--- a/toolkit/modules/CertUtils.jsm

+++ b/toolkit/modules/CertUtils.jsm

@@ -170,17 +170,19 @@ this.checkCert =

   issuerCert = issuerCert.QueryInterface(Ci.nsIX509Cert3);

   var tokenNames = issuerCert.getAllTokenNames({});

   if (!tokenNames || !tokenNames.some(isBuiltinToken))

     throw new Ce(certNotBuiltInErr, Cr.NS_ERROR_ABORT);

 }

 function isBuiltinToken(tokenName) {

-  return tokenName == "Builtin Object Token";

+  return tokenName == "Builtin Object Token" ||

+         tokenName == "Default Trust" ||

+         tokenName == "System Trust";

 }

 /**

  * This class implements nsIBadCertListener.  Its job is to prevent "bad cert"

  * security dialogs from being shown to the user.  It is better to simply fail

  * if the certificate is bad. See bug 304286.

  *

  * @param  aAllowNonBuiltInCerts (optional)