Not having certutil handy, I don't really understand the sample you included in your post. Off hand, I would expect to extract the name from the CN field, but there are more than 1. Can you post sanitized versions of actual certs?

As for a more Perlish way, Firefox stores setting, preferences, etc. in a SQLite database. Look at DB::SQLite. Also, it might be easier to examine the DB if you install SQLite and use its generic client to explore the DB.

I am not trying to parse the actual certificates, just the simple certutil overview output I provided earlier to get the CN and Trust Level.

However, that is a great idea to use the DB::SQLite module. I will try this and see if I have any success.

Thanks!

I tried to generically connect via sqlite3 and was unsuccessful:

$ sqlite3 cert8.db
   SQLite version 3.3.6
   Enter ".help" for instructions
   sqlite> .tables
   Error: file is encrypted or is not a database
[download]

I did some research and it appears that sqlite3 may not be able to communicate with the stored format. However, I think I did find a work around. Basically, if I use the strings command on the cert8.db file, it will dump the contents of the db file on different lines and I can find the certificate names alone on a single from there. So I updated my code to:

my %certs;
my @stored_certs;

# Get stored certificates:
my $command = "strings $config{firefox_profile}/cert8.db";
open(OUTPUT , "-|", "$command");
while (my $line = <OUTPUT>){
    chomp $line;
    if ($line =~ /CN=/i) {
        $line =~ s/^!//g;
        $line =~ s/(^\s+|\s+$)//g;
        if (! $certs{$line}) { $certs{$line}{stored_in_firefox}++; }
    }
}
close OUTPUT;

# Get each stores certificate's trust level:
$command  = "certutil -L -d $config{firefox_profile}";
open(OUTPUT, "-|", "$command");
while (my $line = <OUTPUT>){
    chomp $line;
    push (@stored_certs, $line);
}

foreach my $cert (sort keys %certs) {
    foreach my $line (@stored_certs) {
        if ($line =~ /^$cert/) {
            $line =~ s/^$cert//;
            $line =~ s/(^\s+|\s+$)//;
            $lcerts{$cert}{trust_level} = $line;
        }
    }
}
[download]

I think this is good enough for now. Thanks again,

I did some more testing and found that the cert8.db file contains old certificate information even if the certificate is not in the certutil output. Additionally, not all of the possible certs start with CN=. So, my test was missing certs and setting certs that were not really in use. So I am back to doing a pattern match to extract the certificate information.

Now I parse through the certutil output and filter via the following:

foreach my $line (@certuil_output) {
    my $cert;
    my $trust;
    if ($line =~ /(^$|SSL,S\/MIME,JAR\/XPI|Certificate Nickname)/i) { 
+next; }
    if ($line =~ /(.*)\s+(\w+,\w+,\w+)$/) {
        $cert = $1;
        $trust = $2
    } elsif ($line =~ /(.*)\s+,,\s+$/) {
        $cert = $1;
        $trust = “,,”;
    } else {
        print “Unmatched line: $line\n”;
    }

    if ($cert && $trust) { print "$cert\t$trust\n"; }
}
[download]

So unless there is a better way, this is what I have.

But for the sake of [Perl] scripting. I thought it might be helpful -- see; mandatory, to actually know how to use certutil. As it would be otherwise pretty near impossible to respond with anything creative, or of much value. :)
Mozilla, has apparently hidden the previous link they offered for it's usage. But The WayBack Machine gave me a copy to view. So I'll share it here. :)

--Chris

The documentation for Firefox's certutil is alive and well at https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Tools/certutil

I did not have any success with sqlite3, but thanks for the information.