diff --git a/lib/certhigh/certvfy.c b/lib/certhigh/certvfy.c

--- a/lib/certhigh/certvfy.c

+++ b/lib/certhigh/certvfy.c

@@ -42,23 +42,16 @@ checkKeyParams(const SECAlgorithmID *sig

 {

     SECStatus rv;

     SECOidTag sigAlg;

     SECOidTag curve;

     PRUint32 policyFlags = 0;

     PRInt32 minLen, len;

     sigAlg = SECOID_GetAlgorithmTag(sigAlgorithm);

-    rv = NSS_GetAlgorithmPolicy(sigAlg, &policyFlags);

-    if (rv == SECSuccess &&

-        !(policyFlags & NSS_USE_ALG_IN_CERT_SIGNATURE)) {

-        PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);

-        return SECFailure;

-    }

-

     switch (sigAlg) {

         case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE:

         case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE:

         case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE:

         case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE:

         case SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE:

             if (key->keyType != ecKey) {

                 PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);

@@ -126,16 +119,23 @@ checkKeyParams(const SECAlgorithmID *sig

             }

             if (len < minLen) {

                 return SECFailure;

             }

             return SECSuccess;

         case SEC_OID_ANSIX9_DSA_SIGNATURE:

+            rv = NSS_GetAlgorithmPolicy(sigAlg, &policyFlags);

+            if (rv == SECSuccess &&

+                !(policyFlags & NSS_USE_ALG_IN_CERT_SIGNATURE)) {

+                PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED);

+                return SECFailure;

+            }

+            /* fall through */

         case SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST:

         case SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST:

         case SEC_OID_SDN702_DSA_SIGNATURE:

         case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST:

         case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST:

             if (key->keyType != dsaKey) {

                 PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);

                 return SECFailure;