Fixing “certutil: function failed: security library: bad database” Error in NSS Operations


When working with Mozilla's Network Security Services (NSS) tools, particularly certutil, you might encounter:

$ certutil -L -d sql:/path/to/certdb
certutil: function failed: security library: bad database.

This error typically occurs when your certificate database (cert8.db/key3.db in the legacy dbm format, or cert9.db/key4.db in the SQLite format) is corrupted or inaccessible. Common causes include:

  • Improper shutdown during database operations
  • File permission issues
  • Database schema version mismatch
  • Partial database migrations

First verify the database integrity:

$ ls -l /path/to/certdb/
total 1024
-rw------- 1 user user 65536 Jan 1 10:00 cert9.db
-rw------- 1 user user 16384 Jan 1 10:00 key4.db
-rw------- 1 user user  8192 Jan 1 10:00 pkcs11.txt

Check that the file owner and permissions allow the user running certutil to read and write every file in the directory.

Method 1: Database Recovery

Try exporting and reimporting certificates. The listing gives nickname and trust flags; each certificate is then saved as PEM, the database is recreated, and the certificates are added back with their original trust:

$ certutil -L -d sql:/path/to/certdb -f password.txt \
    | awk '!/Trust Attributes|SSL,S\/MIME/ && match($0, /[ \t]+[^ \t]+[ \t]*$/) { print substr($0, 1, RSTART-1) "\t" $NF }' > certs.tsv
$ mkdir -p certbackup; n=0
$ while IFS="$(printf '\t')" read -r nick trust; do
    n=$((n+1)); certutil -L -d sql:/path/to/certdb -n "$nick" -a > "certbackup/$n.pem"
    printf '%s\t%s\t%s\n' "$n" "$nick" "$trust" >> manifest.tsv
  done < certs.tsv
$ rm /path/to/certdb/*.db
$ certutil -N -d sql:/path/to/certdb
$ while IFS="$(printf '\t')" read -r n nick trust; do
    certutil -A -d sql:/path/to/certdb -n "$nick" -t "$trust" -a -i "certbackup/$n.pem"
  done < manifest.tsv

certutil -L exports only the certificates; private keys are not included, so back up any key pairs with pk12util -o (PKCS#12 export) before removing the database files.

Method 2: Schema Migration

For legacy (dbm) to SQL migration, create the new database and merge the legacy one into it:

$ certutil -N -d sql:/path/to/new_sql_db -f password.txt
$ certutil --merge -d sql:/path/to/new_sql_db --source-dir /path/to/legacy_db -f password.txt

Method 3: Full Reset

As a last resort (this discards all certificates and private keys in the database):

$ rm /path/to/certdb/*.db
$ certutil -N -d sql:/path/to/certdb

To reduce the chance of recurrence:

  • Regularly back up certificate databases
  • Use dbm instead of sql format for simpler recovery
  • Implement proper file locking in scripts

Enable library-level logging (certutil has no verbose switch; its -v option sets certificate validity in months):

$ NSPR_LOG_MODULES=all:5 NSPR_LOG_FILE=/tmp/nss-debug.log certutil -L -d sql:/path/to/certdb

Check NSS logs at ~/.netscape/nss.log


The certutil error occurs when the Network Security Services (NSS) database becomes corrupted or inaccessible. This typically happens in these scenarios:

  • Improper shutdown during database operations
  • File permission changes
  • Manual modification of .db files
  • Version incompatibility

First verify the database integrity:

certutil -L -d sql:/path/to/certdb
# or for legacy db format:
certutil -L -d /path/to/certdb

If you receive the "bad database" error, proceed with these recovery steps.
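Before recovering, it helps to pin down which of the causes above applies: wrong path, mixed legacy and SQL files, permissions, or a damaged SQLite file. The following shell script is an added diagnostic helper written for this page, not an NSS tool or part of the original text; it assumes sqlite3 is installed for the integrity check of cert9.db/key4.db and skips that step otherwise.

```shell
#!/bin/sh
# Added diagnostic helper (not an NSS tool): classify an NSS database directory and
# report the usual causes of "security library: bad database" before touching it.
# Echo the storage format found in $1: sql (cert9/key4/pkcs11.txt),
# dbm (cert8/key3/secmod.db), mixed (both) or none.
nss_db_format() {
    dir=$1; sql=no; dbm=no
    for f in cert9.db key4.db pkcs11.txt; do
        if [ -e "$dir/$f" ]; then sql=yes; fi
    done
    for f in cert8.db key3.db secmod.db; do
        if [ -e "$dir/$f" ]; then dbm=yes; fi
    done
    if [ "$sql" = yes ] && [ "$dbm" = yes ]; then echo mixed
    elif [ "$sql" = yes ]; then echo sql
    elif [ "$dbm" = yes ]; then echo dbm
    else echo none
    fi
}

# Print findings for directory $1; return 0 when nothing looks wrong, 1 otherwise.
nss_db_check() {
    dir=$1; rc=0
    if [ ! -d "$dir" ]; then echo "problem: $dir is not a directory"; return 1; fi
    fmt=$(nss_db_format "$dir")
    case $fmt in
        sql)   echo "format: sql   -> use certutil -d sql:$dir" ;;
        dbm)   echo "format: dbm   -> use certutil -d dbm:$dir" ;;
        mixed) echo "problem: legacy and SQL files coexist; keep one format only"; rc=1 ;;
        none)  echo "problem: no NSS database files in $dir (wrong path?)"; rc=1 ;;
    esac
    # The files must be readable and writable by whoever runs certutil.
    for f in "$dir"/cert8.db "$dir"/key3.db "$dir"/cert9.db "$dir"/key4.db; do
        if [ -e "$f" ] && { [ ! -r "$f" ] || [ ! -w "$f" ]; }; then
            echo "problem: $f is not read/write for $(id -un)"; rc=1
        fi
    done
    # SQL-format files are plain SQLite databases, so SQLite can check them directly.
    if [ "$fmt" = sql ] && command -v sqlite3 >/dev/null 2>&1; then
        for f in "$dir"/cert9.db "$dir"/key4.db; do
            [ -e "$f" ] || continue
            res=$(sqlite3 "$f" 'PRAGMA integrity_check;' 2>&1 | head -n 1)
            if [ "$res" != ok ]; then echo "problem: $f integrity_check: $res"; rc=1; fi
        done
    fi
    return $rc
}

if [ $# -ge 1 ]; then nss_db_check "$1"; fi
```

Run it as `sh nsscheck.sh /path/to/certdb`; a non-zero exit status means at least one "problem:" line was printed.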

Method 1: Database Verification and Repair

Use the NSS dbverify tool:

dbverify cert8.db
# or for SQL format:
dbverify cert9.db

For key database files:

dbverify key3.db
dbverify key4.db

Method 2: Creating a New Database

If repair fails, create a fresh database and import certificates:

mkdir ~/newcertdb
certutil -N -d sql:~/newcertdb
certutil -A -n "My Cert" -t "CT,," -i certificate.pem -d sql:~/newcertdb

Using pk12util for Backup Restoration

If you have PKCS#12 backups:

pk12util -i backup.p12 -d sql:/path/to/newdb -k certdb.pw -W p12password

Manual SQLite Recovery (for SQL format)

For SQL-formatted databases:

sqlite3 cert9.db ".dump" > certdump.sql
sqlite3 newcert9.db < certdump.sql
# repeat for key4.db, which holds the private keys

To prevent future corruption:

  • Regularly back up NSS databases with pk12util
  • Use proper shutdown procedures
  • Maintain consistent file permissions
  • Keep NSS tools updated

When troubleshooting:

  • Don't modify .db files directly with external tools
  • Avoid mixing SQL and legacy formats
  • Ensure consistent environment variables (DBLIB, CERTDIR)
  • Verify all dependent files exist (cert8.db, key3.db, secmod.db)