diff --git a/SOURCES/nss-util-3.36-ipsec_cert_vfy.patch b/SOURCES/nss-util-3.36-ipsec_cert_vfy.patch
new file mode 100644
index 0000000..d7aeaac
--- /dev/null
+++ b/SOURCES/nss-util-3.36-ipsec_cert_vfy.patch
@@ -0,0 +1,124 @@
+diff --git a/lib/util/secoid.c b/lib/util/secoid.c
+--- a/lib/util/secoid.c
++++ b/lib/util/secoid.c
+@@ -117,17 +117,19 @@ const char __nss_util_version[] = "Versi
+ /* for DH algorithm */
+ /* { iso(1) member-body(2) us(840) x9-57(10046) number-type(2) } */
+ /* need real OID person to look at this, copied the above line
+  * and added 6 to second to last value (and changed '4' to '2' */
+ #define ANSI_X942_ALGORITHM 0x2a, 0x86, 0x48, 0xce, 0x3e, 0x2
+ 
+ #define VERISIGN 0x60, 0x86, 0x48, 0x01, 0x86, 0xf8, 0x45
+ 
+-#define PKIX 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07
++#define INTERNET_SECURITY_MECH 0x2b, 0x06, 0x01, 0x05, 0x05
++
++#define PKIX INTERNET_SECURITY_MECH, 0x07
+ #define PKIX_CERT_EXTENSIONS PKIX, 1
+ #define PKIX_POLICY_QUALIFIERS PKIX, 2
+ #define PKIX_KEY_USAGE PKIX, 3
+ #define PKIX_ACCESS_DESCRIPTION PKIX, 0x30
+ #define PKIX_OCSP PKIX_ACCESS_DESCRIPTION, 1
+ #define PKIX_CA_ISSUERS PKIX_ACCESS_DESCRIPTION, 2
+ 
+ #define PKIX_ID_PKIP PKIX, 5
+@@ -355,16 +357,17 @@ CONST_OID x509CertificatePolicies[] = { 
+ CONST_OID x509PolicyMappings[] = { ID_CE_OID, 33 };
+ CONST_OID x509AuthKeyID[] = { ID_CE_OID, 35 };
+ CONST_OID x509PolicyConstraints[] = { ID_CE_OID, 36 };
+ CONST_OID x509ExtKeyUsage[] = { ID_CE_OID, 37 };
+ CONST_OID x509FreshestCRL[] = { ID_CE_OID, 46 };
+ CONST_OID x509InhibitAnyPolicy[] = { ID_CE_OID, 54 };
+ 
+ CONST_OID x509CertificatePoliciesAnyPolicy[] = { ID_CE_OID, 32, 0 };
++CONST_OID x509ExtKeyUsageAnyUsage[] = { ID_CE_OID, 37, 0 };
+ 
+ CONST_OID x509AuthInfoAccess[] = { PKIX_CERT_EXTENSIONS, 1 };
+ CONST_OID x509SubjectInfoAccess[] = { PKIX_CERT_EXTENSIONS, 11 };
+ 
+ CONST_OID x509SIATimeStamping[] = { PKIX_ACCESS_DESCRIPTION, 0x03 };
+ CONST_OID x509SIACaRepository[] = { PKIX_ACCESS_DESCRIPTION, 0x05 };
+ 
+ /* pkcs 12 additions */
+@@ -449,18 +452,23 @@ CONST_OID pkixRegInfoUTF8Pairs[] = { PKI
+ CONST_OID pkixRegInfoCertReq[] = { PKIX_ID_REGINFO, 2 };
+ 
+ CONST_OID pkixExtendedKeyUsageServerAuth[] = { PKIX_KEY_USAGE, 1 };
+ CONST_OID pkixExtendedKeyUsageClientAuth[] = { PKIX_KEY_USAGE, 2 };
+ CONST_OID pkixExtendedKeyUsageCodeSign[] = { PKIX_KEY_USAGE, 3 };
+ CONST_OID pkixExtendedKeyUsageEMailProtect[] = { PKIX_KEY_USAGE, 4 };
+ CONST_OID pkixExtendedKeyUsageTimeStamp[] = { PKIX_KEY_USAGE, 8 };
+ CONST_OID pkixOCSPResponderExtendedKeyUsage[] = { PKIX_KEY_USAGE, 9 };
++/* 17 replaces 5 + 6 + 7 (declared obsolete in RFC 4945) */
++CONST_OID pkixExtendedKeyUsageIPsecIKE[] = { PKIX_KEY_USAGE, 17 };
+ CONST_OID msExtendedKeyUsageTrustListSigning[] = { MS_CRYPTO_EKU, 1 };
+ 
++CONST_OID ipsecIKEEnd[] = { INTERNET_SECURITY_MECH, 0x08, 0x02, 0x01 };
++CONST_OID ipsecIKEIntermediate[] = { INTERNET_SECURITY_MECH, 0x08, 0x02, 0x02 };
++
+ /* OIDs for Netscape defined algorithms */
+ CONST_OID netscapeSMimeKEA[] = { NETSCAPE_ALGS, 0x01 };
+ 
+ /* Fortezza algorithm OIDs */
+ CONST_OID skipjackCBC[] = { MISSI, 0x04 };
+ CONST_OID dhPublicKey[] = { ANSI_X942_ALGORITHM, 0x1 };
+ 
+ CONST_OID idea_CBC[] = { ASCOM_IDEA_ALG, 2 };
+@@ -1749,16 +1757,32 @@ const static SECOidData oids[SEC_OID_TOT
+     ODE(SEC_OID_TLS_FFDHE_8192,
+         "TLS FFDHE 8192-bit key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+     ODE(SEC_OID_TLS_DHE_CUSTOM,
+         "TLS DHE custom group key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+     OD(curve25519, SEC_OID_CURVE25519,
+        "Curve25519", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+     ODE(SEC_OID_TLS13_KEA_ANY,
+         "TLS 1.3 fake key exchange", CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
++
++    OD(x509ExtKeyUsageAnyUsage, SEC_OID_X509_ANY_EXT_KEY_USAGE,
++       "Any Extended Key Usage",
++       CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
++    OD(pkixExtendedKeyUsageIPsecIKE,
++       SEC_OID_EXT_KEY_USAGE_IPSEC_IKE,
++       "IPsec IKE Certificate",
++       CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
++    OD(ipsecIKEEnd,
++       SEC_OID_IPSEC_IKE_END,
++       "IPsec IKE End",
++       CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
++    OD(ipsecIKEIntermediate,
++       SEC_OID_IPSEC_IKE_INTERMEDIATE,
++       "IPsec IKE Intermediate",
++       CKM_INVALID_MECHANISM, INVALID_CERT_EXTENSION),
+ };
+ 
+ /* PRIVATE EXTENDED SECOID Table
+  * This table is private. Its structure is opaque to the outside.
+  * It is indexed by the same SECOidTag as the oids table above.
+  * Every member of this struct must have accessor functions (set, get)
+  * and those functions must operate by value, not by reference.
+  * The addresses of the contents of this table must not be exposed
+diff --git a/lib/util/secoidt.h b/lib/util/secoidt.h
+--- a/lib/util/secoidt.h
++++ b/lib/util/secoidt.h
+@@ -489,16 +489,21 @@ typedef enum {
+     SEC_OID_TLS_FFDHE_6144 = 352,
+     SEC_OID_TLS_FFDHE_8192 = 353,
+     SEC_OID_TLS_DHE_CUSTOM = 354,
+ 
+     SEC_OID_CURVE25519 = 355,
+ 
+     SEC_OID_TLS13_KEA_ANY = 356,
+ 
++    SEC_OID_X509_ANY_EXT_KEY_USAGE = 357,
++    SEC_OID_EXT_KEY_USAGE_IPSEC_IKE = 358,
++    SEC_OID_IPSEC_IKE_END = 359,
++    SEC_OID_IPSEC_IKE_INTERMEDIATE = 360,
++
+     SEC_OID_TOTAL
+ } SECOidTag;
+ 
+ #define SEC_OID_SECG_EC_SECP192R1 SEC_OID_ANSIX962_EC_PRIME192V1
+ #define SEC_OID_SECG_EC_SECP256R1 SEC_OID_ANSIX962_EC_PRIME256V1
+ #define SEC_OID_PKCS12_KEY_USAGE SEC_OID_X509_KEY_USAGE
+ 
+ /* fake OID for DSS sign/verify */
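Review bot: The four new `SECOidTag` values in `lib/util/secoidt.h` are pinned at 357–360 by a downstream-only patch, and nothing in the patch records that they must stay identical to the numbers upstream assigned. `SECOidTag` is a header enum that callers compile against, and the `oids[]` table in `secoid.c` is positional (the context comment describes the tables as indexed by the tag). A mismatch in value or entry order would therefore make a lookup of, for example, `SEC_OID_EXT_KEY_USAGE_IPSEC_IKE` resolve to a different OID, and an extended-key-usage check would compare against the wrong one. The four `OD(...)` entries do follow the enum order here; I would add a comment above them such as `/* Backport: values and order must match SECOidTag 357-360 as assigned upstream */` and confirm the numbering against the upstream release before shipping. Both the enum and the table begin outside the visible context.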
diff --git a/SPECS/nss-util.spec b/SPECS/nss-util.spec
index f170c87..0b10a2c 100644
--- a/SPECS/nss-util.spec
+++ b/SPECS/nss-util.spec
@@ -5,7 +5,7 @@
 Summary:          Network Security Services Utilities Library
 Name:             nss-util
 Version:          3.36.0
-Release:          1%{?dist}
+Release:          1.1%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@@ -42,6 +42,8 @@ Patch8: nss-util-3.19.1-tls12-mechanisms.patch
 # To revert the change in:
 # https://bugzilla.mozilla.org/show_bug.cgi?id=1377940
 Patch9: nss-util-sql-default.patch
+# revert when rebase to 3.40
+Patch10: nss-util-3.36-ipsec_cert_vfy.patch
 
 %description
 Utilities for Network Security Services and the Softoken module
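Review bot: The comment on `Patch10` says "revert", which in this spec already describes applying a patch with `-R` (the `Patch9` comment and its `%patch9 -p1 -R` line), and it gives no upstream reference the way the `Patch9` comment does. This patch is a forward backport that should be dropped at the rebase, so I would word it as `# Backport of <UPSTREAM_BUG_URL>; drop when rebasing to 3.40`. That lets the next maintainer confirm that 3.40 carries the same OIDs and tag numbers before removing it.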
@@ -67,6 +69,7 @@ Header and library files for doing development with Network Security Services.
 %patch8 -p1 -b .tls12_mechs
 pushd nss
 %patch9 -p1 -R -b .sql-default
+%patch10 -p1 -b .ipsec_vfy
 popd
 
 
@@ -240,6 +243,9 @@ done
 %{_includedir}/nss3/templates/templates.c
 
 %changelog
+* Mon Nov 12 2018 Bob Relyea <rrelyea@redhat.com> - 3.36.0-1.1
+- Update the cert verify code to allow a new ipsec usage and follow RFC 4945
+
 * Mon Mar  5 2018 Daiki Ueno <dueno@redhat.com> - 3.36.0-1
 - Rebase to NSS 3.36