Comment 3 for bug 1586538

It seems that CERTDB_TERMINAL_RECORD being set to true means that the trust record is authoritative, at which point it checks for either CERTDB_TRUSTED or CERTDB_TRUSTED_CA being true. If that's the case, then the certificate is trusted, otherwise it is distrusted.

Throughout lib/certhigh/certvfy.c you'll see variations on:

case certUsageSSLCA:
    flags = trust.sslFlags;
    if (flags & CERTDB_TERMINAL_RECORD) { /* the trust record is
                                           * authoritative */
        if ((flags & (CERTDB_TRUSTED | CERTDB_TRUSTED_CA)) == 0) {
            /* don't trust this cert */
            *failedFlags = flags;
            return SECFailure;
        }
    }
    break;

The -t p option sets CERTDB_TERMINAL_RECORD while the -t P and -t C set CERTDB_TRUSTED and CERTDB_TRUSTED_CA respectively. Without the latter two (that is, with just -t p ) the certificate is explicitly distrusted as per the latest online certutil documentation.

It seems that the src man pages haven't been updated. An older version (from Sept 2014) at https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Tools/certutil agrees with the current man page in the src package.