Firefox 58.0.2 64bit is not using cert8.db for CA Certificates
I have installed Firefox 58.0.2 64bit on Windows 10 64bit creator's edition. Then I installed custom CA certificate using NSS CertUtil (https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil). But Firefox is not showing CA certificate in list under security settings and not using it. I confirmed using CertUtil that its present there in cert8.db.
Muudetud
Valitud lahendus
You need the sql: prefix.
certutil supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt). NSS recognizes the following prefixes: sql: requests the newer database dbm: requests the legacy database
See also:
- https://blogs.oracle.com/meena/whats-new-in-nss-312-new-shared-dbs
- https://wiki.mozilla.org/NSS_Shared_DB
All Replies (12)
Are you sure it's the exact same file, i.e., in the same profile folder? Once a profile is created, that profile's cert8.db file is independent from any other cert8.db file on the system.
I only have single default profile. There is only cert8.db file. Though there is another cert9.db file in same default profile.
NSS CertUtil is able to install certificate in Firefox 56 but its broken in Firefox 57 and 58.
Interestingly, if I install CA cert using CertUtil in Firefox 56 and then update Firefox to 57 or 58, its working fine. But the fresh installation of Firefox 58 are not able to use cert8.db for CA certs.
Firefox 58 doesn't have cert8.db when installed fresh. It only has cert9.db.
This is consistently reproducible and fairly easy.
Muudetud
Hmm, these are paired:
- cert8.db / key3.db
- cert9.db / key4.db
My key3.db/key4.db/cert8.db all show a last modified time of 6:05 PM Pacific on Feb. 12th when I was answering questions on this forum. cert9.db has been updated more recently. By that time, I already had Firefox 58.0.2 for 4 days.
Was I experimenting with a preference in about:config (other than what I was posting about, which was network.captive-portal-service.enabled)? I can't see what else might have triggered a switch.
Anyway, you may need to modify both cert8.db and cert9.db if it's not predictable which one the user currently is using.
Aha, I think at that time I enabled the Password Manager on the Options page -- I generally do not use it -- and that may have triggered an update from use of key3.db to key4.db. That probably affected both logins.json and cert8.db=>cert9.db. I suspect if I had not done that, my Firefox would still be using cert8.db.
I think that is a recent (Firefox 57 or 58) change. So depending on user settings, you may find a mix of cert8.db and cert9.db and need to handle both.
I am using CertUtil (https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil) to install certificate. How do I handle it using this?
Also If I remove cert8.db and key3.db from profile, CertUtil fails to install certificate.
Hi ajitsinghh, this could have something useful:
https://developer.mozilla.org/docs/Mozilla/Projects/NSS/Reference/NSS_tools_:_certutil
Valitud lahendus
You need the sql: prefix.
certutil supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt). NSS recognizes the following prefixes: sql: requests the newer database dbm: requests the legacy database
See also:
Thanks COR-EL. Exactly what I needed :-)
Can you please write the command you using?
"What i need" is nice but not very helpful :-) Having same problem like you.
trying to import certificates with certutil and firefox Quantum versions.
thanks!
To Install in sqlite3 (cert9) DB: certutil.exe -A -t "<trust_type>" -i "<cert_file>" -d "sql:<profile_path>"
To Install in default Berkeley (cert8) DB: certutil.exe -A -t "<trust_type>" -i "<cert_file>" -d "<profile_path>"
Thank you... but my case i get certutil: NSS_Initialize failed: security library: bad database
May you having another certutil version like me i think...
I got the Files from: http://ftp.mozilla.org/pub/nspr/releases/v4.6/WINNT5.0_OPT.OBJ/ http://ftp.mozilla.org/pub/security/nss/releases/NSS_3_11_RTM/WINNT5.0_OPT.OBJ/
and copied the lib and bin from both together to one folder. Of course this are older versions, but the newest i found on web... may you using newer versions from different download locations?
However my command was certutil -A -n "Certficate Publisher" -i "MyCert.cer" -t CT,c,C -d "sql:C:\Users\MyUsername\AppData\Roaming\Mozilla\Firefox\Profiles\profileID.default"
it seems that "my" certutil.exe is not capable of parameter "sql" therefore i think it's a version conflict.
However much sad enugh that mozilla doesnt care about this. No useful informations there for their new "grand browser"
Muudetud
You can check the current versions of these Libraries on the about:support page. NSS 3.11 is really to old (current = 3.35/36). You would normally compile NSS yourself to get the latest version if there are no binaries available for your platform.