I was attempting to view the certificate for my FreeIPA server:
$ certutil -L -n 'IPA CA' -d /etc/dirsrv/slapd-FREEIPA-OSRIC-NET/
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
That had me worried. Was my cert/key database corrupt? Turns out, I just didn’t have permission to read the files. It worked when I tried it with sudo:
$ sudo certutil -L -n 'IPA CA' -d /etc/dirsrv/slapd-FREEIPA-OSRIC-NET/
That produced the expected output.
The “old, unsupported format” error is produced in a variety of cases and is often neither helpful nor informative. Permissions are just one reason why you might run into this message. Other reasons I’ve found include specifying a directory that does not contain the expected cert database files (i.e. cert8.db, key3.db, and secmod.db), or specifying a directory that does not exist.
I also received the same error message when using pk12util, e.g.:
# sudo pk12util -i -d /etc/dirsrv/slapd-FREEIPA-OSRIC-NET /root/cacert.p12
I thought that the problem was that I had left out an argument (-n, the nickname of the cert and key). The following gave me a different error:
# sudo pk12util -i -n Server-Cert -d /etc/dirsrv/slapd-FREEIPA-OSRIC-NET /root/cacert.p12
Enter Password or Pin for "NSS Certificate DB":
pk12util: File Open failed: -n: PR_FILE_NOT_FOUND_ERROR: File not found
I looked at the NSS tools : pk12util reference and found a list of error codes. I checked to see which error I had received:
# echo $?
10
That corresponds to 10 – File initialization error.
And examining the error message more closely, I can see it is looking for a file named -n. Looking at the examples on the NSS tools : pk12util reference, I can see that the PKCS#12 input file argument should be included immediately after the -i flag, which makes sense. The following worked:
# sudo pk12util -i /root/cacert.p12 -n 'Server-Cert cert-pki-ca' -d /etc/dirsrv/slapd-FREEIPA-OSRIC-NET/