certutil and cert8.db in Firefox

Using certutil to print cert8.db

This is a small post explaining how to use certutil with cert8.db. It is especially useful if you run into the error "certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format."

  1. What is the cert8.db?
    1. cert8.db is the certificate store for Firefox. It was called cert7.db in earlier versions, but current versions of Firefox store the root certificates (and other certificates) in this file
  2. Why does this matter?
    1. This file is similar to the Windows certificate store, which holds the SSL certificates for a Windows machine. Because Firefox is cross-platform, it stores its certificates in its own file (much as Java does with a JKS keystore)
  3. Why do I care about the cert8.db?
    1. You can query this file to get the list of certificates that are part of Firefox
  4. How do I install this?
    1. On Ubuntu machines, run: sudo apt-get install libnss3-tools
    2. On Windows machines, you can download the certutil.exe from here
    3. For Windows, you can also check this SUMO link
  5. So, how do I query the cert8.db?
    1. Copy the cert8.db from your Firefox profile into some directory. Your Firefox profile is in ~/.mozilla/firefox/<randomstring>.<profilename> on Linux (and typically %APPDATA%\Mozilla\Firefox\Profiles on Windows, though the location can be changed). Say you copied the file into ~/code/tmp
    2. Then you open a terminal window and cd to ~/code
    3. Now type certutil -L -d tmp
    4. This will list all the certificates in the cert8.db that is in the tmp directory
  6. So, as you may have noticed, you don't query the cert8.db file itself; rather, you point certutil at the directory that contains it
  7. The above command will list all the root certificates within the cert8.db
  8. If you want to print the complete certificate chain of any one certificate, say DigiCert High Assurance EV CA-1:
    1. certutil -L -n "DigiCert High Assurance EV CA-1" -d tmp
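The procedure above (steps 5 through 8) as one script, added here as an example and not part of the original post. It copies the database out of the profile and then passes certutil a dbm: or sql: prefix on -d depending on which files it finds; the bare directory form used above lets certutil fall back to its compiled-in default, which on current NSS is the sql: format and is what produces the SEC_ERROR_LEGACY_DATABASE error mentioned at the top when only a cert8.db is present. The profile path argument and the scratch directory are assumptions, and certutil from libnss3-tools must be on PATH.

```shell
#!/bin/sh
# Added example, not code from the original post: copy a Firefox profile's
# certificate database into a scratch directory and list it with certutil,
# picking the database-type prefix that matches the files actually present.
# Assumes certutil (libnss3-tools) is on PATH; the profile directory is $1.
set -eu

# nss_db_spec DIR: print the -d argument certutil needs for DIR.
# cert8.db/key3.db is the legacy Berkeley DB format ("dbm:"); cert9.db/key4.db
# is the SQLite format ("sql:"). A bare directory makes certutil use its
# compiled-in default, which on current NSS is sql: and fails with
# SEC_ERROR_LEGACY_DATABASE when the directory holds only a cert8.db.
nss_db_spec() {
    if [ -f "$1/cert9.db" ]; then
        printf 'sql:%s\n' "$1"
    elif [ -f "$1/cert8.db" ]; then
        printf 'dbm:%s\n' "$1"
    else
        return 1            # neither format present
    fi
}

# copy_cert_db PROFILE DEST: copy the cert/key database files out of the
# profile so certutil never opens the live database Firefox is using.
copy_cert_db() {
    mkdir -p "$2"
    found=0
    for f in cert8.db key3.db cert9.db key4.db; do
        [ -f "$1/$f" ] && cp "$1/$f" "$2/" && found=1
    done
    [ "$found" -eq 1 ]
}

# list_certs PROFILE [NICKNAME]: list all nicknames, or dump one certificate
# (certutil -L -n) the way the post does for "DigiCert High Assurance EV CA-1".
list_certs() {
    work=$(mktemp -d)
    copy_cert_db "$1" "$work"
    spec=$(nss_db_spec "$work")
    if [ -n "${2:-}" ]; then
        certutil -L -n "$2" -d "$spec"
    else
        certutil -L -d "$spec"
    fi
    rm -rf "$work"
}

# Usage: sh list_firefox_certs.sh ~/.mozilla/firefox/xxxxxxxx.default ["Nickname"]
if [ $# -gt 0 ]; then list_certs "$@"; fi
```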

Hope this is useful for you to check the usage of certutil