Solved

NSS certutil "certificate/key database is in an old, unsupported format"

Posted on 2014-01-17
Last Modified: 2014-02-25
Hi Experts,

I'm just trying to use the certutil utility to add a CA cert to my Firefox trusted root store with this command and I'm getting the error message in the subject of this question.

certutil -A -n TrustMe.cer -t "TCu"

The file TrustMe.cer is a valid CA cert, but even if I put an invalid filename in the command line like so, I get the same problem.
certutil -A -n BogusFileThatDoesNotExist.cer -t "TCu"

What's the correct way to do this?
Thank you!
Mike
Question by:thready

Accepted Solution

by:
btan earned 500 total points
ID: 39790305
cert8.db (earlier called cert7.db; the latest is cert9.db) is the certificate store for Firefox. It stores the root certificates (and other certificates).

You can query this file to get the list of certificates that are part of Firefox. So maybe we can try to validate cert8.db using certutil query. For example,

1. Copy the cert8.db from your Firefox profile into some directory.
> Your Firefox profile is in ~/.mozilla/firefox/<randomstring>.<profilename> (and typically %APPDATA%\Mozilla\Firefox\Profiles, though you can change it too).
> You copied the file into ~/code/tmp (can be anywhere though)

2. Open a terminal window and cd to ~/code, and type certutil -L -d tmp

3. This will (rightfully) list all the certificates in the cert8.db that is in the tmp directory. Note that you do query from the directory where the cert8.db file resides instead.


Next is the rest of the certutil command; one example is simply printing the complete certificate chain of any one certificate. If you are querying for certificates with "SomeCAName" (exactly), you can try

certutil -L -n "SomeCAName" -d tmp


If there is an error, likely the certdb is corrupted or not the latest. Probably good to recreate it. Please see this certutil page with examples of the various command options
https://developer.mozilla.org/en/docs/NSS/tools/NSS_Tools_certutil

Actually I saw another link to certutil with mention of more options
https://developer.mozilla.org/en-US/docs/NSS_reference/NSS_tools_:_certutil

 --upgrade-merge
          Upgrade an old database and merge it into a new
          database. This is used to migrate legacy NSS databases
          (cert8.db and key3.db) into the newer SQLite databases
          (cert9.db and key4.db).
Also for info

  Creating New Security Databases

   Certificates, keys, and security modules related to managing
   certificates are stored in three related databases:
     * cert8.db or cert9.db
     * key3.db or key4.db
     * secmod.db or pkcs11.txt

   These databases must be created before certificates or keys can
   be generated.
certutil -N -d [sql:]directory

Nonetheless, another means to import a CA cert is
http://kb.mozillazine.org/Thunderbird_:_FAQs_:_Import_CA_Certificate
0
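
Added example, not part of the original thread or of btan's answer: a shell wrapper that picks the database format from the files present in the profile directory (cert9.db gives sql:, cert8.db gives dbm:) and passes certutil an explicit -d directory and -i input file, both of which the command in the question lacks. The function names, exit codes and the "TC,," trust string are assumptions of this example; the profile path, certificate file and nickname are supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the thread).
# Usage: sh import-ca.sh PROFILE_DIR CERT_FILE NICKNAME

# Print the NSS database prefix for a profile directory:
#   sql: when the SQLite store (cert9.db) is present,
#   dbm: when only the legacy store (cert8.db) is present.
# Returns 1 when the directory holds no certificate database at all.
nss_db_prefix() {
    if [ -f "$1/cert9.db" ]; then
        printf 'sql:'
    elif [ -f "$1/cert8.db" ]; then
        printf 'dbm:'
    else
        return 1
    fi
}

# import_ca PROFILE_DIR CERT_FILE NICKNAME
# Exit codes (assumed by this example): 2 unreadable cert file,
# 3 no database in the directory, 4 certutil -A failed.
import_ca() {
    profile=$1 cert=$2 nick=$3
    [ -r "$cert" ] || { echo "cannot read certificate file: $cert" >&2; return 2; }
    prefix=$(nss_db_prefix "$profile") || {
        echo "no cert8.db or cert9.db in $profile" >&2; return 3; }
    # -d database directory, -n nickname stored in the database,
    # -i certificate file to read, -t trust flags in the order
    # SSL,S/MIME,code-signing. "TC,," keeps the T and C flags from the
    # question and applies them to SSL only.
    certutil -A -d "$prefix$profile" -n "$nick" -t "TC,," -i "$cert" || return 4
    # Confirm the entry is now listed under that nickname.
    certutil -L -d "$prefix$profile" -n "$nick" >/dev/null
}

# Run only when called with the three arguments.
if [ "$#" -eq 3 ]; then
    import_ca "$@"
fi
```

Close Firefox before running it against a live profile so the browser does not overwrite the database on exit.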
 

Assisted Solution

by:btan
btan earned 500 total points
ID: 39790323

Author Comment

by:thready
ID: 39790588
Thanks a lot breadtan, I'll be able to try your suggestions on Monday.  Have a good weekend.

Author Closing Comment

by:thready
ID: 39885744
Many thanks and sorry for the late reply!