diff --git a/security/manager/ssl/nsNSSComponent.cpp b/security/manager/ssl/nsNSSComponent.cpp
index 58b5eb783991..53eef93d0940 100644
--- a/security/manager/ssl/nsNSSComponent.cpp
+++ b/security/manager/ssl/nsNSSComponent.cpp
@@ -2677,11 +2677,15 @@ UniqueCERTCertList FindClientCertificatesWithPrivateKeys() {
       PK11SlotInfo* slot = list->module->slots[i];
       MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
               ("    slot '%s'", PK11_GetSlotName(slot)));
-      // If this is the internal certificate/key slot, there may be many more
-      // certificates than private keys, so search by private keys.
-      if (internalSlot.get() == slot) {
+      // If this is the internal certificate/key slot or the slot on the
+      // builtin roots module, there may be many more certificates than private
+      // keys, so search by private keys (PK11_HasRootCerts will be true if the
+      // slot contains an object with the vendor-specific CK_CLASS
+      // CKO_NSS_BUILTIN_ROOT_LIST, which should only be the case for the NSS
+      // builtin roots module).
+      if (internalSlot.get() == slot || PK11_HasRootCerts(slot)) {
         MOZ_LOG(gPIPNSSLog, LogLevel::Debug,
-                ("    (looking at internal slot)"));
+                ("    (looking at internal/builtin slot)"));
         if (PK11_Authenticate(slot, true, nullptr) != SECSuccess) {
           MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("    (couldn't authenticate)"));
           continue;