Certutil: function failed: SEC_ERROR_LEGACY_DATABASE: certificate / key database is in old, unsupported format

I downloaded a verified (not self-signed) S/MIME certificate from Iceweasel (Firefox), which was saved in cert8.db (the certificate store for Firefox). Then I used:

certutil -L -d <path_to_folder_that_cert8.db_resides>

      

to list the certificates and then I extracted the .p12 file using the name of my certificate certutil gave me:

pk12util -o mycertfile.p12 -n "<name_found_from_certutil>" -d <path_to_folder_that_cert8.db_resides>

      

The problem is that I have lost access to the PC where the p12 was saved, and now I only have a copy of cert8.db on another computer. Thus, I repeated the process above (the certutil and pk12util commands), but certutil failed:

certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.

      

I tried desperately on three different computers, including one with an identical OS version and libnss3-tools (for example, the initial desktop where I successfully extracted p12):

$ uname -a 
Linux commander 3.16.0-4-amd64 #1 SMP Debian 3.16.7-2 (2014-11-06) x86_64 GNU/Linux 

      

libnss3-tools version: 2:3.17.2-1

Any thoughts?

Thanks

+3




4 answers


The error message is rather cryptic. I got a similar error using certutil -L to get the list of certificates in a cert8.db file.

Now I have found why the command was not working. -L cannot work with only cert8.db in the folder. It also depends on the other two files, key3.db and secmod.db. Therefore, -L works only in a folder where all 3 of the above files are present. And so the -d parameter takes the path to the folder, not to the cert8.db file.

I tried certutil by copying cert8.db from the Firefox profile folder to a temp directory.

I noticed this when certutil -A succeeded but -L failed, and the successful -A command created the two other files in this temp folder.



Also check whether the directory path contains any spaces. With a space, it gives the same error, or "file format error - old database format", etc. On Mac OS especially, the folder is located inside the "Application Support" folder, which contains a space in its name. Therefore, the path must be specified in full:

"/Users/myuser/Library/Application Support/Firefox/Profiles/jii912uh.default"

      

or add the \ escape character.

 /Users/myuser/Library/Application\ Support/Firefox/Profiles/jii912uh.default

      

+7




Over the years the database has been migrated from flat files to Berkeley DB, and now to SQLite in 3.12. Prefix the directory name with sql: and enclose it in quotes to get around spaces:

certutil -L -d "sql:${HOME}/.pki/nssdb"

      



For reference, here's the Mozilla NSS roadmap.

+8




This error also occurs if you are trying to query the certificate database in a location that you do not have access to and did not use sudo.

+3




I needed to restore the entire .mozilla directory in order to run certutil successfully. The cert8.db file must be in the original directory.

+1
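
A pre-flight check that combines the points from the answers above: all three legacy files present, an accessible directory, an explicit database prefix, and a path that survives spaces. This is an added example, not part of the original posts; the function names are hypothetical, and cert9.db, key4.db and the dbm: prefix (the NSS SQLite file names and the legacy-format prefix) are not mentioned in the posts.

```shell
#!/bin/sh
# Added example: classify an NSS database directory before pointing certutil at it.
# Function names are hypothetical; the file names are the NSS on-disk names.

# Print the legacy (dbm) files missing from directory $1, space separated.
# key3.db holds the private keys, so a copy of cert8.db alone is not enough
# for pk12util to export a .p12.
nss_missing_dbm() {
    missing=""
    for f in cert8.db key3.db secmod.db; do
        [ -f "$1/$f" ] || missing="$missing $f"
    done
    printf '%s' "${missing# }"
}

# Print one of: unreadable, sql, dbm, dbm-incomplete, none
nss_db_format() {
    dir=$1
    # Missing directory or no permission to read/traverse it (the sudo case).
    if [ ! -d "$dir" ] || [ ! -r "$dir" ] || [ ! -x "$dir" ]; then
        echo unreadable; return
    fi
    # SQLite format: cert9.db + key4.db
    if [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ]; then
        echo sql; return
    fi
    # Legacy format: all three files must sit in the same directory.
    if [ -z "$(nss_missing_dbm "$dir")" ]; then
        echo dbm; return
    fi
    if [ -f "$dir/cert8.db" ] || [ -f "$dir/key3.db" ]; then
        echo dbm-incomplete; return
    fi
    echo none
}

# Print the value for certutil/pk12util -d, with an explicit format prefix.
# Fails (status 1) when the directory cannot be opened as either format.
nss_db_arg() {
    case $(nss_db_format "$1") in
        sql) printf 'sql:%s' "$1" ;;
        dbm) printf 'dbm:%s' "$1" ;;
        *)   return 1 ;;
    esac
}

# Usage (PROFILE is a placeholder); the quotes keep a path with spaces intact:
#   certutil -L -d "$(nss_db_arg "$HOME/.mozilla/firefox/PROFILE")"
```
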
