I did some more testing and found that the cert8.db file contains old certificate information even if the certificate is not in the certutil output. Additionally, not all of the possible certs start with CN=. So, my test was missing certs and setting certs that were not really in use. So I am back to doing a pattern match to extract the certificate information.
Now I parse through the certutil output and filter via the following:
foreach my $line (@certuil_output) {
    my $cert;
    my $trust;
    # Skip blank lines and the two header lines of the listing
    if ($line =~ /(^$|SSL,S\/MIME,JAR\/XPI|Certificate Nickname)/i) {
        next;
    }
    if ($line =~ /(.*)\s+(\w+,\w+,\w+)$/) {
        # Nickname followed by three populated trust fields
        $cert = $1;
        $trust = $2;
    } elsif ($line =~ /(.*)\s+,,\s+$/) {
        # Nickname with all three trust fields empty
        $cert = $1;
        $trust = ",,";
    } else {
        print "Unmatched line: $line\n";
    }
    if ($cert && $trust) { print "$cert\t$trust\n"; }
}
So unless there is a better way, this is what I have.
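An added example, not part of the original post: a variant of the same right-anchored match that also accepts partially empty trust fields such as `C,,`, which the two patterns above would report as unmatched. The sample listing is constructed, and `parse_listing` is a hypothetical name.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample of `certutil -L` style output (not taken from the post).
my @sample = (
    "\n",
    "Certificate Nickname                                         Trust Attributes\n",
    "                                                             SSL,S/MIME,JAR/XPI\n",
    "\n",
    "Server-Cert                                                  u,u,u\n",
    "Example Root CA - Example Org                                CT,C,C\n",
    "OU=Example Intermediate,O=Example Org                        C,,\n",
    "old-peer cert                                                ,,   \n",
    "line without trust flags\n",
);

# Hypothetical helper: returns (\@certs, \@unmatched) for a list of listing lines.
sub parse_listing {
    my @lines = @_;
    my (@certs, @unmatched);
    for my $line (@lines) {
        chomp $line;
        next if $line =~ /^\s*$/;                                        # blank line
        next if $line =~ /Certificate Nickname|SSL,S\/MIME,JAR\/XPI/i;   # header lines
        # Anchor on the right: three comma-separated fields, each possibly empty.
        # The lazy (.*?) keeps spaces and commas inside the nickname intact.
        if ($line =~ /^(.*?)\s+([A-Za-z]*),([A-Za-z]*),([A-Za-z]*)\s*$/) {
            push @certs, { nickname => $1, ssl => $2, smime => $3, code => $4 };
        } else {
            push @unmatched, $line;
        }
    }
    return (\@certs, \@unmatched);
}

my ($certs, $unmatched) = parse_listing(@sample);
for my $c (@$certs) {
    my $trust = join ',', @{$c}{qw(ssl smime code)};
    # In NSS trust flags, C and T mark a trusted CA; tag those entries for review.
    my $note = $trust =~ /[CT]/ ? "\ttrusted CA" : "";
    print "$c->{nickname}\t$trust$note\n";
}
print STDERR "Unmatched line: $_\n" for @$unmatched;
```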