Mozilla "certutil -L -n" - Print Certificate Info from cert8.db

Q

How to print out information from a certificate stored in the cert8.db file?

✍: FYIcenter.com

A

If you want to print out information from a certificate stored in the "cert8.db" file created by Firefox 9, you can use the Mozilla "certutil -L -n" command as shown in this tutorial:

C:\fyicerter>\fyicerter\nss\bin\certutil -L -n "GeoTrust SSL CA" -d C:\Users\fyicenter\AppData\Roaming\Mozilla\Firefox\Profiles\xxxx.default

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 145104 (0x236d0)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US"
        Validity:
            Not Before: Fri Feb 19 22:39:26 2010
            Not After : Tue Feb 18 22:39:26 2020
        Subject: "CN=GeoTrust SSL CA,O="GeoTrust, Inc.",C=US"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    90:b3:80:c1:e4:e5:46:ad:70:60:3d:ba:e5:14:dd:9e:
                    8a:5e:8b:75:5a:e6:ca:6d:41:a5:23:e8:39:85:26:7a:
                    a7:55:77:9a:48:a1:92:7e:3a:1e:1a:f1:27:ab:a3:4c:
                    ...
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Key Usage
            Critical: True
            Usages: Certificate Signing
                    CRL Signing

            Name: Certificate Subject Key ID
            Data:
                42:79:54:1b:61:cd:55:2b:3e:63:d5:3c:48:57:f5:9f:
                fb:45:ce:4a

            Name: Certificate Authority Key Identifier
            Key ID:
                c0:7a:98:68:8d:89:fb:ab:05:64:0c:11:7d:aa:7d:65:
                b8:ca:cc:4e

            Name: Certificate Basic Constraints
            Critical: True
            Data: Is a CA with a maximum path length of 0.

            Name: CRL Distribution Points
            URI: "http://crl.geotrust.com/crls/gtglobal.crl"

            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location:
                URI: "http://ocsp.geotrust.com"

    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature:
        d4:ef:53:84:e8:1a:bd:a1:8b:04:c0:a9:f5:5f:a1:10:
        78:45:5d:b2:57:6a:4e:24:cb:65:4e:31:97:91:9a:d4:
        24:f8:e2:27:66:70:31:9c:c1:62:54:06:e7:97:1d:3a:
        ...
    Fingerprint (MD5):
        DF:F1:B7:6B:25:8D:BE:73:48:E3:76:68:97:A9:38:71
    Fingerprint (SHA1):
        78:0A:06:F6:E9:B4:06:1C:AD:0C:65:02:71:06:06:EB:53:5F:1C:26

    Certificate Trust Flags:
        SSL Flags:
        Email Flags:
        Object Signing Flags:

What you are getting from this tutorial:

  • '-n "GeoTrust SSL CA"' specifies the name of the certificate to print out.
  • This certificate is issued to "GeoTrust SSL CA" by "GeoTrust Global CA".
  • The printed output format is very similar to that of the "OpenSSL x509" command.

2012-08-01
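
An added example, not part of the original tutorial: a Python script that parses the text printed by "certutil -L -n" above and reports the points a reviewer would check (signature hash, validity period, CA status). The function names and the trimmed sample text are constructed for illustration.

```python
from datetime import datetime

# Constructed sample: excerpt of the output shown above, hex blocks left out.
SAMPLE = '''\
Certificate:
    Data:
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US"
        Validity:
            Not Before: Fri Feb 19 22:39:26 2010
            Not After : Tue Feb 18 22:39:26 2020
        Subject: "CN=GeoTrust SSL CA,O="GeoTrust, Inc.",C=US"
            Name: Certificate Basic Constraints
            Data: Is a CA with a maximum path length of 0.
    Fingerprint (SHA1):
        78:0A:06:F6:E9:B4:06:1C:AD:0C:65:02:71:06:06:EB:53:5F:1C:26
'''
WANTED = ("Signature Algorithm", "Issuer", "Subject",
          "Not Before", "Not After", "Fingerprint (SHA1)")

def parse_certutil(text):
    """Pull selected fields out of certutil's pretty-printed certificate."""
    info, pending = {"Is CA": False}, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending:  # value printed on the line after its label
            info[pending], pending = line, None
            continue
        key, _, value = line.partition(":")  # split at the first colon only
        key, value = key.strip(), value.strip()
        if key == "Data" and value.startswith("Is a CA"):
            info["Is CA"] = True
        elif key in WANTED and key not in info:  # keep the first occurrence
            if not value:
                pending = key
            elif len(value) > 1 and value[0] == value[-1] == '"':
                info[key] = value[1:-1]  # drop only the outer quotes
            else:
                info[key] = value
    for k in ("Not Before", "Not After"):  # no time zone is shown in the output
        if k in info:
            info[k] = datetime.strptime(info[k], "%a %b %d %H:%M:%S %Y")
    return info

def review(info, now):
    """Return findings about the parsed certificate as of 'now'."""
    findings = []
    if "SHA-1" in info.get("Signature Algorithm", ""):
        findings.append("SHA-1 signature")
    if not info["Not Before"] <= now <= info["Not After"]:
        findings.append("outside validity period")
    if info["Is CA"]:
        findings.append("CA certificate")
    return findings
```

To use it on live data, pass the captured output of the certutil command to parse_certutil() instead of SAMPLE.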