Solved

NSS certutil "certificate/key database is in an old, unsupported format"

Posted on 2014-01-17
Last Modified: 2014-02-25
Hi Experts,

I'm just trying to use the certutil utility to add a CA cert to my FireFox trusted root store with this command and I'm getting the error message in the subject of this question.

certutil -A -n TrustMe.cer -t "TCu"

The file TrustMe.cer is a valid CA cert, but even if I put an invalid filename in the command line like so, I get the same problem.
certutil -A -n BogusFileThatDoesNotExist.cer -t "TCu"

What's the correct way to do this?
Thank you!
Mike
Question by:thready
Accepted Solution

by:
btan earned 500 total points
ID: 39790305
cert8.db (used to be called cert7.db earlier, and there is also cert9.db latest) is the certificate store for Firefox. It stores the root certificates (and other certificates).

You can query this file to get the list of certificates that are part of Firefox. So maybe we can try to validate cert8.db using certutil query. For example,

1. Copy the cert8.db from your Firefox profile into some directory.
> Your Firefox profile is in ~/.mozilla/firefox/<randomstring>.<profilename> (and typically %APPDATA%\Mozilla\Firefox\Profiles, though you can change it too).
> You copied the file into ~/code/tmp (can be anywhere though)

2. Open a terminal window and cd to ~/code, and type certutil -L -d tmp

3. This will (rightfully) list all the certificates in the cert8.db that is in tmp directory. Note that you do query from the directory where the cert8.db file resides instead.


Next is the rest of the certutil command, and one example can be simply printing the complete certificate chain of any one certificate. If you are querying for certificates with "SomeCAName" (exactly), you can try

certutil -L -n "SomeCAName" -d tmp


If there is an error, the certdb is likely corrupted or not the latest. Probably good to recreate it. Please see this certutil page with examples of the various command options
https://developer.mozilla.org/en/docs/NSS/tools/NSS_Tools_certutil

Actually, I saw another link to certutil that mentions more options
https://developer.mozilla.org/en-US/docs/NSS_reference/NSS_tools_:_certutil

 --upgrade-merge
          Upgrade an old database and merge it into a new
          database. This is used to migrate legacy NSS databases
          (cert8.db and key3.db) into the newer SQLite databases
          (cert9.db and key4.db).
Also for info

  Creating New Security Databases

   Certificates, keys, and security modules related to managing
   certificates are stored in three related databases:
     * cert8.db or cert9.db
     * key3.db or key4.db
     * secmod.db or pkcs11.txt

   These databases must be created before certificates or keys can
   be generated.
certutil -N -d [sql:]directory

Nonetheless, another means to import a CA cert is
http://kb.mozillazine.org/Thunderbird_:_FAQs_:_Import_CA_Certificate
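The directory check from the accepted answer, as an added example that is not part of the original thread: it picks the database prefix from the files actually present in a profile directory and prints a certutil import command with an explicit input file and database directory. The function names are hypothetical; the `-i` option and the `dbm:` prefix are standard certutil usage that the thread itself does not show.

```shell
#!/bin/sh
# Added example (not from the thread): pick the NSS database prefix from the
# files present, then build the import command with explicit -i and -d.

# nss_db_format DIR -> prints "sql", "dbm" or "none"
nss_db_format() {
    dir=$1
    if [ -f "$dir/cert9.db" ]; then
        echo sql    # SQLite format (cert9.db / key4.db); preferred if both exist
    elif [ -f "$dir/cert8.db" ]; then
        echo dbm    # legacy format (cert8.db / key3.db)
    else
        echo none   # no certificate database in this directory
    fi
}

# nss_import_cmd DIR NICKNAME CERTFILE -> prints the certutil command to run
# Returns 2 if the certificate file is missing, 3 if DIR holds no database.
nss_import_cmd() {
    dir=$1
    nick=$2
    cert=$3
    if [ ! -f "$cert" ]; then
        echo "certificate file not found: $cert" >&2
        return 2
    fi
    fmt=$(nss_db_format "$dir")
    if [ "$fmt" = none ]; then
        echo "no NSS database in $dir; create one with: certutil -N -d sql:$dir" >&2
        return 3
    fi
    # Trust flags "TCu" are the ones used in the question.
    printf 'certutil -A -n "%s" -t "TCu" -i "%s" -d %s:%s\n' \
        "$nick" "$cert" "$fmt" "$dir"
}

# Stand-alone use: sh script.sh PROFILE_DIR NICKNAME CERTFILE
if [ "$#" -eq 3 ]; then
    nss_import_cmd "$@"
fi
```

Run it against a copy of the profile directory, as in step 1 of the answer, and review the printed command before executing it.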
Assisted Solution

by:btan
btan earned 500 total points
ID: 39790323
Author Comment

by:thready
ID: 39790588
Thanks a lot breadtan, I'll be able to try your suggestions on Monday.  Have a good weekend.
Author Closing Comment

by:thready
ID: 39885744
Many thanks and sorry for the late reply!