supposed to remove the trust only but keep the entry?

It removed the entry completely from the Keychain, I am on Lion for reference.

Sanity testing by loading the homepage over HTTPS results in a certificate warning on all browsers (Firefox redirected to HTTP).

Right-click delete is not an option on Snow Leopard, for some reason.

Firefox uses its own CA store, so you need to remove it there too (or wait for the 6.0.1 update).