• Status: Solved

NSS certutil "certificate/key database is in an old, unsupported format"

Hi Experts,

I'm just trying to use the certutil utility to add a CA cert to my Firefox trusted root store with this command and I'm getting the error message in the subject of this question.

certutil -A -n TrustMe.cer -t "TCu"

The file TrustMe.cer is a valid CA cert, but even if I put an invalid filename in the command line like so, I get the same problem.
certutil -A -n BogusFileThatDoesNotExist.cer -t "TCu"

What's the correct way to do this?
Thank you!
Mike
Asked by: thready
2 Solutions
 
btan (Exec Consultant) commented:
cert8.db (formerly called cert7.db; the latest is cert9.db) is the certificate store for Firefox. It stores the root certificates (and other certificates).

You can query this file to get the list of certificates that are part of Firefox. So maybe we can try to validate cert8.db using certutil query. For example,

1. Copy the cert8.db from your Firefox profile into some directory.
> Your Firefox profile is in ~/.mozilla/firefox/<randomstring>.<profilename> (and typically %APPDATA%\Mozilla\Firefox\Profiles, though you can change it too).
> You copied the file into ~/code/tmp (can be anywhere though)

2. Open a terminal window and cd to ~/code, and type certutil -L -d tmp

3. This will (rightfully) list all the certificates in the cert8.db that is in tmp directory. Note that you do query from the directory where the cert8.db file resides instead.


Next is the rest of the certutil command, and one example can be simply printing the complete certificate chain of any one certificate. If you are querying for certificates with "SomeCAName" (in exact), you can try

certutil -L -n "SomeCAName" -d tmp


If there is an error, the cert DB is likely corrupted or not the latest. It is probably good to recreate it. Please see this certutil page with examples of the various command options:
https://developer.mozilla.org/en/docs/NSS/tools/NSS_Tools_certutil

Actually, I saw another link to certutil that mentions more options:
https://developer.mozilla.org/en-US/docs/NSS_reference/NSS_tools_:_certutil

 --upgrade-merge
          Upgrade an old database and merge it into a new
          database. This is used to migrate legacy NSS databases
          (cert8.db and key3.db) into the newer SQLite databases
          (cert9.db and key4.db).
Also, for info:

  Creating New Security Databases

   Certificates, keys, and security modules related to managing
   certificates are stored in three related databases:
     * cert8.db or cert9.db
     * key3.db or key4.db
     * secmod.db or pkcs11.txt

   These databases must be created before certificates or keys can
   be generated.
certutil -N -d [sql:]directory

Nonetheless, another means to import a CA cert is:
http://kb.mozillazine.org/Thunderbird_:_FAQs_:_Import_CA_Certificate
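
As an added example (not part of the answer above, and not Mozilla's code): a shell helper that picks the `sql:` or `dbm:` prefix from the database file found in a profile directory, then passes the certificate file with `-i` and the database with `-d`, both of which the command in the question omits. The function names, the `CERTUTIL` override and the choice to prefer cert9.db when both files exist are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: import a CA certificate into an NSS database with the
# database directory (-d) and input file (-i) given explicitly.
# CERTUTIL may be overridden for a dry run (assumption of this example).
CERTUTIL="${CERTUTIL:-certutil}"

# Print "sql:<dir>" when the directory holds cert9.db (SQLite format) or
# "dbm:<dir>" when it only holds cert8.db (legacy format).
# Assumption: prefer cert9.db when both files are present.
# Returns 1 when neither database file exists.
nss_db_spec() {
    dir=$1
    if [ -f "$dir/cert9.db" ]; then
        printf 'sql:%s\n' "$dir"
    elif [ -f "$dir/cert8.db" ]; then
        printf 'dbm:%s\n' "$dir"
    else
        echo "no cert8.db or cert9.db in $dir" >&2
        echo "create a database first: certutil -N -d sql:$dir" >&2
        return 1
    fi
}

# import_ca <profile_dir> <cert_file> <nickname> [trust]
# Trust defaults to the "TCu" value used in the question.
# Returns 2 if the certificate file is missing, 1 if no database is found,
# 3 if certutil -A fails; otherwise lists the stored certificate back.
import_ca() {
    dir=$1 cert=$2 nick=$3 trust=${4:-TCu}
    [ -f "$cert" ] || { echo "certificate file not found: $cert" >&2; return 2; }
    spec=$(nss_db_spec "$dir") || return 1
    "$CERTUTIL" -A -n "$nick" -t "$trust" -i "$cert" -d "$spec" || return 3
    "$CERTUTIL" -L -n "$nick" -d "$spec"
}
```

Close Firefox before writing to a live profile, or work on a copy of the profile directory as the answer suggests.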
 
thready (Author) commented:
Thanks a lot breadtan, I'll be able to try your suggestions on Monday. Have a good weekend.
 
thready (Author) commented:
Many thanks and sorry for the late reply!
