Older Policy Server is using different version of NSS certutil.

When Policy Server is upgraded to a new version, the cert8.db was no longer compatible.

How can the certificate from the older cert8.db so it can be imported to new cert8.db?

Release : 12.8.03

Component : Policy Server

From the older Policy Server, export the cert using the older version of certutil.

1. Open cmd or bash and cd to the directory containing the cert8.db file.
2. list the certificate aliases in the cert8.db
    certutil -L -d .
3. Identify which CA cert alias you need.
4. xport the CA alias to exportedcacert.crt (this will be in binary format)
    certutil -L -d . -n <CA Alias> -r > exportedcacert.crt

You can copy the exportedcacert.crt to the new policy server and generate new cert8.db

Mozilla NSS Tools