[GH-ISSUE #12] failed to execute "certutil -A" #9

New issue

Closed

opened 2026-02-25 22:32:21 +03:00 by kerem · 15 comments

kerem commented 2026-02-25 22:32:21 +03:00

Owner

Copy link

Originally created by @Yahatix on GitHub (Jun 28, 2018).
Original GitHub issue: https://github.com/FiloSottile/mkcert/issues/12

This error appears when i do "mkcert -install"

ERROR: failed to execute "certutil -A": exit status 255

certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.

Originally created by @Yahatix on GitHub (Jun 28, 2018). Original GitHub issue: https://github.com/FiloSottile/mkcert/issues/12 This error appears when i do "mkcert -install" >ERROR: failed to execute "certutil -A": exit status 255 > >certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.

kerem 2026-02-25 22:32:21 +03:00

• closed this issue
• added the
  bug
  label

kerem commented 2026-02-25 22:32:22 +03:00

Author

Owner

Copy link

@adamdecaf commented on GitHub (Jun 28, 2018):

What version of Firefox are you on? IIRC it was Firefox 57/58 that switched to the cert9.db format.

Edit: I see mkcert is trying to operate on any cert*.db file found, which I haven't been able to get NSS 3.35+ to support.

<!-- gh-comment-id:401056969 --> @adamdecaf commented on GitHub (Jun 28, 2018): What version of Firefox are you on? IIRC it was Firefox 57/58 that switched to the cert9.db format. Edit: I see mkcert is trying to operate on any cert*.db file found, which I haven't been able to get [NSS 3.35+ to support](https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.35_release_notes).

kerem commented 2026-02-25 22:32:22 +03:00

Author

Owner

Copy link

@adamdecaf commented on GitHub (Jun 28, 2018):

@Yahatix Could you try out https://github.com/FiloSottile/mkcert/pull/13 and see if you still get an error?

Have you tried with this change github.com/FiloSottile/mkcert@1bc392c3cc ?

<!-- gh-comment-id:401059574 --> @adamdecaf commented on GitHub (Jun 28, 2018): @Yahatix ~~Could you try out https://github.com/FiloSottile/mkcert/pull/13 and see if you still get an error?~~ Have you tried with this change https://github.com/FiloSottile/mkcert/commit/1bc392c3cc19f69a692bdb2646ee01f342083d3a ?

kerem commented 2026-02-25 22:32:22 +03:00

Author

Owner

Copy link

@Yahatix commented on GitHub (Jun 28, 2018):

@adamdecaf I just tried with the newest commit and it doesnt work. I am using the latest Firefox beta so 62.0b3

<!-- gh-comment-id:401091906 --> @Yahatix commented on GitHub (Jun 28, 2018): @adamdecaf I just tried with the newest commit and it doesnt work. I am using the latest Firefox beta so 62.0b3

kerem commented 2026-02-25 22:32:22 +03:00

Author

Owner

Copy link

@adamdecaf commented on GitHub (Jun 28, 2018):

@Yahatix Does the user running mkcert have permissions for that file?

Oddly and confusingly, this error is also what you get if you're trying to query a certificate database in a location you don't have access to and you didn't use sudo.

https://stackoverflow.com/a/39356437

<!-- gh-comment-id:401135263 --> @adamdecaf commented on GitHub (Jun 28, 2018): @Yahatix Does the user running `mkcert` have permissions for that file? > Oddly and confusingly, this error is also what you get if you're trying to query a certificate database in a location you don't have access to and you didn't use sudo. https://stackoverflow.com/a/39356437

kerem commented 2026-02-25 22:32:22 +03:00

Author

Owner

Copy link

@Yahatix commented on GitHub (Jun 29, 2018):

if you mean the cert9.db file then yes and the user has access to all the other files in this folder also

<!-- gh-comment-id:401311309 --> @Yahatix commented on GitHub (Jun 29, 2018): if you mean the cert9.db file then yes and the user has access to all the other files in this folder also

kerem commented 2026-02-25 22:32:22 +03:00

Author

Owner

Copy link

@FiloSottile commented on GitHub (Jul 4, 2018):

I added some debug output, if you could rerun the latest build and report its output it would be helpful. @Cui-y @Yahatix

<!-- gh-comment-id:402331054 --> @FiloSottile commented on GitHub (Jul 4, 2018): I added some debug output, if you could rerun the latest build and report its output it would be helpful. @Cui-y @Yahatix

kerem commented 2026-02-25 22:32:22 +03:00

Author

Owner

Copy link

@Yahatix commented on GitHub (Jul 4, 2018):

OK so the debug output says:

Using the local CA at "/Users/myUsername/Library/Application Support/mkcert" ✨
!!! You've hit a known issue. Please report the entire command output at https://github.com/FiloSottile/mkcert/issues/12
Profile path: dbm:/Users/myUsername/Library/Application Support/Firefox/Profiles/.DS_Store
OS: darwin/amd64
certutil: /usr/local/opt/nss/bin/certutil
-rw-r--r--@ 1 myUsername  staff  6148  4 Jul 05:14 /Users/myUsername/Library/Application Support/Firefox/Profiles/.DS_Store
ERROR: failed to execute "certutil -A": exit status 255

certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.

I think this happened when i opened the Folder in the Finder.
Upon deleting the .DS_Store file it now is working as it should.

<!-- gh-comment-id:402351405 --> @Yahatix commented on GitHub (Jul 4, 2018): OK so the debug output says: ``` Using the local CA at "/Users/myUsername/Library/Application Support/mkcert" ✨ !!! You've hit a known issue. Please report the entire command output at https://github.com/FiloSottile/mkcert/issues/12 Profile path: dbm:/Users/myUsername/Library/Application Support/Firefox/Profiles/.DS_Store OS: darwin/amd64 certutil: /usr/local/opt/nss/bin/certutil -rw-r--r--@ 1 myUsername staff 6148 4 Jul 05:14 /Users/myUsername/Library/Application Support/Firefox/Profiles/.DS_Store ERROR: failed to execute "certutil -A": exit status 255 certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format. ``` I think this happened when i opened the Folder in the Finder. Upon deleting the .DS_Store file it now is working as it should.

kerem commented 2026-02-25 22:32:22 +03:00

Author

Owner

Copy link

@ansemjo commented on GitHub (Jul 4, 2018):

I have also hit this issue just now:

$ uname -srvmo
Linux 4.17.3-1-ARCH #1 SMP PREEMPT Tue Jun 26 04:42:36 UTC 2018 x86_64 GNU/Linux
$ firefox --version
Mozilla Firefox 61.0
$ mkcert -install
Created a new local CA at "/home/ansemjo/.local/share/mkcert" 💥
Installing to the system store is not yet supported on this Linux 😣 but Firefox and/or Chrome/Chromium will still work.
You can also manually install the root certificate at "/home/ansemjo/.local/share/mkcert/rootCA.pem".
!!! You've hit a known issue. Please report the entire command output at https://github.com/FiloSottile/mkcert/issues/12
Profile path: dbm:/home/ansemjo/.mozilla/firefox/profiles.ini
OS: linux/amd64
certutil: /usr/bin/certutil
-rw-r--r-- 1 ansemjo users 172 Jun 28 16:51 /home/ansemjo/.mozilla/firefox/profiles.ini
ERROR: failed to execute "certutil -A": exit status 255

certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.

$ ls -l .mozilla/firefox/profiles.ini 
-rw-r--r-- 1 ansemjo users 172 Jun 28 16:51 .mozilla/firefox/profiles.ini

However, when adding the certificate manually through Firefox' certitifcate manager it says the certificate authority is already installed .. during certificate installation mkcert still warns that it is not installed in the trust store. (I have verified that it is.)

$ mkcert example.org
Using the local CA at "/home/ansemjo/.local/share/mkcert" ✨
Warning: the local CA is not installed in the system trust store! ⚠️
Warning: the local CA is not installed in the Firefox and/or Chrome/Chromium trust store! ⚠️
Run "mkcert -install" to avoid verification errors ‼️

Created a new certificate valid for the following names 📜
 - "example.org"

The certificate is at "./example.org.pem" and the key at "./example.org-key.pem" ✅

<!-- gh-comment-id:402368788 --> @ansemjo commented on GitHub (Jul 4, 2018): I have also hit this issue just now: ``` $ uname -srvmo Linux 4.17.3-1-ARCH #1 SMP PREEMPT Tue Jun 26 04:42:36 UTC 2018 x86_64 GNU/Linux $ firefox --version Mozilla Firefox 61.0 $ mkcert -install Created a new local CA at "/home/ansemjo/.local/share/mkcert" 💥 Installing to the system store is not yet supported on this Linux 😣 but Firefox and/or Chrome/Chromium will still work. You can also manually install the root certificate at "/home/ansemjo/.local/share/mkcert/rootCA.pem". !!! You've hit a known issue. Please report the entire command output at https://github.com/FiloSottile/mkcert/issues/12 Profile path: dbm:/home/ansemjo/.mozilla/firefox/profiles.ini OS: linux/amd64 certutil: /usr/bin/certutil -rw-r--r-- 1 ansemjo users 172 Jun 28 16:51 /home/ansemjo/.mozilla/firefox/profiles.ini ERROR: failed to execute "certutil -A": exit status 255 certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format. $ ls -l .mozilla/firefox/profiles.ini -rw-r--r-- 1 ansemjo users 172 Jun 28 16:51 .mozilla/firefox/profiles.ini ``` However, when adding the certificate manually through Firefox' certitifcate manager it says the certificate authority is already installed .. during certificate installation `mkcert` still warns that it is not installed in the trust store. (I have verified that it is.) ``` $ mkcert example.org Using the local CA at "/home/ansemjo/.local/share/mkcert" ✨ Warning: the local CA is not installed in the system trust store! ⚠️ Warning: the local CA is not installed in the Firefox and/or Chrome/Chromium trust store! ⚠️ Run "mkcert -install" to avoid verification errors ‼️ Created a new certificate valid for the following names 📜 - "example.org" The certificate is at "./example.org.pem" and the key at "./example.org-key.pem" ✅ ```

kerem commented 2026-02-25 22:32:22 +03:00

Author

Owner

Copy link

@icing commented on GitHub (Jul 4, 2018):

Same here:

ERROR: failed to execute "certutil -A": exit status 255

When run manually:

> /usr/local/opt/nss/bin/certutil -A
certutil -A: nickname is required for this command (-n).
> echo $?
255

<!-- gh-comment-id:402434109 --> @icing commented on GitHub (Jul 4, 2018): Same here: ``` ERROR: failed to execute "certutil -A": exit status 255 ``` When run manually: ``` > /usr/local/opt/nss/bin/certutil -A certutil -A: nickname is required for this command (-n). > echo $? 255 ```

kerem commented 2026-02-25 22:32:22 +03:00

Author

Owner

Copy link

@needpower commented on GitHub (Jul 4, 2018):

Have similar issue:

> CAROOT=certs/ mkcert -install

Using the local CA at "certs/" ✨

But there is also an error:

ERROR: failed to execute "certutil -A": exit status 255

certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.

Log output:

Profile path: dbm:/home/artem/.mozilla/firefox/profiles.ini
OS: linux/amd64
certutil: /usr/bin/certutil
-rw-rw-r-- 1 artem artem 104 May 10 16:39 /home/artem/.mozilla/firefox/profiles.ini

Can anyone advice a workaround? Is this a permissions problem?

<!-- gh-comment-id:402491946 --> @needpower commented on GitHub (Jul 4, 2018): Have similar issue: ``` > CAROOT=certs/ mkcert -install Using the local CA at "certs/" ✨ ``` But there is also an error: ``` ERROR: failed to execute "certutil -A": exit status 255 certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format. ``` Log output: ``` Profile path: dbm:/home/artem/.mozilla/firefox/profiles.ini OS: linux/amd64 certutil: /usr/bin/certutil -rw-rw-r-- 1 artem artem 104 May 10 16:39 /home/artem/.mozilla/firefox/profiles.ini ``` Can anyone advice a workaround? Is this a permissions problem?

kerem commented 2026-02-25 22:32:22 +03:00

Author

Owner

Copy link

@ansemjo commented on GitHub (Jul 4, 2018):

I hacked together some debugging programm with a couple of fmt.Println()'s and the problem appears to be that !os.IsNotExist(err) also returns true for not a directory errors:

github.com/FiloSottile/mkcert@54cdb2c715/truststore_nss.go (L104)

FirefoxProfile: /home/ansemjo/.mozilla/firefox/* 

Profile 0 /home/ansemjo/.mozilla/firefox/Crash Reports
sql:/home/ansemjo/.mozilla/firefox/Crash Reports/cert9.db
stat error: stat /home/ansemjo/.mozilla/firefox/Crash Reports/cert9.db: no such file or directory
!os.IsNotExist(): false

Profile 1 /home/ansemjo/.mozilla/firefox/Pending Pings
sql:/home/ansemjo/.mozilla/firefox/Pending Pings/cert9.db
stat error: stat /home/ansemjo/.mozilla/firefox/Pending Pings/cert9.db: no such file or directory
!os.IsNotExist(): false

Profile 2 /home/ansemjo/.mozilla/firefox/ixrdqj9e.ansemjo-1528391975165
sql:/home/ansemjo/.mozilla/firefox/ixrdqj9e.ansemjo-1528391975165/cert9.db
stat error: <nil>
!os.IsNotExist(): true

Profile 3 /home/ansemjo/.mozilla/firefox/profiles.ini
sql:/home/ansemjo/.mozilla/firefox/profiles.ini/cert9.db
stat error: stat /home/ansemjo/.mozilla/firefox/profiles.ini/cert9.db: not a directory
!os.IsNotExist(): true

I'd suggest either checking that profile is a directory before joining the path or checking err == nil?

debugging script

package main
import (

"fmt"

"os"

"path/filepath"

)
func main() {
FirefoxProfile := os.Getenv("HOME") + "/.mozilla/firefox/*"

fmt.Println("FirefoxProfile:", FirefoxProfile, "\n")

profiles, _ := filepath.Glob(FirefoxProfile)

for i, profile := range profiles {

	fmt.Println("Profile", i, profile)

	db := filepath.Join(profile, "cert9.db")
	fmt.Println("sql:" + db)

	_, err := os.Stat(db)
	fmt.Println("stat error:", err)
	fmt.Println("!os.IsNotExist():", !os.IsNotExist(err))

	fmt.Println()
}

}

---

Edit: this patch appears to fix it for me:

diff --git a/truststore_nss.go b/truststore_nss.go
index 38e9ddc..fe7d00e 100644
--- a/truststore_nss.go
+++ b/truststore_nss.go
@@ -97,6 +97,9 @@ func (m *mkcert) forEachNSSProfile(f func(profile string)) (found int) {
 		return
 	}
 	for _, profile := range profiles {
+		if stat, err := os.Stat(profile); err == nil && stat != nil && !stat.IsDir() {
+			continue
+		}
 		if _, err := os.Stat(filepath.Join(profile, "cert8.db")); !os.IsNotExist(err) {
 			f("dbm:" + profile)
 			found++

<!-- gh-comment-id:402506080 --> @ansemjo commented on GitHub (Jul 4, 2018): I hacked together some debugging programm with a couple of `fmt.Println()`'s and the problem appears to be that `!os.IsNotExist(err)` also returns `true` for `not a directory` errors: https://github.com/FiloSottile/mkcert/blob/54cdb2c7154b97e6e477578a5f08a695822f4fcb/truststore_nss.go#L104 ``` FirefoxProfile: /home/ansemjo/.mozilla/firefox/* Profile 0 /home/ansemjo/.mozilla/firefox/Crash Reports sql:/home/ansemjo/.mozilla/firefox/Crash Reports/cert9.db stat error: stat /home/ansemjo/.mozilla/firefox/Crash Reports/cert9.db: no such file or directory !os.IsNotExist(): false Profile 1 /home/ansemjo/.mozilla/firefox/Pending Pings sql:/home/ansemjo/.mozilla/firefox/Pending Pings/cert9.db stat error: stat /home/ansemjo/.mozilla/firefox/Pending Pings/cert9.db: no such file or directory !os.IsNotExist(): false Profile 2 /home/ansemjo/.mozilla/firefox/ixrdqj9e.ansemjo-1528391975165 sql:/home/ansemjo/.mozilla/firefox/ixrdqj9e.ansemjo-1528391975165/cert9.db stat error: <nil> !os.IsNotExist(): true Profile 3 /home/ansemjo/.mozilla/firefox/profiles.ini sql:/home/ansemjo/.mozilla/firefox/profiles.ini/cert9.db stat error: stat /home/ansemjo/.mozilla/firefox/profiles.ini/cert9.db: not a directory !os.IsNotExist(): true ``` I'd suggest either checking that `profile` is a directory before joining the path or checking `err == nil`? <details> <summary>debugging script</summary> <pre> package main import ( "fmt" "os" "path/filepath" ) func main() { FirefoxProfile := os.Getenv("HOME") + "/.mozilla/firefox/*" fmt.Println("FirefoxProfile:", FirefoxProfile, "\n") profiles, _ := filepath.Glob(FirefoxProfile) for i, profile := range profiles { fmt.Println("Profile", i, profile) db := filepath.Join(profile, "cert9.db") fmt.Println("sql:" + db) _, err := os.Stat(db) fmt.Println("stat error:", err) fmt.Println("!os.IsNotExist():", !os.IsNotExist(err)) fmt.Println() } } </pre> </details> --- Edit: this patch appears to fix it for me: ```patch diff --git a/truststore_nss.go b/truststore_nss.go index 38e9ddc..fe7d00e 100644 --- a/truststore_nss.go +++ b/truststore_nss.go @@ -97,6 +97,9 @@ func (m *mkcert) forEachNSSProfile(f func(profile string)) (found int) { return } for _, profile := range profiles { + if stat, err := os.Stat(profile); err == nil && stat != nil && !stat.IsDir() { + continue + } if _, err := os.Stat(filepath.Join(profile, "cert8.db")); !os.IsNotExist(err) { f("dbm:" + profile) found++ ```

kerem commented 2026-02-25 22:32:22 +03:00

Author

Owner

Copy link

@johanvanhelden commented on GitHub (Jul 4, 2018):

As requested, I hereby present the output:

[Apps] $(go env GOPATH)/bin/mkcert -install                                                                                                                                                                                17:17:27 
Using the local CA at "/home/redacted/.local/share/mkcert" ✨
The local CA is now installed in the system trust store! ⚡️
!!! You've hit a known issue. Please report the entire command output at https://github.com/FiloSottile/mkcert/issues/12
Profile path: dbm:/home/redacted/.mozilla/firefox/profiles.ini
OS: linux/amd64
certutil: /usr/bin/certutil
-rw-r--r-- 1 redacted redacted 188 apr 21  2017 /home/redacted/.mozilla/firefox/profiles.ini
ERROR: failed to execute "certutil -A": exit status 255

certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.

<!-- gh-comment-id:402508078 --> @johanvanhelden commented on GitHub (Jul 4, 2018): As requested, I hereby present the output: ``` [Apps] $(go env GOPATH)/bin/mkcert -install 17:17:27 Using the local CA at "/home/redacted/.local/share/mkcert" ✨ The local CA is now installed in the system trust store! ⚡️ !!! You've hit a known issue. Please report the entire command output at https://github.com/FiloSottile/mkcert/issues/12 Profile path: dbm:/home/redacted/.mozilla/firefox/profiles.ini OS: linux/amd64 certutil: /usr/bin/certutil -rw-r--r-- 1 redacted redacted 188 apr 21 2017 /home/redacted/.mozilla/firefox/profiles.ini ERROR: failed to execute "certutil -A": exit status 255 certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format. ```

kerem commented 2026-02-25 22:32:22 +03:00

Author

Owner

Copy link

@FiloSottile commented on GitHub (Jul 4, 2018):

Thanks @ansemjo for the fix!

<!-- gh-comment-id:402527463 --> @FiloSottile commented on GitHub (Jul 4, 2018): Thanks @ansemjo for the fix!

kerem commented 2026-02-25 22:32:22 +03:00

Author

Owner

Copy link

@Ronserruya commented on GitHub (Jul 12, 2018):

Got this error now, looks like this fix was merged 8 days ago, I am using the binaries from 6 days ago.

./mkcert-v1.0.0-linux-amd64 -install
Using the local CA at "/home/ron/.local/share/mkcert" ✨
The local CA is now installed in the system trust store! ⚡️
!!! You've hit a known issue. Please report the entire command output at https://github.com/FiloSottile/mkcert/issues/12
Profile path: sql:/home/ron/.mozilla/firefox/niollsln.default
OS: linux/amd64
certutil: /usr/bin/certutil
total 9680
-rw------- 1 ron  ron     2261 יונ  5 13:08 addons.json
-rw------- 1 ron  ron     1670 יונ  5 13:02 addonStartup.json.lz4
-rw-rw-r-- 1 ron  ron        0 יונ  5 13:43 AlternateServices.txt
-rw------- 1 ron  ron   461412 יונ 21  2017 blocklist-addons.json
-rw------- 1 ron  ron    27953 יונ 21  2017 blocklist-gfx.json
-rw------- 1 ron  ron   203214 יונ 21  2017 blocklist-plugins.json
drwx------ 2 ron  ron     4096 יונ  4 17:46 blocklists
-rw------- 1 ron  ron   130590 יונ  5 13:10 blocklist.xml
drwx------ 2 ron  ron     4096 יונ  5 10:37 bookmarkbackups
drwx------ 3 ron  ron     4096 דצמ 17  2017 browser-extension-data
-rw------- 1 ron  ron   114688 יול 12 18:31 cert8.db
-rw------- 1 root root  294912 מאי  3 14:14 cert9.db
-rw------- 1 ron  ron      181 יונ  5 13:02 compatibility.ini
-rw------- 1 ron  ron      809 יונ  4 17:36 containers.json
-rw-r--r-- 1 ron  ron   229376 יונ  5 10:29 content-prefs.sqlite
-rw-r--r-- 1 ron  ron   524288 יונ  5 13:43 cookies.sqlite
drwx------ 3 ron  ron     4096 יונ  5 13:03 crashes
drwx------ 3 ron  ron     4096 יונ  5 13:43 datareporting
drwx------ 2 ron  ron     4096 יונ 21  2017 extensions
-rw------- 1 ron  ron    16791 יונ  5 13:12 extensions.json
-rw-r--r-- 1 ron  ron   393216 יונ  5 10:52 favicons.sqlite
drwx------ 4 ron  ron     4096 אוג  6  2017 features
-rw-r--r-- 1 ron  ron   196608 יונ  5 10:33 formhistory.sqlite
drwx------ 2 ron  ron     4096 יונ  5 13:02 gmp
drwxr-xr-x 4 ron  ron     4096 יונ  4 17:39 gmp-gmpopenh264
-rw------- 1 ron  ron      683 יונ  5 13:02 handlers.json
-rw------- 1 ron  ron        0 יונ  5 13:02 Invalidprefs.js
-rw------- 1 ron  ron    16384 יול 12 18:31 key3.db
-rw------- 1 root root  294912 מאי  3 14:14 key4.db
-rw-r--r-- 1 ron  ron  1376256 יונ  4 17:46 kinto.sqlite
-rw-rw-r-- 1 ron  ron     3781 יונ 21  2017 mimeTypes.rdf
drwx------ 2 ron  ron     4096 יונ 21  2017 minidumps
-rw-r--r-- 1 ron  ron    98304 יונ 21  2017 permissions.sqlite
-rw------- 1 root root     878 מאי  3 14:14 pkcs11.txt
-rw-r--r-- 1 ron  ron  5242880 יונ  5 13:43 places.sqlite
-rw------- 1 ron  ron      428 יונ  4 17:36 pluginreg.dat
-rw------- 1 root root    9173 מאי  8 15:24 prefs.js
-rw-rw-r-- 1 ron  ron    39826 יונ  4 17:46 revocations.txt
drwx------ 2 ron  ron     4096 יונ  5 13:43 saved-telemetry-pings
-rw------- 1 ron  ron    10935 יונ  5 13:02 search.json.mozlz4
-rw------- 1 ron  ron    16384 יונ 21  2017 secmod.db
-rw-rw-r-- 1 ron  ron        0 יונ  5 13:43 SecurityPreloadState.txt
-rw-rw-r-- 1 ron  ron      116 אוג  6  2017 serviceworker.txt
-rw------- 1 ron  ron      288 יונ  5 13:43 sessionCheckpoints.json
drwx------ 2 ron  ron     4096 יונ  5 13:43 sessionstore-backups
-rw------- 1 ron  ron     1898 אוג 23  2017 sessionstore.js
-rw------- 1 ron  ron     3800 יונ  5 13:43 sessionstore.jsonlz4
-rw-rw-r-- 1 ron  ron     4662 יונ  5 13:43 SiteSecurityServiceState.txt
drwxr-xr-x 5 ron  ron     4096 אוג  6  2017 storage
-rw-r--r-- 1 ron  ron      512 דצמ 17  2017 storage.sqlite
-rwx------ 1 ron  ron       29 יונ 21  2017 times.json
-rw-rw-r-- 1 ron  ron        0 יונ  5 13:43 TRRBlacklist.txt
-rw-r--r-- 1 ron  ron    98304 יונ  4 17:37 webappsstore.sqlite
-rw------- 1 ron  ron      170 יונ  5 13:43 xulstore.json
ERROR: failed to execute "certutil -A": exit status 255

certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.

<!-- gh-comment-id:404554183 --> @Ronserruya commented on GitHub (Jul 12, 2018): Got this error now, looks like this fix was merged 8 days ago, I am using the binaries from 6 days ago. ``` ./mkcert-v1.0.0-linux-amd64 -install Using the local CA at "/home/ron/.local/share/mkcert" ✨ The local CA is now installed in the system trust store! ⚡️ !!! You've hit a known issue. Please report the entire command output at https://github.com/FiloSottile/mkcert/issues/12 Profile path: sql:/home/ron/.mozilla/firefox/niollsln.default OS: linux/amd64 certutil: /usr/bin/certutil total 9680 -rw------- 1 ron ron 2261 יונ 5 13:08 addons.json -rw------- 1 ron ron 1670 יונ 5 13:02 addonStartup.json.lz4 -rw-rw-r-- 1 ron ron 0 יונ 5 13:43 AlternateServices.txt -rw------- 1 ron ron 461412 יונ 21 2017 blocklist-addons.json -rw------- 1 ron ron 27953 יונ 21 2017 blocklist-gfx.json -rw------- 1 ron ron 203214 יונ 21 2017 blocklist-plugins.json drwx------ 2 ron ron 4096 יונ 4 17:46 blocklists -rw------- 1 ron ron 130590 יונ 5 13:10 blocklist.xml drwx------ 2 ron ron 4096 יונ 5 10:37 bookmarkbackups drwx------ 3 ron ron 4096 דצמ 17 2017 browser-extension-data -rw------- 1 ron ron 114688 יול 12 18:31 cert8.db -rw------- 1 root root 294912 מאי 3 14:14 cert9.db -rw------- 1 ron ron 181 יונ 5 13:02 compatibility.ini -rw------- 1 ron ron 809 יונ 4 17:36 containers.json -rw-r--r-- 1 ron ron 229376 יונ 5 10:29 content-prefs.sqlite -rw-r--r-- 1 ron ron 524288 יונ 5 13:43 cookies.sqlite drwx------ 3 ron ron 4096 יונ 5 13:03 crashes drwx------ 3 ron ron 4096 יונ 5 13:43 datareporting drwx------ 2 ron ron 4096 יונ 21 2017 extensions -rw------- 1 ron ron 16791 יונ 5 13:12 extensions.json -rw-r--r-- 1 ron ron 393216 יונ 5 10:52 favicons.sqlite drwx------ 4 ron ron 4096 אוג 6 2017 features -rw-r--r-- 1 ron ron 196608 יונ 5 10:33 formhistory.sqlite drwx------ 2 ron ron 4096 יונ 5 13:02 gmp drwxr-xr-x 4 ron ron 4096 יונ 4 17:39 gmp-gmpopenh264 -rw------- 1 ron ron 683 יונ 5 13:02 handlers.json -rw------- 1 ron ron 0 יונ 5 13:02 Invalidprefs.js -rw------- 1 ron ron 16384 יול 12 18:31 key3.db -rw------- 1 root root 294912 מאי 3 14:14 key4.db -rw-r--r-- 1 ron ron 1376256 יונ 4 17:46 kinto.sqlite -rw-rw-r-- 1 ron ron 3781 יונ 21 2017 mimeTypes.rdf drwx------ 2 ron ron 4096 יונ 21 2017 minidumps -rw-r--r-- 1 ron ron 98304 יונ 21 2017 permissions.sqlite -rw------- 1 root root 878 מאי 3 14:14 pkcs11.txt -rw-r--r-- 1 ron ron 5242880 יונ 5 13:43 places.sqlite -rw------- 1 ron ron 428 יונ 4 17:36 pluginreg.dat -rw------- 1 root root 9173 מאי 8 15:24 prefs.js -rw-rw-r-- 1 ron ron 39826 יונ 4 17:46 revocations.txt drwx------ 2 ron ron 4096 יונ 5 13:43 saved-telemetry-pings -rw------- 1 ron ron 10935 יונ 5 13:02 search.json.mozlz4 -rw------- 1 ron ron 16384 יונ 21 2017 secmod.db -rw-rw-r-- 1 ron ron 0 יונ 5 13:43 SecurityPreloadState.txt -rw-rw-r-- 1 ron ron 116 אוג 6 2017 serviceworker.txt -rw------- 1 ron ron 288 יונ 5 13:43 sessionCheckpoints.json drwx------ 2 ron ron 4096 יונ 5 13:43 sessionstore-backups -rw------- 1 ron ron 1898 אוג 23 2017 sessionstore.js -rw------- 1 ron ron 3800 יונ 5 13:43 sessionstore.jsonlz4 -rw-rw-r-- 1 ron ron 4662 יונ 5 13:43 SiteSecurityServiceState.txt drwxr-xr-x 5 ron ron 4096 אוג 6 2017 storage -rw-r--r-- 1 ron ron 512 דצמ 17 2017 storage.sqlite -rwx------ 1 ron ron 29 יונ 21 2017 times.json -rw-rw-r-- 1 ron ron 0 יונ 5 13:43 TRRBlacklist.txt -rw-r--r-- 1 ron ron 98304 יונ 4 17:37 webappsstore.sqlite -rw------- 1 ron ron 170 יונ 5 13:43 xulstore.json ERROR: failed to execute "certutil -A": exit status 255 certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format. ```

kerem commented 2026-02-25 22:32:22 +03:00

Author

Owner

Copy link

@adamdecaf commented on GitHub (Jul 12, 2018):

@FiloSottile Is there a reason cert9.db isn't prioritized? Firefox upgrades users to cert9.db and then stops using cert8.db/key3.db.

On my mac I've got a cert8.db/key3.db file left around too.

https://github.com/FiloSottile/mkcert/pull/13 fixed this issue for me locally before https://github.com/FiloSottile/mkcert/pull/33 was merged.

<!-- gh-comment-id:404562162 --> @adamdecaf commented on GitHub (Jul 12, 2018): @FiloSottile Is there a reason cert9.db isn't prioritized? Firefox upgrades users to cert9.db and then stops using cert8.db/key3.db. On my mac I've got a cert8.db/key3.db file left around too. https://github.com/FiloSottile/mkcert/pull/13 fixed this issue for me locally before https://github.com/FiloSottile/mkcert/pull/33 was merged.

kerem referenced this issue 2026-02-25 22:33:07 +03:00

[GH-ISSUE #558] Certutil process is continuously running and not returning when creating new NSS DB #328

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

v1.4.4

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.3.0

v1.2.0

v1.1.2

v1.1.1

v1.1.0

v1.0.1

v1.0.0

v0.9.1

v0.9.0

Labels

Clear labels   

TLS stack issue

  

Windows

  

bug

  

duplicate

  

duplicate

  

enhancement

  

help wanted

  

help wanted

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

question

  

root store

  

waiting for info

No labels

TLS stack issue

Windows

bug

duplicate

duplicate

enhancement

help wanted

help wanted

pull-request

question

question

root store

waiting for info

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/mkcert#9

No description provided.