Removing one of two certificates with equal nicknames

Question

I have two certificates installed:

kirrun@kirNote ~ [1197]% certutil -d sql:/home/kirrun/.pki/nssdb -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CAcert WoT User's CA Cert Signing Authority ID               u,u,u
CAcert WoT User's CA Cert Signing Authority ID               u,u,u

As you can see both certificates have the same nickname, but they obviously have different serial numbers. So, I want to remove one of them. It seems to me that certutil can only remove certificates by nickname.

The question is: how do I remove exactly one of those two certificates (and not a random one but the one I want to remove)?

Answer 1

Easiest way? Remove both and reinstall the one you want?

https://developer.mozilla.org/en-US/docs/NSS_reference/NSS_tools_:_certutil

Answer 2

So, I finally managed to do this using Chromium's GUI (it's in Settings > Show advanced settings > HTTPS/SSL > Manage certificates).

This works if using a GUI is an option for you and if the database in question is sql:~/.pki/nssdb. If it's elsewhere you'll probably have to move directories around. If it's not sql, then using Firefox's GUI might be an option, but note that it stores its cert db in ~/.mozilla/firefox/<profile> (moving files around again) and, unfortunatelly, it's not working for me: when I click “delete” the record disappears from the list but, actually, nothing changes in the db.

I'm still looking for a distro-agnostic way to do this from the console.