Currently, the secmod db stores the full path of the nssckbi.dll which store built-in root CA certs. Secmod.db is in the profile, and the value stored in it for nssckbi.dll reflects the install location of the client version that created it (for 6.1 and higher). If someone which thus created a secmod.db with 6.1, installs 6.2 in a different directory than 6.1 (i.e., the new installation's nssckbi.dll doesn't replace the old nssckbi.dll), and uses this profile, then 6.2 will use the 6.1 version of nssckbi.dll The solution is to make sure that entries in secmod.db for nssckbi.dll are versioned. The result will be that the software will check that the nssckbi.dll is the most recent available: The requirement will be: The dll in secmod.db exists. its version in secmod.db must equal or higher than the currently executing version of the client ships with. If these requirements are not met, the secmod.db will be updated to reflect the version the currently executing client has. This will allows the root ca list to be has complete as possible. This may requires some NSS work as well for the secmod entry versioning.
*** Bug 104965 has been marked as a duplicate of this bug. ***
I believe this is a duplicate of NSS bug 147280. Because this one is PSM and the other is NSS, I'm not marking this one as a duplicate, but rather add a dependency. We should decide whether we are fine, once bug 147280 gets resolved.
*** This bug has been marked as a duplicate of 147280 ***