certutil: function failed: security library: bad database


Solution 1

If it is a new system, your certificate database might not be initialized. To fix this, run:

mkdir -p $HOME/.pki/nssdb
certutil -d $HOME/.pki/nssdb -N

Solution 2

If the database has already been initialised but is still corrupted, it has to be rebuilt:

$ mv ~/.pki/nssdb ~/.pki/nssdb.corrupted
$ mkdir ~/.pki/nssdb
$ chmod 700 ~/.pki/nssdb
$ certutil -d sql:$HOME/.pki/nssdb -N

Check that it is working:

$ certutil -d sql:$HOME/.pki/nssdb -L
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Import certificate

$ certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n GoAgent -i ~/programs/goagent/local/CA.crt

Solution 3

If you want to display certificates from a specific folder (for example, the folder which stores the cert8.db file for Firefox), you need to specify the folder with "-d":

nss-certutil -d /Users/myuser/Library/Application\ Support/Firefox/Profiles/jii912uh.default -L

Otherwise, nss-certutil may try to read *.db files from the ~/.netscape folder, or maybe $HOME/.pki/nssdb as a previous user mentioned.

Solution 4

Also check whether the -d directory path (it must point to the directory) contains any spaces. With a space it gives the same error, or a bad file format error (old database format, etc.). Especially on Mac, the folder is in "Application Support", which contains a space. So have the path fully quoted:

"/Users/myuser/Library/Application Support/Firefox/Profiles/jii912uh.default"

or add the \ escape character.

 /Users/myuser/Library/Application\ Support/Firefox/Profiles/jii912uh.default

And check that the folder has the following files: cert8.db, key3.db and secmod.db.
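
Solutions 3 and 4 both come down to certutil being pointed at a directory whose path or on-disk format is not what it expects. The script below is an added example, not part of the original answers: it classifies a directory by its files (cert8.db/key3.db for the legacy format, cert9.db/key4.db for the SQLite format opened with the sql: prefix) and builds a quoted -d argument with an explicit prefix. The helper names nssdb_format and certutil_d_arg are hypothetical.

```shell
#!/bin/sh
# Added example: classify an NSS database directory before calling certutil.
# nssdb_format and certutil_d_arg are hypothetical helper names.

# Print one of: missing | empty | sql | dbm | both
nssdb_format() {
    dir=$1
    [ -d "$dir" ] || { echo missing; return 0; }
    has_sql=no; has_dbm=no
    # SQLite format (sql: prefix): cert9.db + key4.db (+ pkcs11.txt)
    [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ] && has_sql=yes
    # Legacy format (dbm: prefix): cert8.db + key3.db (+ secmod.db)
    [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ] && has_dbm=yes
    case "$has_sql/$has_dbm" in
        yes/yes) echo both ;;
        yes/no)  echo sql ;;
        no/yes)  echo dbm ;;
        *)       echo empty ;;
    esac
}

# Print the value to pass to "certutil -d", with an explicit prefix so the
# result does not depend on the default format of the installed NSS build.
# When both formats are present this example chooses sql: (an assumption).
certutil_d_arg() {
    case "$(nssdb_format "$1")" in
        sql|both) printf 'sql:%s\n' "$1" ;;
        dbm)      printf 'dbm:%s\n' "$1" ;;
        *)        return 1 ;;   # nothing to open: create it with -N first
    esac
}

# Usage: sh nssdb_check.sh "/path/with spaces/profile"
if [ "$#" -gt 0 ]; then
    arg=$(certutil_d_arg "$1") || { echo "no NSS database in: $1" >&2; exit 1; }
    # Quoting "$arg" keeps a path such as ".../Application Support/..." intact.
    certutil -d "$arg" -L
fi
```

A result of "empty" or "missing" corresponds to Solution 1 (initialise with -N); a result of "dbm" on a build that defaults to the SQLite format explains why a bare path can fail while an explicit prefix works.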


Author: Zim3r

A bad member of community.

Updated on September 18, 2022

Comments

  • Zim3r
    Zim3r over 1 year

    When I'm using certutil it returns this error: certutil: function failed: security library: bad database.

    E.g. I can't list certs or keys.

    How can I fix this?

  • pid
    pid about 10 years
    Since last update of libGNUTLS on Debian my browsers (chrome and iceweasel) failed to open. On console I got [5284:5310:0306/110217:ERROR:nss_util.cc(750)] After loading Root Certs, loaded==false: NSS error code: -8018 and no way to solve this gracefully. Rebuilding the DB solved it for me! Thank you very much :)
  • Gillfish
    Gillfish almost 9 years
    I was able to rebuild the DB and list the certificates after that, but my import is still failing with the error: certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database. My import command is certutil -d sql:$HOME/.pki/nssb -A -t "CT,C,C" -n sophos -i ~/Downloads/sophos_cert.crt This shouldn't have to be run as root, should it?
  • Ben Johnson
    Ben Johnson almost 6 years
    If you don't want a password on the certificate database, add the --empty-password switch to the end of the certutil command.
  • CMCDragonkai
    CMCDragonkai over 4 years
    I found that if I ran instead: certutil -d sql:$HOME/.pki/nssdb -L it would not result in that error. But if I just run certutil -L it would show that error. Does that mean the database is not corrupted, but there's some incompatibility or does certutil expect the wrong directory?