Comment 27 for bug 543183

In , David (david-redhat-bugs) wrote :

Test procedure... First we fetch a signing cert (just an example; it doesn't matter which it is), import it into a new application-specific NSS DB, and it works. We remove it from the app's DB, and it doesn't.
All is well so far...

[root@macbook dwmw2]# curl -k https://www.cacert.org/certs/root.crt > cacert.crt
  % Total % Received % Xferd Average Speed Time Time Time Current
                                 Dload Upload Total Spent Left Speed
102 2569 102 2569 0 0 10740 0 --:--:-- --:--:-- --:--:-- 51380
[root@macbook dwmw2]# mkdir /tmp/nssdb
[root@macbook dwmw2]# certutil -d /tmp/nssdb -t TC,TC,TC -E -i cacert.crt -n cacert
[root@macbook dwmw2]# /usr/lib64/nss/unsupported-tools/tstclnt -d /tmp/nssdb -h www.cacert.org -p 443
subject DN: <email address hidden>,CN=www.cacert.org,O=CAcert Inc.,L=Sydney,ST=NSW,C=AU
issuer DN: <email address hidden>,CN=CA Cert Signing Authority,OU=http://www.cacert.org,O=Root CA
0 cache hits; 1 cache misses, 0 cache not reusable
0 stateless resumes
^C
[root@macbook dwmw2]# certutil -d /tmp/nssdb -D -n cacert
[root@macbook dwmw2]# /usr/lib64/nss/unsupported-tools/tstclnt -d /tmp/nssdb -h www.cacert.org -p 443
tstclnt: read from socket failed: Peer's Certificate issuer is not recognized.