Solved

NSS certutil "certificate/key database is in an old, unsupported format"

Posted on 2014-01-17
Last Modified: 2014-02-25
Hi Experts,

I'm just trying to use the certutil utility to add a CA cert to my Firefox trusted root store with this command, and I'm getting the error message in the subject of this question.

certutil -A -n TrustMe.cer -t "TCu"

The file TrustMe.cer is a valid CA cert, but even if I put an invalid filename in the command line like so, I get the same problem.
certutil -A -n BogusFileThatDoesNotExist.cer -t "TCu"

What's the correct way to do this?
Thank you!
Mike
Question by:thready

Accepted Solution

by:
btan earned 500 total points
ID: 39790305
cert8.db (formerly called cert7.db; cert9.db is the latest) is the certificate store for Firefox. It stores the root certificates (and other certificates).

You can query this file to get the list of certificates that are part of Firefox. So maybe we can try to validate cert8.db using certutil query. For example,

1. Copy the cert8.db from your Firefox profile into some directory.
> Your Firefox profile is in ~/.mozilla/firefox/<randomstring>.<profilename> (and typically %APPDATA%\Mozilla\Firefox\Profiles, though you can change it too).
> You copied the file into ~/code/tmp (can be anywhere though)

2. Open a terminal window and cd to ~/code, and type certutil -L -d tmp

3. This will (rightfully) list all the certificates in the cert8.db that is in tmp directory. Note that you do query from the directory where the cert8.db file resides instead.


Next is the rest of the certutil command. One example is simply printing the complete certificate chain of any one certificate. If you are querying for certificates with "SomeCAName" (exactly), you can try

certutil -L -n "SomeCAName" -d tmp


If there is an error, the certdb is likely corrupted or not the latest. It is probably good to recreate it. Please see this certutil page with examples of the various command options:
https://developer.mozilla.org/en/docs/NSS/tools/NSS_Tools_certutil

Actually, I saw another link to certutil that mentions more options:
https://developer.mozilla.org/en-US/docs/NSS_reference/NSS_tools_:_certutil

 --upgrade-merge
          Upgrade an old database and merge it into a new
          database. This is used to migrate legacy NSS databases
          (cert8.db and key3.db) into the newer SQLite databases
          (cert9.db and key4.db).

Also, for info:

  Creating New Security Databases

   Certificates, keys, and security modules related to managing
   certificates are stored in three related databases:
     * cert8.db or cert9.db
     * key3.db or key4.db
     * secmod.db or pkcs11.txt

   These databases must be created before certificates or keys can
   be generated.

   certutil -N -d [sql:]directory

Nonetheless, another means to import a CA cert is:
http://kb.mozillazine.org/Thunderbird_:_FAQs_:_Import_CA_Certificate
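
Added example, not part of the thread and not NSS project code: a shell helper that picks the dbm: or sql: prefix from the database files named in the answer above (cert8.db or cert9.db) and composes the import command with an explicit -d and -i, both of which the command in the question omits. The function names, the "TrustMe" nickname and the temporary paths are assumptions; the trust string "TCu" is taken from the question.

```shell
#!/bin/sh
# Added example: choose the NSS database prefix for a profile directory and
# compose a certutil import command with explicit -d (database) and -i (input).

# Print "sql:" when the SQLite database (cert9.db) is present, "dbm:" when
# only the legacy database (cert8.db) is present; fail when neither exists.
nss_db_prefix() {
    dir=$1
    if [ -f "$dir/cert9.db" ]; then
        echo "sql:"
    elif [ -f "$dir/cert8.db" ]; then
        echo "dbm:"
    else
        echo "no cert8.db or cert9.db in $dir" >&2
        return 1
    fi
}

# Print the certutil command that adds CA certificate file $3 under
# nickname $2 with trust flags $4 to the database in directory $1.
build_import_cmd() {
    prefix=$(nss_db_prefix "$1") || return 1
    [ -r "$3" ] || { echo "cannot read certificate file $3" >&2; return 1; }
    printf 'certutil -A -n "%s" -t "%s" -i "%s" -d "%s%s"\n' \
        "$2" "$4" "$3" "$prefix" "$1"
}

# Constructed demo: empty placeholder files stand in for real databases and
# for the certificate, so this only prints commands and never runs certutil.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/legacy" "$tmp/modern"
    : > "$tmp/legacy/cert8.db"
    : > "$tmp/modern/cert8.db"; : > "$tmp/modern/cert9.db"
    : > "$tmp/TrustMe.cer"
    build_import_cmd "$tmp/legacy" "TrustMe" "$tmp/TrustMe.cer" "TCu"
    build_import_cmd "$tmp/modern" "TrustMe" "$tmp/TrustMe.cer" "TCu"
    rm -rf "$tmp"
}
demo
```

Run the printed command against a copy of the profile first and confirm the result with certutil -L -d using the same prefix and directory.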

Assisted Solution

by:btan
btan earned 500 total points
ID: 39790323

Author Comment

by:thready
ID: 39790588
Thanks a lot breadtan, I'll be able to try your suggestions on Monday.  Have a good weekend.

Author Closing Comment

by:thready
ID: 39885744
Many thanks and sorry for the late reply!