為了改善您的使用體驗,本網站正在進行維護,部分功能暫時無法使用。若本站的文件無法解決您的問題,想要向社群發問的話,請到 Twitter 上的 @FirefoxSupport 或 Reddit 上的 /r/firefox 發問,我們的社群成員將很快會回覆您的疑問。

搜尋 Mozilla 技術支援網站

防止技術支援詐騙。我們絕對不會要求您撥打電話或發送簡訊,或是提供個人資訊。請用「回報濫用」功能回報可疑的行為。

了解更多

Firefox 58.0.2 64bit is not using cert8.db for CA Certificates

  • 12 回覆
  • 3 有這個問題
  • 102 次檢視
  • 最近回覆由 cor-el

more options

I have installed Firefox 58.0.2 64bit on Windows 10 64bit creator's edition. Then I installed custom CA certificate using NSS CertUtil (https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil). But Firefox is not showing CA certificate in list under security settings and not using it. I confirmed using CertUtil that its present there in cert8.db.

I have installed Firefox 58.0.2 64bit on Windows 10 64bit creator's edition. Then I installed custom CA certificate using NSS CertUtil (https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil). But Firefox is not showing CA certificate in list under security settings and not using it. I confirmed using CertUtil that its present there in cert8.db.

由 ajitsinghh 於 修改

被選擇的解決方法

You need the sql: prefix.

certutil supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt).

NSS recognizes the following prefixes:
 sql: requests the newer database
 dbm: requests the legacy database

See also:

從原來的回覆中察看解決方案 👍 3

所有回覆 (12)

more options

Are you sure it's the exact same file, i.e., in the same profile folder? Once a profile is created, that profile's cert8.db file is independent from any other cert8.db file on the system.

more options

I only have single default profile. There is only cert8.db file. Though there is another cert9.db file in same default profile.

NSS CertUtil is able to install certificate in Firefox 56 but its broken in Firefox 57 and 58.

Interestingly, if I install CA cert using CertUtil in Firefox 56 and then update Firefox to 57 or 58, its working fine. But the fresh installation of Firefox 58 are not able to use cert8.db for CA certs.

Firefox 58 doesn't have cert8.db when installed fresh. It only has cert9.db.

This is consistently reproducible and fairly easy.

由 ajitsinghh 於 修改

more options

Hmm, these are paired:

  • cert8.db / key3.db
  • cert9.db / key4.db

My key3.db/key4.db/cert8.db all show a last modified time of 6:05 PM Pacific on Feb. 12th when I was answering questions on this forum. cert9.db has been updated more recently. By that time, I already had Firefox 58.0.2 for 4 days.

Was I experimenting with a preference in about:config (other than what I was posting about, which was network.captive-portal-service.enabled)? I can't see what else might have triggered a switch.

Anyway, you may need to modify both cert8.db and cert9.db if it's not predictable which one the user currently is using.

more options

Aha, I think at that time I enabled the Password Manager on the Options page -- I generally do not use it -- and that may have triggered an update from use of key3.db to key4.db. That probably affected both logins.json and cert8.db=>cert9.db. I suspect if I had not done that, my Firefox would still be using cert8.db.

I think that is a recent (Firefox 57 or 58) change. So depending on user settings, you may find a mix of cert8.db and cert9.db and need to handle both.

more options

I am using CertUtil (https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil) to install certificate. How do I handle it using this?

Also If I remove cert8.db and key3.db from profile, CertUtil fails to install certificate.

more options
more options

選擇的解決方法

You need the sql: prefix.

certutil supports two types of databases: the legacy security databases (cert8.db, key3.db, and secmod.db) and new SQLite databases (cert9.db, key4.db, and pkcs11.txt).

NSS recognizes the following prefixes:
 sql: requests the newer database
 dbm: requests the legacy database

See also:

more options

Thanks COR-EL. Exactly what I needed :-)

more options

Can you please write the command you using?

"What i need" is nice but not very helpful :-) Having same problem like you.

trying to import certificates with certutil and firefox Quantum versions.

thanks!

more options

To Install in sqlite3 (cert9) DB: certutil.exe -A -t "<trust_type>" -i "<cert_file>" -d "sql:<profile_path>"

To Install in default Berkeley (cert8) DB: certutil.exe -A -t "<trust_type>" -i "<cert_file>" -d "<profile_path>"

more options

Thank you... but my case i get certutil: NSS_Initialize failed: security library: bad database

May you having another certutil version like me i think...

I got the Files from: http://ftp.mozilla.org/pub/nspr/releases/v4.6/WINNT5.0_OPT.OBJ/ http://ftp.mozilla.org/pub/security/nss/releases/NSS_3_11_RTM/WINNT5.0_OPT.OBJ/

and copied the lib and bin from both together to one folder. Of course this are older versions, but the newest i found on web... may you using newer versions from different download locations?

However my command was certutil -A -n "Certficate Publisher" -i "MyCert.cer" -t CT,c,C -d "sql:C:\Users\MyUsername\AppData\Roaming\Mozilla\Firefox\Profiles\profileID.default"

it seems that "my" certutil.exe is not capable of parameter "sql" therefore i think it's a version conflict.

However much sad enugh that mozilla doesnt care about this. No useful informations there for their new "grand browser"

由 contoso 於 修改

more options

You can check the current versions of these Libraries on the about:support page. NSS 3.11 is really to old (current = 3.35/36). You would normally compile NSS yourself to get the latest version if there are no binaries available for your platform.