diff -up nss/lib/pki/tdcache.c.fix_deadlock nss/lib/pki/tdcache.c
--- nss/lib/pki/tdcache.c.fix_deadlock	2017-01-13 17:10:36.055530248 +0100
+++ nss/lib/pki/tdcache.c	2017-01-13 17:14:04.015338438 +0100
@@ -374,13 +374,19 @@ struct token_cert_dtor {
     PRUint32 numCerts, arrSize;
 };
 
-static void
-remove_token_certs(const void *k, void *v, void *a)
+static void cert_iter(const void *k, void *v, void *a)
 {
+    nssList *certList = (nssList *)a;
     NSSCertificate *c = (NSSCertificate *)k;
+    nssList_Add(certList, nssCertificate_AddRef(c));
+}
+
+static void
+remove_token_certs(NSSCertificate *c, struct token_cert_dtor *dtor) 
+{
     nssPKIObject *object = &c->object;
-    struct token_cert_dtor *dtor = a;
     PRUint32 i;
+
     nssPKIObject_AddRef(object);
     nssPKIObject_Lock(object);
     for (i = 0; i < object->numInstances; i++) {
@@ -416,6 +422,11 @@ nssTrustDomain_RemoveTokenCertsFromCache
     NSSCertificate **certs;
     PRUint32 i, arrSize = 10;
     struct token_cert_dtor dtor;
+    nssList *certList;
+    PRStatus nspr_rv = PR_FAILURE;
+    nssListIterator *iter;
+    NSSCertificate *c;
+
     certs = nss_ZNEWARRAY(NULL, NSSCertificate *, arrSize);
     if (!certs) {
         return PR_FAILURE;
@@ -425,8 +436,33 @@ nssTrustDomain_RemoveTokenCertsFromCache
     dtor.certs = certs;
     dtor.numCerts = 0;
     dtor.arrSize = arrSize;
+
+    certList = nssList_Create(NULL, PR_FALSE);
+    if (!certList) {
+	goto loser;
+    }
+    /* fetch the list of certs in the cache */
+    PZ_Lock(td->cache->lock);
+    nssHash_Iterate(td->cache->issuerAndSN, cert_iter, (void *)certList);
+    PZ_Unlock(td->cache->lock);
+
+    /* find the certs that match this token without olding the td cache lock */
+    iter=nssList_CreateIterator(certList);
+    if (!iter) {
+	goto loser;
+    }
+    for (c  = (NSSCertificate *)nssListIterator_Start(iter);
+	 c != (NSSCertificate *)NULL;
+	 c  = (NSSCertificate *)nssListIterator_Next(iter)) {
+	remove_token_certs( c, &dtor);
+    }
+    nssListIterator_Finish(iter);
+    nssListIterator_Destroy(iter);
+    nssList_Destroy(certList);
+    certList = NULL;
+
+    /* now remove theose certs attached to this token */
     PZ_Lock(td->cache->lock);
-    nssHash_Iterate(td->cache->issuerAndSN, remove_token_certs, &dtor);
     for (i = 0; i < dtor.numCerts; i++) {
         if (dtor.certs[i]->object.numInstances == 0) {
             nssTrustDomain_RemoveCertFromCacheLOCKED(td, dtor.certs[i]);
@@ -437,14 +473,22 @@ nssTrustDomain_RemoveTokenCertsFromCache
         }
     }
     PZ_Unlock(td->cache->lock);
+
+    /* clean up */
     for (i = 0; i < dtor.numCerts; i++) {
         if (dtor.certs[i]) {
             STAN_ForceCERTCertificateUpdate(dtor.certs[i]);
             nssCertificate_Destroy(dtor.certs[i]);
         }
     }
+
+    nspr_rv = PR_SUCCESS;
+loser:
+    if (certList) {
+	nssList_Destroy(certList);
+    }
     nss_ZFreeIf(dtor.certs);
-    return PR_SUCCESS;
+    return nspr_rv;
 }
 
 NSS_IMPLEMENT PRStatus
@@ -1058,14 +1102,6 @@ nssTrustDomain_GetCertByDERFromCache(
     return rvCert;
 }
 
-static void
-cert_iter(const void *k, void *v, void *a)
-{
-    nssList *certList = (nssList *)a;
-    NSSCertificate *c = (NSSCertificate *)k;
-    nssList_Add(certList, nssCertificate_AddRef(c));
-}
-
 NSS_EXTERN NSSCertificate **
 nssTrustDomain_GetCertsFromCache(
     NSSTrustDomain *td,