Join the Mozilla’s Test Days event from 9–15 Jan to test the new Firefox address bar on Firefox Beta 135 and get a chance to win Mozilla swag vouchers! 🎁

为提升您的使用体验,本站正在维护,部分功能暂时无法使用。如果本站文章无法解决您的问题,您想要向社区提问的话,请到 Twitter 上的 @FirefoxSupport 或 Reddit 上的 /r/firefox 提问,我们的支持社区将会很快回复您的疑问。

搜索 | 用户支持

防范以用户支持为名的诈骗。我们绝对不会要求您拨打电话或发送短信,及提供任何个人信息。请使用“举报滥用”选项报告涉及违规的行为。

详细了解

Firefox 58.0.2 64bit is not using cert8.db for CA Certificates

  • 12 个回答
  • 3 人有此问题
  • 102 次查看
  • 最后回复者为 cor-el

more options

I have installed Firefox 58.0.2 64bit on Windows 10 64bit creator's edition. Then I installed custom CA certificate using NSS CertUtil (https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil). But Firefox is not showing CA certificate in list under security settings and not using it. I confirmed using CertUtil that its present there in cert8.db.

I have installed Firefox 58.0.2 64bit on Windows 10 64bit creator's edition. Then I installed custom CA certificate using NSS CertUtil (https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil). But Firefox is not showing CA certificate in list under security settings and not using it. I confirmed using CertUtil that its present there in cert8.db.

由ajitsinghh于修改

被采纳的解决方案

You need the sql: prefix.

certutil supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt).

NSS recognizes the following prefixes:
 sql: requests the newer database
 dbm: requests the legacy database

See also:

定位到答案原位置 👍 3

所有回复 (12)

more options

Are you sure it's the exact same file, i.e., in the same profile folder? Once a profile is created, that profile's cert8.db file is independent from any other cert8.db file on the system.

more options

I only have single default profile. There is only cert8.db file. Though there is another cert9.db file in same default profile.

NSS CertUtil is able to install certificate in Firefox 56 but its broken in Firefox 57 and 58.

Interestingly, if I install CA cert using CertUtil in Firefox 56 and then update Firefox to 57 or 58, its working fine. But the fresh installation of Firefox 58 are not able to use cert8.db for CA certs.

Firefox 58 doesn't have cert8.db when installed fresh. It only has cert9.db.

This is consistently reproducible and fairly easy.

由ajitsinghh于修改

more options

Hmm, these are paired:

  • cert8.db / key3.db
  • cert9.db / key4.db

My key3.db/key4.db/cert8.db all show a last modified time of 6:05 PM Pacific on Feb. 12th when I was answering questions on this forum. cert9.db has been updated more recently. By that time, I already had Firefox 58.0.2 for 4 days.

Was I experimenting with a preference in about:config (other than what I was posting about, which was network.captive-portal-service.enabled)? I can't see what else might have triggered a switch.

Anyway, you may need to modify both cert8.db and cert9.db if it's not predictable which one the user currently is using.

more options

Aha, I think at that time I enabled the Password Manager on the Options page -- I generally do not use it -- and that may have triggered an update from use of key3.db to key4.db. That probably affected both logins.json and cert8.db=>cert9.db. I suspect if I had not done that, my Firefox would still be using cert8.db.

I think that is a recent (Firefox 57 or 58) change. So depending on user settings, you may find a mix of cert8.db and cert9.db and need to handle both.

more options

I am using CertUtil (https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil) to install certificate. How do I handle it using this?

Also If I remove cert8.db and key3.db from profile, CertUtil fails to install certificate.

more options
more options

选择的解决方案

You need the sql: prefix.

certutil supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt).

NSS recognizes the following prefixes:
 sql: requests the newer database
 dbm: requests the legacy database

See also:

more options

Thanks COR-EL. Exactly what I needed :-)

more options

Can you please write the command you using?

"What i need" is nice but not very helpful :-) Having same problem like you.

trying to import certificates with certutil and firefox Quantum versions.

thanks!

more options

To Install in sqlite3 (cert9) DB: certutil.exe -A -t "<trust_type>" -i "<cert_file>" -d "sql:<profile_path>"

To Install in default Berkeley (cert8) DB: certutil.exe -A -t "<trust_type>" -i "<cert_file>" -d "<profile_path>"

more options

Thank you... but my case i get certutil: NSS_Initialize failed: security library: bad database

May you having another certutil version like me i think...

I got the Files from: http://ftp.mozilla.org/pub/nspr/releases/v4.6/WINNT5.0_OPT.OBJ/ http://ftp.mozilla.org/pub/security/nss/releases/NSS_3_11_RTM/WINNT5.0_OPT.OBJ/

and copied the lib and bin from both together to one folder. Of course this are older versions, but the newest i found on web... may you using newer versions from different download locations?

However my command was certutil -A -n "Certficate Publisher" -i "MyCert.cer" -t CT,c,C -d "sql:C:\Users\MyUsername\AppData\Roaming\Mozilla\Firefox\Profiles\profileID.default"

it seems that "my" certutil.exe is not capable of parameter "sql" therefore i think it's a version conflict.

However much sad enugh that mozilla doesnt care about this. No useful informations there for their new "grand browser"

由contoso于修改

more options

You can check the current versions of these Libraries on the about:support page. NSS 3.11 is really to old (current = 3.35/36). You would normally compile NSS yourself to get the latest version if there are no binaries available for your platform.