Solved

NSS certutil "certificate/key database is in an old, unsupported format"

Posted on 2014-01-17
Last Modified: 2014-02-25
Hi Experts,

I'm just trying to use the certutil utility to add a CA cert to my Firefox trusted root store with this command, and I'm getting the error message in the subject of this question.

certutil -A -n TrustMe.cer -t "TCu"

The file TrustMe.cer is a valid CA cert, but even if I put an invalid filename in the command line like so, I get the same problem.
certutil -A -n BogusFileThatDoesNotExist.cer -t "TCu"

What's the correct way to do this?
Thank you!
Mike
Question by:thready
Accepted Solution

by:
btan earned 500 total points
ID: 39790305
cert8.db (previously called cert7.db; the latest is cert9.db) is the certificate store for Firefox. It stores the root certificates (and other certificates).

You can query this file to get the list of certificates that are part of Firefox. So maybe we can try to validate cert8.db using certutil query. For example,

1. Copy the cert8.db from your Firefox profile into some directory.
> Your Firefox profile is in ~/.mozilla/firefox/<randomstring>.<profilename> (and typically %APPDATA%\Mozilla\Firefox\Profiles, though you can change it too).
> You copied the file into ~/code/tmp (can be anywhere though)

2. Open a terminal window and cd to ~/code, and type certutil -L -d tmp

3. This will (rightfully) list all the certificates in the cert8.db that is in tmp directory. Note that you do query from the directory where the cert8.db file resides instead.


Next is the rest of the certutil command. One example is simply printing the complete certificate chain of any one certificate. If you are querying for certificates named exactly "SomeCAName", you can try

certutil -L -n "SomeCAName" -d tmp


If there is an error, the certdb is likely corrupted or not the latest. It is probably good to recreate it. Please see this certutil page, with examples of the various command options:
https://developer.mozilla.org/en/docs/NSS/tools/NSS_Tools_certutil

Actually, I saw another link to certutil that mentions more options:
https://developer.mozilla.org/en-US/docs/NSS_reference/NSS_tools_:_certutil

 --upgrade-merge
          Upgrade an old database and merge it into a new
          database. This is used to migrate legacy NSS databases
          (cert8.db and key3.db) into the newer SQLite databases
          (cert9.db and key4.db).
Also for info

  Creating New Security Databases

   Certificates, keys, and security modules related to managing
   certificates are stored in three related databases:
     * cert8.db or cert9.db
     * key3.db or key4.db
     * secmod.db or pkcs11.txt

   These databases must be created before certificates or keys can
   be generated.
certutil -N -d [sql:]directory

Nonetheless, another means to import a CA cert is
http://kb.mozillazine.org/Thunderbird_:_FAQs_:_Import_CA_Certificate
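
Added example (not code from this thread or from the NSS project): the commands in the question pass no `-d` database directory and no `-i` input file, and `-n` is only a nickname, which is why a bogus filename gives the same error. The sketch below picks the `sql:` or `dbm:` prefix from the files found in a profile directory and prints the matching import command; the function names, the `-i` flag and the `C,,` trust string are assumptions that do not appear in the thread.

```shell
#!/bin/sh
# Added example: choose the NSS database prefix for a profile directory and
# print (not run) the certutil command that imports a CA certificate into it.

# Echo "sql:<dir>" for cert9.db (SQLite) or "dbm:<dir>" for legacy cert8.db.
# Assumption: when both exist, the newer SQLite database is preferred.
nss_db_spec() {
    nss_dir=$1
    if [ -f "$nss_dir/cert9.db" ]; then
        # A real cert9.db is a SQLite file and starts with this magic string.
        nss_magic=$(head -c 15 "$nss_dir/cert9.db" 2>/dev/null)
        if [ "$nss_magic" = "SQLite format 3" ]; then
            echo "sql:$nss_dir"
            return 0
        fi
        echo "cert9.db in $nss_dir is not a SQLite file" >&2
        return 2
    fi
    if [ -f "$nss_dir/cert8.db" ]; then
        echo "dbm:$nss_dir"
        return 0
    fi
    echo "no cert8.db or cert9.db in $nss_dir" >&2
    return 1
}

# Usage: nss_add_ca_cmd <profile-dir> <nickname> <cert-file>
nss_add_ca_cmd() {
    # -n is only the nickname stored in the database; the file goes to -i,
    # so check the file here instead of letting a typo pass silently.
    if [ ! -f "$3" ]; then
        echo "certificate file not found: $3" >&2
        return 3
    fi
    nss_spec=$(nss_db_spec "$1") || return $?
    # "C,," (assumed trust string): trusted CA for SSL only.
    printf "certutil -A -d '%s' -n '%s' -t '%s' -i '%s'\n" \
        "$nss_spec" "$2" "C,," "$3"
}

# Demo on a constructed directory with empty placeholder files.
demo=$(mktemp -d)
: > "$demo/cert8.db"
: > "$demo/TrustMe.cer"
nss_add_ca_cmd "$demo" "TrustMe CA" "$demo/TrustMe.cer"
rm -rf "$demo"
```

The functions only print the command; run it yourself once the prefix and paths look right.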
Author Comment

by:thready
ID: 39790588
Thanks a lot breadtan, I'll be able to try your suggestions on Monday.  Have a good weekend.
Author Closing Comment

by:thready
ID: 39885744
Many thanks and sorry for the late reply!