

Convert your local Firefox CA certs to PEM

From: Daniel Stenberg
Date: Thu, 21 Aug 2008 10:52:06 +0200 (CEST)


Nelson Bolyard on the mozilla dev-tech-crypto mailing list posted a fancy
script which I've taken the liberty to edit slightly and decided I'd let you
guys have a peek!

This script converts the cert database of your local Firefox installation on a
*nix system to a PEM file suitable for use by GnuTLS or OpenSSL based
programs. Including of course such libcurl based apps.

The script uses the 'certutil' tool which is provided by the NSS project. In
Debian it ships with the 'libnss3-tools' package.

db=`ls -1d $HOME/.mozilla/firefox/*default`

# List the built-in CA nicknames, strip the trust-flag column, then dump
# each certificate in PEM (-a) form to stdout, preceded by its nickname.
certutil -L -h 'Builtin Object Token' -d $db | \
grep ' *[CcGTPpu]*,[CcGTPpu]*,[CcGTPpu]* *$' | \
sed -e 's/ *[CcGTPpu]*,[CcGTPpu]*,[CcGTPpu]* *$//' -e 's/\(.*\)/"\1"/' | \
sort | \
while read nickname; \
  do echo $nickname | sed -e "s/Builtin Object Token://g"; \
  eval certutil -d $db -L -n "$nickname" -a ; \
done

Funnily enough, this does not create an identical file like that of 'make
ca-bundle' (only almost) but I'm working with the NSS guys to figure out why
and if there's a flaw somewhere.

Received on 2008-08-21
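
Added example (not part of the original mail and not curl project code): when two CA bundles are "almost" identical, comparing them by the SHA-256 of each certificate's DER bytes shows which trust anchors actually differ, regardless of ordering, line wrapping or header text. The sample bundles are constructed placeholder data, and the name-then-"====" layout assumed for the second bundle is an assumption.

```python
import base64
import hashlib

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def fingerprints(bundle_text):
    """Return {sha256(DER) hex: label} for each certificate in a PEM bundle."""
    certs, label, body = {}, "", None   # body is None outside a PEM block
    for line in bundle_text.splitlines():
        line = line.strip()
        if line == BEGIN:
            body = []
        elif line == END and body is not None:
            der = base64.b64decode("".join(body))
            certs[hashlib.sha256(der).hexdigest()] = label
            label, body = "", None
        elif body is not None:
            body.append(line)
        elif line and set(line) != {"="}:   # skip "====" underline rows
            label = line.strip('"')         # the script echoes quoted nicknames
    return certs

def compare(a_text, b_text):
    """Labels of certificates found only in bundle A, and only in bundle B."""
    a, b = fingerprints(a_text), fingerprints(b_text)
    return (sorted(a[h] for h in a.keys() - b.keys()),
            sorted(b[h] for h in b.keys() - a.keys()))

def make_pem(der, width):
    """Wrap bytes as a PEM certificate block (used only for the sample data)."""
    b64 = base64.b64encode(der).decode()
    rows = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "\n".join([BEGIN, *rows, END])

# Constructed sample data: placeholder bytes, not real certificates.
A, B, C = (bytes([n]) * 90 for n in (1, 2, 3))
FIREFOX = (f'"Example Root A"\n{make_pem(A, 64)}\n'
           f'"Example Root B"\n{make_pem(B, 64)}\n')
CURL = (f"Example Root B\n==============\n{make_pem(B, 76)}\n\n"
        f"Example Root C\n==============\n{make_pem(C, 76)}\n")

if __name__ == "__main__":
    only_firefox, only_other = compare(FIREFOX, CURL)
    print("only in Firefox export:", only_firefox)
    print("only in other bundle:  ", only_other)
```

A certificate that shows up on only one side is a trust anchor one set of programs accepts and the other does not, which is the difference worth reviewing before deploying either file.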