[NO_Replies_Ever] - How to use certutil

[warron.french]

I read the manpage for certutil, and tried to execute commands based on my understanding.

Code: Select all

[root@wfrench-logsvr ~]# certutil -d /etc/pki/nssdb/  -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

[root@wfrench-logsvr ~]# certutil -d /etc/pki/nssdb/cert8.db  -L
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
[root@wfrench-logsvr ~]# certutil -d /etc/pki/nssdb/cert9.db  -L
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.

Am I not supposed to list the cert8.db or cert9.db file? Just the path to the files?

If so, how do you know if Google Chrome (cert9.db) is going to trust a certificate versus Firefox (cert8.db)?

This is a follow-on to my efforts to try and figure out how to holistically approach with as few unique solutions as possible; managing:
1. Citrix Receiver,
2. Google Chrome,
3. Firefox,
4. JAVA certificate truststore
5. System certificate store

[harrywangca]

Hello Warron,

How do you install certutil? what package do you install? I am using CentOS 8 now and I want to sign my custom kernel, it needs certutil and pesign, but I am not sure how to install them.

[warron.french]

@harrywangca,

Execute this command to find out what package provides "certutil" specifically:

Code: Select all

yum    provides    */certutil

Then you know what packagename to install with:

Code: Select all

yum install  packagename

So, when I checked my RHEL7 machine, it came back indicating that command is provided by the package: nss-tools