This is a small post explaining how to use certutil with cert8.db. It is especially useful if you run into the error
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
- What is the cert8.db?
- cert8.db is the certificate store for Firefox. Earlier versions called it cert7.db, and the latest versions of Firefox store the root certificates (and other certificates) in this file
- Why does this matter?
- This file plays the same role as the Windows certificate store, which holds the SSL certificates for the whole machine. As Firefox is cross-platform, it stores its certificates in its own file (much as Java does with a jks keystore)
- Why do I care about the cert8.db?
- You can query this file to get the list of certificates that Firefox holds
- How do I install this?
- On Ubuntu machines, you can do this
sudo apt-get install libnss3-tools
- On Windows machines, you can download the certutil.exe from here
- For Windows, you can also check this SUMO link
- So, how do I query the cert8.db?
- Copy the cert8.db from your Firefox profile into some directory. Your Firefox profile is in ~/.mozilla/firefox/<randomstring>.<profilename> on Linux (and typically %APPDATA%\Mozilla\Firefox\Profiles on Windows, though the location can be changed). Say you copied the file into ~/code/tmp
- Then you open a terminal window and cd to ~/code
- Now type
certutil -L -d tmp
- This will list all the certificates in the cert8.db that is in the tmp directory
- So, note that you don't query the cert8.db file itself; you point certutil at the directory that the cert8.db file is in
- The above command lists all the root certificates within the cert8.db
- If you want to print the complete certificate chain for any one certificate, say DigiCert High Assurance EV CA-1
certutil -L -n "DigiCert High Assurance EV CA-1" -d tmp
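The listing that `certutil -L` prints is a two-column table (nickname, then SSL,S/MIME,JAR/XPI trust flags), and the thing a practitioner usually wants from it is which entries the store trusts as SSL CAs. The script below is an added example, not code from the original post: it parses a constructed sample of that table offline and wraps the two certutil invocations from the post; the profile directory, nicknames and function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): parse the table that
# `certutil -L -d <dir>` prints and pick out the certificates the store
# trusts as SSL CAs. Paths and nicknames below are assumptions.

# Constructed sample of a `certutil -L` listing, not captured from a real
# profile. Columns: nickname, then trust flags as SSL,S/MIME,JAR/XPI.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

DigiCert High Assurance EV Root CA                           CT,C,C
Builtin Object Token:Example Corp Root                       C,C,C
corp-proxy-root                                              CT,,
old-expired-ca                                               ,,
my-client-cert                                               u,u,u
'

# list_certs: read a listing on stdin and print "nickname<TAB>flags" for each
# certificate line. Nicknames may contain spaces, so the flags are taken as
# the last field and recognised by their x,y,z shape; header lines do not match.
list_certs() {
    awk 'NF >= 2 && $NF ~ /^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$/ {
        flags = $NF; $NF = ""; sub(/[ \t]+$/, "")
        print $0 "\t" flags
    }'
}

# trusted_ssl_cas: nicknames whose SSL field carries "C", i.e. certificates
# Firefox would accept as issuers of server certificates. A "C" on a
# nickname you do not recognise is the entry worth investigating.
trusted_ssl_cas() {
    list_certs | awk -F'\t' '{ split($2, f, ","); if (f[1] ~ /C/) print $1 }'
}

# ssl_trust_of NICK: the SSL trust field of one certificate ("" if untrusted).
ssl_trust_of() {
    list_certs | awk -F'\t' -v n="$1" '$1 == n { split($2, f, ","); print f[1] }'
}

# Wrappers around the real tool for a copied profile directory (assumed path).
# NSS opens cert8.db/key3.db as "dbm:" and the newer cert9.db/key4.db as "sql:".
firefox_listing() {
    if [ -f "$1/cert9.db" ]; then certutil -L -d "sql:$1"; else certutil -L -d "dbm:$1"; fi
}
# Print one certificate in PEM form: the -n query from the post plus -a.
export_cert_pem() { certutil -L -d "$1" -n "$2" -a; }

# Example usage on the constructed sample:
printf '%s\n' "$SAMPLE_LISTING" | trusted_ssl_cas
```

Pipe `firefox_listing ~/code/tmp` into `trusted_ssl_cas` to run the same check against a real copied profile.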
Hope this is useful as a quick reference for using certutil