The test on line 947 of PK11Finder.c is if(certExists). Actually, certExists
tells whether the associated key exists, which it will for a user cert. So
generally importing user certs will fail.
I removed the check. It looks like NSS > 3.3 will silently ignore the second
Fixed in mozilla/security/jss/org/mozilla/jss/manage/PK11Finder.c on
JSS_3_1_BRANCH (18.104.22.168) and trunk (1.7).
Michelle verified that she can now import a cert into CMS. To be really sure
that this was the right fix, CMS should try it out with hardware, CA cert
renewal, and all the other wacky situations they run into.