diff --git a/security/manager/ssl/src/CertVerifier.cpp b/security/manager/ssl/src/CertVerifier.cpp
index 5d35d9b24911..39b54c403a74 100644
--- a/security/manager/ssl/src/CertVerifier.cpp
+++ b/security/manager/ssl/src/CertVerifier.cpp
@@ -138,6 +138,21 @@ CertVerifier::VerifyCert(CERTCertificate * cert,
     *evOidPolicy = SEC_OID_UNKNOWN;
   }
 
+  switch(usage){
+    case certificateUsageSSLClient:
+    case certificateUsageSSLServer:
+    case certificateUsageSSLCA:
+    case certificateUsageEmailSigner:
+    case certificateUsageEmailRecipient:
+    case certificateUsageObjectSigner:
+    case certificateUsageStatusResponder:
+      break;
+    default:
+      NS_WARNING("Calling VerifyCert with invalid usage");
+      PORT_SetError(SEC_ERROR_INVALID_ARGS);
+      return SECFailure;
+  }
+
   ScopedCERTCertList trustAnchors;
   SECStatus rv;
   SECOidTag evPolicy = SEC_OID_UNKNOWN;
diff --git a/security/manager/ssl/src/CertVerifier.h b/security/manager/ssl/src/CertVerifier.h
index 470cdde977eb..4eb267f0fced 100644
--- a/security/manager/ssl/src/CertVerifier.h
+++ b/security/manager/ssl/src/CertVerifier.h
@@ -25,6 +25,7 @@ public:
   // XXX: The localonly flag is ignored in the classic verification case
 
   // *evOidPolicy == SEC_OID_UNKNOWN means the cert is NOT EV
+  // Only one usage per verification is supported.
   SECStatus VerifyCert(CERTCertificate * cert,
                        const SECCertificateUsage usage,
                        const PRTime time,