diff --git a/lib/certhigh/certvfy.c b/lib/certhigh/certvfy.c --- a/lib/certhigh/certvfy.c +++ b/lib/certhigh/certvfy.c @@ -42,23 +42,16 @@ checkKeyParams(const SECAlgorithmID *sig { SECStatus rv; SECOidTag sigAlg; SECOidTag curve; PRUint32 policyFlags = 0; PRInt32 minLen, len; sigAlg = SECOID_GetAlgorithmTag(sigAlgorithm); - rv = NSS_GetAlgorithmPolicy(sigAlg, &policyFlags); - if (rv == SECSuccess && - !(policyFlags & NSS_USE_ALG_IN_CERT_SIGNATURE)) { - PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED); - return SECFailure; - } - switch (sigAlg) { case SEC_OID_ANSIX962_ECDSA_SHA1_SIGNATURE: case SEC_OID_ANSIX962_ECDSA_SHA224_SIGNATURE: case SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE: case SEC_OID_ANSIX962_ECDSA_SHA384_SIGNATURE: case SEC_OID_ANSIX962_ECDSA_SHA512_SIGNATURE: if (key->keyType != ecKey) { PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); @@ -126,16 +119,23 @@ checkKeyParams(const SECAlgorithmID *sig } if (len < minLen) { return SECFailure; } return SECSuccess; case SEC_OID_ANSIX9_DSA_SIGNATURE: + rv = NSS_GetAlgorithmPolicy(sigAlg, &policyFlags); + if (rv == SECSuccess && + !(policyFlags & NSS_USE_ALG_IN_CERT_SIGNATURE)) { + PORT_SetError(SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED); + return SECFailure; + } + /* fall through */ case SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST: case SEC_OID_BOGUS_DSA_SIGNATURE_WITH_SHA1_DIGEST: case SEC_OID_SDN702_DSA_SIGNATURE: case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA224_DIGEST: case SEC_OID_NIST_DSA_SIGNATURE_WITH_SHA256_DIGEST: if (key->keyType != dsaKey) { PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); return SECFailure;
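Review bot: The relocated policy check in the second hunk is fail-open: `rv == SECSuccess && !(policyFlags & NSS_USE_ALG_IN_CERT_SIGNATURE)` means that if NSS_GetAlgorithmPolicy returns SECFailure for SEC_OID_ANSIX9_DSA_SIGNATURE, the DSA signature is accepted without any policy being consulted. For a fixed, well-known OID that lookup may never fail, but since this is now the only policy enforcement left in checkKeyParams it would be safer to close the gap with `if (rv != SECSuccess || !(policyFlags & NSS_USE_ALG_IN_CERT_SIGNATURE)) {` and the existing PORT_SetError/return, unless a failing lookup is a supported configuration. The change also stops consulting NSS_USE_ALG_IN_CERT_SIGNATURE for every other signature OID in this function; presumably the caller's decoded hash/encryption algorithm policy check covers those, but the bare DSA OID names no digest and so needs its own check here, and the new case would benefit from a comment saying so, e.g. `/* Bare DSA carries no digest OID, so the caller's hash-algorithm policy check cannot cover it; check the signature OID itself. */`. checkKeyParams starts and ends outside this hunk, so the path by which the removed check was previously reached is not visible here.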