Comment 1 for bug 838322

It turns out that there are two Staat der Nederlanden roots in our root store, and our patch only exempts one of them from the DigiNotar block :-(( This means that a number of websites whose certs do not chain up to the dis-trusted DigiNotar root are nevertheless having their certificates viewed as untrusted. I'm not sure how many sites this is.

The roots are:
Staat der Nederlanden Root CA
  (successfully exempted)
Staat der Nederlanden Root CA - G2
  (accidentally included)

The line of code is this one:

if (!strcmp(node->cert->issuerName,
    "CN=Staat der Nederlanden Root CA,O=Staat der Nederlanden,C=NL") ...

This check needs to include both the names above.

Test site:
https://sha2.diginotar.nl/

Gerv