17

When I'm using certutil it returns this error: `certutil: function failed: security library: bad database.`

E.g. I can't list certs or keys.

How can I fix this?

Eric Leschinski
Zim3r

6 Answers

33

If it is a new system, your certificate database might not be initialized. To fix this, perform:

mkdir -p $HOME/.pki/nssdb
certutil -d $HOME/.pki/nssdb -N
Maciej Małycha
  • 2
    If you don't want a password on the certificate database, add the `--empty-password` switch to the end of the `certutil` command. – Ben Johnson May 31 '18 at 15:32
  • I found that if I ran instead: `certutil -d sql:$HOME/.pki/nssdb -L` it would not result in that error. But if I just run `certutil -L` it would show that error. Does that mean the database is not corrupted, but there's some incompatibility or does certutil expect the wrong directory? – CMCDragonkai Jan 15 '20 at 05:17
4

In case the database has already been initialised but is still corrupted, it has to be rebuilt:

$ mv ~/.pki/nssdb ~/.pki/nssdb.corrupted
$ mkdir ~/.pki/nssdb
$ chmod 700 ~/.pki/nssdb
$ certutil -d sql:$HOME/.pki/nssdb -N

Check if it is working alright:

$ certutil -d sql:$HOME/.pki/nssdb -L
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Import a certificate:

$ certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n GoAgent -i ~/programs/goagent/local/CA.crt
Mattijn
  • Since the last update of libGNUTLS on Debian, my browsers (Chrome and Iceweasel) failed to open. On the console I got `[5284:5310:0306/110217:ERROR:nss_util.cc(750)] After loading Root Certs, loaded==false: NSS error code: -8018` and no way to solve this gracefully. Rebuilding the DB solved it for me! Thank you very much :) – pid Mar 06 '14 at 11:18
  • I was able to rebuild the DB and list the certificates after that, but my import is still failing with the error: `certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.` My import command is `certutil -d sql:$HOME/.pki/nssb -A -t "CT,C,C" -n sophos -i ~/Downloads/sophos_cert.crt` This shouldn't have to be run as root, should it? – Gillfish Jul 29 '15 at 15:54
2

If you want to display certifications from a specific folder (for example, the folder which stores the cert8.db file for Firefox), you need to specify the folder with "-d":

nss-certutil -d /Users/myuser/Library/Application\ Support/Firefox/Profiles/jii912uh.default -L

Otherwise, nss-certutil may try to read *.db files from the ~/.netscape folder, or maybe $HOME/.pki/nssdb as a previous user mentioned.

vgoff
user151182
1

Also check whether the -d directory path (which must point to the directory) contains any spaces. With a space it gives the same error, or a bad file format error (old database format, etc.). Especially on Mac, the folder is in "Application Support", which contains a space. So have the path fully quoted:

"/Users/myuser/Library/Application Support/Firefox/Profiles/jii912uh.default"

or add the \ escape character.

 /Users/myuser/Library/Application\ Support/Firefox/Profiles/jii912uh.default

And check that the folder has the following files: cert8.db, key3.db and secmod.db.

karim
0

Quite an old question, but the mentioned solutions did not work for me, because the error was caused by incorrect shell expansion.

In my case, I had to replace ~ with $HOME, e.g.

certutil -d sql:~/.pki/nssdb -A -t "C,," -n KEY_NAME -i ~/path_to_the_key/key.cert

became

certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n KEY_NAME -i $HOME/path_to_the_key/key.cert
zergussino
0

In my case I solved the problem using this solution (Windows XP, nss 3.15.1):

cd /dir/with/database
C:/full/path/to/certutil.exe -L -d .
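
The checks scattered across the answers above (which database format the directory holds, a `~` left unexpanded after `sql:`, and paths containing spaces) can be combined into one pre-flight step. This is an added example, not code from any of the answers; the function names are hypothetical, and the `cert9.db`/`key4.db` file names and the `dbm:` prefix come from NSS itself rather than from this page.

```shell
#!/bin/sh
# Added example: work out the -d argument certutil needs for a database directory.

# nss_db_format DIR -> prints sql, dbm, both, none or missing
nss_db_format() {
    dir=$1
    [ -d "$dir" ] || { echo missing; return 1; }
    sql=no; dbm=no
    # SQLite format: cert9.db + key4.db; legacy DBM format: cert8.db + key3.db
    [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ] && sql=yes
    [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ] && dbm=yes
    case "$sql$dbm" in
        yesyes) echo both ;;
        yesno)  echo sql ;;
        noyes)  echo dbm ;;
        *)      echo none; return 1 ;;
    esac
}

# nss_db_arg ARG -> prints "PREFIX:DIR" with an explicit format prefix.
# ARG may be "sql:DIR", "dbm:DIR" or a bare DIR. A leading "~/" is expanded
# here because the shell does not expand "~" when it follows "sql:".
nss_db_arg() {
    arg=$1; prefix=
    case "$arg" in
        sql:*|dbm:*) prefix=${arg%%:*}; arg=${arg#*:} ;;
    esac
    case "$arg" in
        "~")   arg=$HOME ;;
        "~/"*) arg=$HOME/${arg#"~/"} ;;
    esac
    fmt=$(nss_db_format "$arg") || { echo "error: $arg: $fmt" >&2; return 1; }
    # When both formats are present, honour the caller's prefix (default sql).
    [ "$fmt" = both ] && fmt=${prefix:-sql}
    if [ -n "$prefix" ] && [ "$prefix" != "$fmt" ]; then
        echo "error: $arg holds a $fmt database, not $prefix" >&2
        return 1
    fi
    printf '%s:%s\n' "$fmt" "$arg"
}

# Usage (quotes keep a path with spaces as one argument):
#   certutil -d "$(nss_db_arg 'sql:~/.pki/nssdb')" -L
```

A result of `none` or `missing` means the directory has not been initialised with `certutil -N`, which is the case the first answer covers.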