Join the AMA (Ask Me Anything) with the Firefox leadership team to celebrate Firefox 20th anniversary and discuss Firefox’s future on Mozilla Connect. Mark your calendar on Thursday, November 14, 18:00 - 20:00 UTC!

This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

ابحث في الدعم

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Firefox 58.0.2 64bit is not using cert8.db for CA Certificates

  • 12 ردًا
  • 3 have this problem
  • 3 views
  • آخر ردّ كتبه cor-el

more options

I have installed Firefox 58.0.2 64bit on Windows 10 64bit creator's edition. Then I installed custom CA certificate using NSS CertUtil (https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil). But Firefox is not showing CA certificate in list under security settings and not using it. I confirmed using CertUtil that its present there in cert8.db.

I have installed Firefox 58.0.2 64bit on Windows 10 64bit creator's edition. Then I installed custom CA certificate using NSS CertUtil (https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil). But Firefox is not showing CA certificate in list under security settings and not using it. I confirmed using CertUtil that its present there in cert8.db.

Modified by ajitsinghh

الحل المُختار

You need the sql: prefix.

certutil supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt).

NSS recognizes the following prefixes:
 sql: requests the newer database
 dbm: requests the legacy database

See also:

Read this answer in context 👍 3

All Replies (12)

more options

Are you sure it's the exact same file, i.e., in the same profile folder? Once a profile is created, that profile's cert8.db file is independent from any other cert8.db file on the system.

more options

I only have single default profile. There is only cert8.db file. Though there is another cert9.db file in same default profile.

NSS CertUtil is able to install certificate in Firefox 56 but its broken in Firefox 57 and 58.

Interestingly, if I install CA cert using CertUtil in Firefox 56 and then update Firefox to 57 or 58, its working fine. But the fresh installation of Firefox 58 are not able to use cert8.db for CA certs.

Firefox 58 doesn't have cert8.db when installed fresh. It only has cert9.db.

This is consistently reproducible and fairly easy.

Modified by ajitsinghh

more options

Hmm, these are paired:

  • cert8.db / key3.db
  • cert9.db / key4.db

My key3.db/key4.db/cert8.db all show a last modified time of 6:05 PM Pacific on Feb. 12th when I was answering questions on this forum. cert9.db has been updated more recently. By that time, I already had Firefox 58.0.2 for 4 days.

Was I experimenting with a preference in about:config (other than what I was posting about, which was network.captive-portal-service.enabled)? I can't see what else might have triggered a switch.

Anyway, you may need to modify both cert8.db and cert9.db if it's not predictable which one the user currently is using.

more options

Aha, I think at that time I enabled the Password Manager on the Options page -- I generally do not use it -- and that may have triggered an update from use of key3.db to key4.db. That probably affected both logins.json and cert8.db=>cert9.db. I suspect if I had not done that, my Firefox would still be using cert8.db.

I think that is a recent (Firefox 57 or 58) change. So depending on user settings, you may find a mix of cert8.db and cert9.db and need to handle both.

more options

I am using CertUtil (https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil) to install certificate. How do I handle it using this?

Also If I remove cert8.db and key3.db from profile, CertUtil fails to install certificate.

more options
more options

الحل المُختار

You need the sql: prefix.

certutil supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt).

NSS recognizes the following prefixes:
 sql: requests the newer database
 dbm: requests the legacy database

See also:

more options

Thanks COR-EL. Exactly what I needed :-)

more options

Can you please write the command you using?

"What i need" is nice but not very helpful :-) Having same problem like you.

trying to import certificates with certutil and firefox Quantum versions.

thanks!

more options

To Install in sqlite3 (cert9) DB: certutil.exe -A -t "<trust_type>" -i "<cert_file>" -d "sql:<profile_path>"

To Install in default Berkeley (cert8) DB: certutil.exe -A -t "<trust_type>" -i "<cert_file>" -d "<profile_path>"

more options

Thank you... but my case i get certutil: NSS_Initialize failed: security library: bad database

May you having another certutil version like me i think...

I got the Files from: http://ftp.mozilla.org/pub/nspr/releases/v4.6/WINNT5.0_OPT.OBJ/ http://ftp.mozilla.org/pub/security/nss/releases/NSS_3_11_RTM/WINNT5.0_OPT.OBJ/

and copied the lib and bin from both together to one folder. Of course this are older versions, but the newest i found on web... may you using newer versions from different download locations?

However my command was certutil -A -n "Certficate Publisher" -i "MyCert.cer" -t CT,c,C -d "sql:C:\Users\MyUsername\AppData\Roaming\Mozilla\Firefox\Profiles\profileID.default"

it seems that "my" certutil.exe is not capable of parameter "sql" therefore i think it's a version conflict.

However much sad enugh that mozilla doesnt care about this. No useful informations there for their new "grand browser"

Modified by contoso

more options

You can check the current versions of these Libraries on the about:support page. NSS 3.11 is really to old (current = 3.35/36). You would normally compile NSS yourself to get the latest version if there are no binaries available for your platform.