"certutil" for NSS Certificate Databases on Linux

This section describes how to use the "certutil" command to manage NSS certificate databases on Linux computers.

What are NSS certificate databases? - NSS (Network Security Services) certificate databases are used by applications like Firefox and Chrome to store cryptographic keys and certificates.

There are 3 major versions of NSS databases:

NSS database files are located at different places on different Linux systems. For example:

# on Ubuntu 
herong$ ls -l ~/.mozilla/firefox/l3fqh1es.default/*.db 
-rw------- 1 herong herong  65536 Sep 18  2019 cert8.db
-rw------- 1 herong herong 360448 Dec 14 14:54 cert9.db
-rw------- 1 herong herong  16384 Sep 18  2019 key3.db
-rw------- 1 herong herong 294912 Sep 18  2019 key4.db
-rw------- 1 herong herong  16384 Sep 18  2019 secmod.db

# on CentOS 
herong$ ls -l ~/.pki/nssdb/*.db 
total 68
-rw-------. 1 herong herong 28672 Aug 20  2024 cert9.db
-rw-------. 1 herong herong 36864 Aug 20  2024 key4.db

# on macOS
herong$ cd ~/Library/Application\ Support/Firefox/
herong$ ls -l Profiles/06q6jqvz.default/*.db 
-rw-------  1 herong  staff  65536 Mar 23 13:51 cert8.db
-rw-------  1 herong  staff  16384 Mar 23 13:51 key3.db
-rw-------  1 herong  staff  16384 Nov  2  2022 secmod.db

What is the "certutil" command? - The "certutil" command is provided by the NSS library for you to manage NSS certificate databases. You can install the NSS tools using different package names on different Linux systems. For example:

# on Ubuntu 
herong$ sudo apt install libnss3-tools

# on CentOS 
herong$ sudo dnf install nss-tools

"certutil" command examples -

1. List certificates in the SQLite version:

herong$ certutil -L \
  -d sql:/home/herong/.mozilla/firefox/l3fqh1es.default

Certificate Nickname             Trust Attributes
                                 SSL,S/MIME,JAR/XPI

GTS CA 1O1                       ,,   
Amazon                           ,,   
DigiCert SHA2 Secure Server CA   ,,   
DigiCert ECC Secure Server CA    ,,   
Microsoft IT TLS CA 2            ,,   
Let's Encrypt Authority X3       ,,   
CloudFlare Inc ECC CA-2          ,,   
R11                              ,,   
WR2                              ,,   
... 

2. Print a given certificate in PEM format:

herong$ certutil -L -a -n Amazon \
  -d sql:/home/herong/.mozilla/firefox/l3fqh1es.default

-----BEGIN CERTIFICATE-----
MIIESTCCAzGgAwIBAgITBn+UV4WH6Kx33rJTMlu8mYtWDTANBgkqhkiG9w0BAQsF
ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6
b24gUm9vdCBDQSAxMB4XDTE1MTAyMjAwMDAwMFoXDTI1MTAxOTAwMDAwMFowRjEL
...

3. Create a new NSS database:

herong$ mkdir mynss
herong$ certutil -N -d sql:mynss
Enter new password: TopSecret
Re-enter password: TopSecret

herong$ ls -l mynss/
-rw------- 1 herong herong 28672 May  5 09:24 cert9.db
-rw------- 1 herong herong 36864 May  5 09:24 key4.db
-rw------- 1 herong herong   416 May  5 09:24 pkcs11.txt

4. Create a self-signed certificate in my NSS database:

herong$ certutil -S -n MyRoot -d sql:mynss -t ",," -s "CN=MyRoot" -x
  A random seed must be generated that will be used in the
  creation of your key.  One of the easiest ways to create a
  random seed is to use the timing of keystrokes on a keyboard.

  To begin, type keys on the keyboard until this progress meter
  is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!

  Continue typing until the progress meter is full:
  |************************************************************|

  Finished.  Press enter to continue: 
  Generating key.  This may take a few moments...

5. List keys and certificates in my NSS database:

herong@ubuntu:~/out$ certutil -K -d sql:mynss 
  < 0> rsa 455dc7ca8605602b8f85077f...  NSS Certificate DB:MyRoot

herong@ubuntu:~/out$ certutil -L -d sql:mynss 
  Certificate Nickname             Trust Attributes
                                   SSL,S/MIME,JAR/XPI
  MyRoot                           u,u,u
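The "Trust Attributes" column in the two listings above (",," versus "u,u,u") is what decides whether NSS-based applications accept certificates signed by each entry. The following added example, not part of this tutorial, parses the output of "certutil -L" into structured records, decodes the flags (meanings as documented in the certutil man page) and reports which entries are trusted CAs; the sample listing is constructed from the rows shown on this page plus one made-up "Local Proxy CA" row.

```python
import re

# Meaning of each trust flag, per the certutil man page.
FLAGS = {
    "p": "valid peer",
    "P": "trusted peer",
    "c": "valid CA",
    "C": "trusted CA (may issue server certs)",
    "T": "trusted CA (may issue client certs)",
    "u": "user cert (private key in key4.db)",
    "w": "send warning",
}
CONTEXTS = ("ssl", "smime", "jar")  # the SSL,S/MIME,JAR/XPI columns
# A row is a nickname, two or more spaces, then the trust triple.
ROW = re.compile(r"^(.*?)\s{2,}([pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$")

# Constructed sample modelled on the listings on this page; "Local Proxy CA"
# is an added row showing what an explicitly trusted CA looks like.
SAMPLE = """\
Certificate Nickname             Trust Attributes
                                 SSL,S/MIME,JAR/XPI

Amazon                           ,,
DigiCert SHA2 Secure Server CA   ,,
Local Proxy CA                   CT,C,C
MyRoot                           u,u,u
"""

def parse_listing(text):
    """Parse the table printed by 'certutil -L -d sql:<dir>'.

    Nicknames may contain single spaces, so each row is split on the
    last run of two or more spaces before the trust triple; the header
    lines do not match the trust pattern and are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        nick, trust = m.group(1).strip(), m.group(2)
        entries.append({"nickname": nick, **dict(zip(CONTEXTS, trust.split(",")))})
    return entries

def trusted_cas(entries, context="ssl"):
    """Nicknames flagged as trusted CAs (C or T) for one usage context.

    Anything returned here can sign certificates that NSS users accept
    without warning, so it is the list to review in an audit.
    """
    return [e["nickname"] for e in entries if set(e[context]) & {"C", "T"}]

def describe(entry):
    """Human-readable trust summary for one parsed entry."""
    parts = []
    for ctx in CONTEXTS:
        names = ", ".join(FLAGS[f] for f in entry[ctx]) or "no explicit trust"
        parts.append(f"{ctx}: {names}")
    return "; ".join(parts)

if __name__ == "__main__":
    for e in parse_listing(SAMPLE):
        print(f"{e['nickname']:32} {describe(e)}")
    print("Trusted SSL CAs:", trusted_cas(parse_listing(SAMPLE)))
```

Run it against real output with "certutil -L -d sql:<dir> | python3 script.py" after replacing SAMPLE with sys.stdin.read().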

Note that you can use another command, "pk12util", provided by the NSS library to transfer certificates and keys between PKCS#12 files and NSS databases.
