certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format

I had downloaded a verified (not self-signed) S/MIME certificate with Iceweasel (Firefox), which was stored in cert8.db.

Then I used:

certutil -L -d <path_to_folder_that_cert8.db_resides>

in order to list the certificates, and then I extracted the .p12 file using the name of my certificate that certutil gave me:

pk12util -o mycertfile.p12 -n "<name_found_from_certutil>" -d <path_to_folder_that_cert8.db_resides>

The problem is that I lost access to the PC where the p12 was stored, and now I have only a copy of cert8.db on another PC. Thus I repeated the certutil && pk12util commands, but certutil fails with:

certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.

I have desperately tried on 3 different computers, including one with an identical kernel and libnss3-tools version (like the initial desktop where I extracted the p12 successfully), which is:

$ uname -a
Linux commander 3.16.0-4-amd64 #1 SMP Debian 3.16.7-2 (2014-11-06) x86_64 GNU/Linux

libnss3-tools version: 2:3.17.2-1

Any thoughts?

Thanks

stelios Avatar asked Dec 27 '14 10:12

stelios


4 Answers

Oddly and confusingly, this error is also what you get if you're trying to query a certificate database in a location you don't have access to and you didn't use sudo.

James Avatar answered Nov 19 '22 09:11

James


The database has migrated over the years from flat files to Berkeley DB to now SQLite in 3.12. Prefix the directory name with sql and enclose in quotes to get around spaces:

certutil -L -d sql:${HOME}/.pki/nssdb

For reference, here's the Mozilla NSS roadmap.

rjt Avatar answered Nov 19 '22 08:11

rjt


The error message is quite cryptic. I got a similar error while using certutil -L to get the list of certificates in a cert8.db file.

Now I have found why the command did not work.

The -L option cannot work with only a cert8.db in a folder. It also depends on two other files, key3.db and secmod.db. So -L works only in a folder where all 3 of the above files are present. And that's why the -d parameter takes a folder path, not the cert8.db file.

I tried certutil by copying cert8.db from the Firefox profile folder to a temp directory.

I noticed it when certutil -A succeeded but -L failed, and the successful -A command created the two other files in that temp folder.

Check also whether the directory path has any spaces. With a space, it gives the same error, or 'bad file format error - old database format', etc. Especially on Mac OS, the profile is in the "Application Support" folder, which contains a space in its name. So the path needs to be fully quoted:

"/Users/myuser/Library/Application Support/Firefox/Profiles/jii912uh.default"

or add the \ escape character:

/Users/myuser/Library/Application\ Support/Firefox/Profiles/jii912uh.default

karim Avatar answered Nov 19 '22 08:11

karim
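
The two answers above (the sql: prefix and the cert8.db/key3.db/secmod.db trio) can be combined into a small pre-flight check. This is an added example, not code from the thread; the function names nss_db_prefix and nss_list_certs are hypothetical, and it assumes the dbm: and sql: prefixes that certutil's -d option accepts.

```shell
#!/bin/sh
# Added example (not from the original thread): pick the right certutil
# database prefix for a directory and quote the path, so that a missing
# key3.db/secmod.db or an unquoted space is caught before certutil is run.

# Print "dbm:" for a complete legacy database (cert8.db + key3.db + secmod.db)
# or "sql:" for a complete SQLite database (cert9.db + key4.db + pkcs11.txt).
# Return 1 (with a diagnosis on stderr) when neither set is complete; a lone
# cert8.db copy, as in the question, is the case certutil reports as
# SEC_ERROR_LEGACY_DATABASE.
nss_db_prefix() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 1
    fi
    if [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ] && [ -f "$dir/pkcs11.txt" ]; then
        echo "sql:"
        return 0
    fi
    if [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ] && [ -f "$dir/secmod.db" ]; then
        echo "dbm:"
        return 0
    fi
    # Report which files of the legacy trio are absent.
    for f in cert8.db key3.db secmod.db; do
        [ -f "$dir/$f" ] || echo "missing $f in $dir" >&2
    done
    return 1
}

# List the certificates in an NSS database directory. The prefix and the
# directory are passed as one quoted argument, so a path such as
# ".../Application Support/..." is handled without escaping.
nss_list_certs() {
    prefix=$(nss_db_prefix "$1") || return 1
    certutil -L -d "${prefix}$1"
}
```

Run nss_list_certs "$HOME/.mozilla/firefox/<profile>" (placeholder profile name); if it refuses, the stderr lines name the files that must be restored alongside cert8.db.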


I needed to restore the whole .mozilla directory in order to run certutil successfully. The file cert8.db needs to be in its original directory.

stelios Avatar answered Nov 19 '22 10:11

stelios