The older Policy Server uses a different version of NSS certutil.
After the Policy Server is upgraded to a new version, the existing cert8.db/cert9.db is no longer compatible.
How can a certificate be exported from the older cert8.db/cert9.db so that it can be imported into the new cert8.db/cert9.db?
All supported Siteminder releases
From the older Policy Server, export the cert using the older version of certutil.
1. Open cmd or bash and cd to the directory containing the cert8.db/cert9.db file.
2. List the certificate aliases in the cert8.db/cert9.db:
certutil -L -d <Path to the database file cert8.db/cert9.db>
3. Identify which CA cert alias you need.
4. Export the CA alias to exportedcacert.crt (this will be in binary format):
certutil -L -d . -n <CA Alias> -r > exportedcacert.crt
The above will generate the certificate in binary format.
You can convert it to PEM format, ready to be imported into the cert8.db/cert9.db, with the following openssl command:
openssl x509 -inform der -in exportedcacert.crt -out certificate.crt
You can copy certificate.crt to the new Policy Server and import it into the new cert8.db/cert9.db using the commands below.
For a server certificate, use:
"siteminder_home\bin\certutil.exe" -A -n "ServerCert" -t "P,P,P" -i Server.crt -d <Path to the database file cert8.db/cert9.db>
For root and intermediate certificates, use:
"siteminder_home\bin\certutil.exe" -A -n "RootCert" -t "C,C,C" -i RootCA.crt -d <Path to the database file cert8.db/cert9.db>
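A certificate imported with "C,C,C" becomes a trusted CA, so it is worth confirming that the converted file is the same certificate that was exported before importing it. The script below is an added example, not part of the original article: it compares SHA-256 fingerprints of the binary export and the PEM file. The function names and the throwaway demo certificate (with its demo.key) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that the DER -> PEM conversion preserved the certificate.

# SHA-256 fingerprint of a certificate file. $1 = file, $2 = der or pem
cert_fp() {
    openssl x509 -inform "$2" -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Fingerprint of alias $2 in the NSS database directory $1, read with the same
# "certutil -L -r" export the article uses. Run it against the old and the new
# database after the import and compare the two values.
db_fp() {
    certutil -L -d "$1" -n "$2" -r |
        openssl x509 -inform der -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds only if the DER export ($1) and the PEM file ($2) are the same certificate.
# An unreadable or wrongly encoded file yields an empty fingerprint and fails.
same_cert() {
    der_fp=$(cert_fp "$1" der)
    pem_fp=$(cert_fp "$2" pem)
    [ -n "$der_fp" ] && [ "$der_fp" = "$pem_fp" ]
}

# Constructed sample input: a throwaway self-signed certificate written in DER,
# standing in for the exportedcacert.crt produced in step 4. $1 = work directory
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Demo CA" -keyout "$1/demo.key" \
        -outform der -out "$1/exportedcacert.crt" 2>/dev/null
}

work=$(mktemp -d)
make_demo_cert "$work"
# Same conversion as in the article
openssl x509 -inform der -in "$work/exportedcacert.crt" -out "$work/certificate.crt"

if same_cert "$work/exportedcacert.crt" "$work/certificate.crt"; then
    echo "fingerprint match: $(cert_fp "$work/certificate.crt" pem)"
else
    echo "fingerprint mismatch, do not import this file" >&2
fi
rm -rf "$work"
```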