1

I am working on CentOS, and I have NSS 3.19.1.

I am trying to add a client certificate with an RSA private key to the NSS database.

I'm working inside of /etc/pki/nssdb and it has the contents:

cert8.db
cert9.db
key3.db
key4.db
pkcs11.txt
secmod.db

I know the cert8, key3, and secmod are the old formats for the db.

But whatever command I run, I either get:

SEC_ERROR_BAD_DATABASE

or

SEC_ERROR_LEGACY_DATABASE

I thought I had the updated database with the cert9, key4, and pkcs11 files.

Can anyone help with this issue?

Cody Pritchard

1 Answer

1
  1. If a secmod.db has no modules contained, the SEC_ERROR_LEGACY_DATABASE also occurs. It's very tricky because the error message has nothing to do with the real cause. I see it as a bug.

So, add a module to the secmod.db first.

modutil -add "some name" -libfile some_so_file_to_load -dbdir "/the/dir/where/the/secmod/is/located/" -secmod secmod.db

-dbdir accepts one directory as a proper value. Don't go deeper to the file itself.

  2. If this also fails, check your permissions on the file secmod.db. In my case, it fails because I don't have write permission. Running a chown as root may fix it.

So, try this:

sudo -s
chown your_user_name /the/secmod/dir/secmod.db

  3. Then, try to add the module and run a modutil -list to check if it's added.

  4. At last, add your certificate to it. It will work. The extension of the db file has nothing to do with it.

WesternGun
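The checks described in the answer above (a directory rather than a file for -dbdir, write permission on the module database), together with a report of which of the file sets listed in the question are present, as an added example that is not part of the original question or answer. The function names are hypothetical and no NSS tool is invoked.

```shell
#!/bin/sh
# Added example: pre-flight checks on an NSS database directory.
# Function names are hypothetical; only file tests are used.

# Print which file sets from the question exist in DIR: legacy, sql, both or none.
nss_db_formats() {
    dir=$1; legacy=0; sql=0
    # Old-format set: cert8.db, key3.db, secmod.db
    [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ] && [ -f "$dir/secmod.db" ] && legacy=1
    # Newer set: cert9.db, key4.db, pkcs11.txt
    [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ] && [ -f "$dir/pkcs11.txt" ] && sql=1
    case "$legacy$sql" in
        11) echo both ;;
        10) echo legacy ;;
        01) echo sql ;;
        *)  echo none ;;
    esac
}

# Print one finding per line for DBDIR; return 0 only when nothing looks wrong.
nss_db_preflight() {
    dbdir=$1; rc=0
    # -dbdir must name the directory, not secmod.db or another file inside it.
    if [ ! -d "$dbdir" ]; then
        echo "not-a-directory: pass the directory that holds the db files"
        return 1
    fi
    fmt=$(nss_db_formats "$dbdir")
    echo "formats: $fmt"
    [ "$fmt" = none ] && rc=1
    # Adding a module rewrites the module database (secmod.db or pkcs11.txt),
    # so it must be writable by the user running modutil.
    for f in secmod.db pkcs11.txt; do
        if [ -f "$dbdir/$f" ] && [ ! -w "$dbdir/$f" ]; then
            echo "not-writable: $f (owner: $(ls -ld "$dbdir/$f" | awk '{print $3}'))"
            rc=1
        fi
    done
    return $rc
}
```

Run it as `nss_db_preflight /etc/pki/nssdb` before modutil. When it reports `both`, note that NSS tools of this version open the newer file set only when the directory is given with the `sql:` prefix (or `NSS_DEFAULT_DB_TYPE=sql` is set).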