Each certificate entry had 11 bytes of stuff in front of it (3.0x version) or 14 bytes (4.03 version) and had the short name of the CA tacked on at the end. I removed these by hand and checked the md5 checksum of each certificate against what Netscape said it was (and ran them all through SSLeay's asn1parse for good measure).
You can look at the Netscape 3.0x certificates or the 4.03 certificates.
Oh well, after a few requests I have codged together a little program to do this automatically. It's lame, be forewarned. You need Berkeley DB 1.85 and SSLeay 0.6.x or 0.8.1 (don't know if other versions will work). Here's the source. It creates a bunch of little files wherever you run it, each one with a DER-encoded cert, plus it creates cert-index, which is just the list of file names vs. short names so you know which is which. The offset is set up for NS 4.0x. Oh yeah, and I've only compiled it on SunOS 4.1.3. No guarantees about your OS.
Okay, so you have some funky version of Netscape and are too lazy to figure out the offset of the certs in the database entries yourself. Just run this program, same caveat as the other code, and unless the format of these dbs changes drastically in the future it'll *tell* you the offset. Okay? Happy now?
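The offset discovery described above can be sketched in Python as an added example (this is not the author's program, whose source is not reproduced on this page). It scans one database entry for the DER SEQUENCE that starts the certificate, uses the DER length to split off the trailing short name, and computes the MD5 checksum for comparison with a published value. The function names and the sample records are constructed for illustration.

```python
import hashlib

def der_length(buf, pos):
    """Return (header_len, content_len) of the DER element at buf[pos]."""
    first = buf[pos + 1]
    if first < 0x80:                        # short form: one length octet
        return 2, first
    n = first & 0x7F                        # long form: n length octets follow
    if n == 0 or n > 4 or pos + 2 + n > len(buf):
        raise ValueError("unsupported or truncated length")
    return 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")

def find_cert(record, max_offset=64):
    """Return (offset, der, trailer) for the first plausible certificate."""
    for off in range(min(max_offset, len(record) - 4)):
        if record[off] != 0x30:             # outer Certificate SEQUENCE tag
            continue
        try:
            hdr, length = der_length(record, off)
        except ValueError:
            continue
        end = off + hdr + length
        # The first inner element of a certificate (tbsCertificate) is also
        # a SEQUENCE, and the whole thing must fit inside the entry.
        if 0 < length and end <= len(record) and record[off + hdr] == 0x30:
            return off, record[off:end], record[end:]
    raise ValueError("no DER certificate found in entry")

def md5_fingerprint(der):
    """Hex MD5 of the DER bytes, for comparison with a published checksum."""
    return hashlib.md5(der).hexdigest()

def sample_record(header_len):
    """Constructed stand-in for one entry: header + DER blob + short name."""
    inner = bytes([0x30, 0x03, 0x02, 0x01, 0x01])          # SEQUENCE { INTEGER 1 }
    body = inner + bytes([0x04, 0x82, 0x01, 0x00]) + bytes(256)
    der = bytes([0x30, 0x82]) + len(body).to_bytes(2, "big") + body
    return bytes(header_len) + der + b"Example Test CA", der

if __name__ == "__main__":
    for header_len in (11, 14):             # 3.0x and 4.03 header sizes
        record, _ = sample_record(header_len)
        off, der, trailer = find_cert(record)
        print(off, md5_fingerprint(der), trailer.decode())
```

The scan accepts the first match that parses, so an extracted file should still be checked with an ASN.1 parser and against the published checksum, as the page does.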