diff --git a/security/nss/lib/dev/devobject.c b/security/nss/lib/dev/devobject.c
index fe1b2249d4d..09a25a64031 100644
--- a/security/nss/lib/dev/devobject.c
+++ b/security/nss/lib/dev/devobject.c
@@ -32,7 +32,7 @@
  */
 
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: devobject.c,v $ $Revision: 1.21 $ $Date: 2002-03-07 23:21:32 $ $Name:  $";
+static const char CVS_ID[] = "@(#) $RCSfile: devobject.c,v $ $Revision: 1.22 $ $Date: 2002-04-03 19:22:11 $ $Name:  $";
 #endif /* DEBUG */
 
 #ifndef DEV_H
@@ -68,6 +68,7 @@ static const char CVS_ID[] = "@(#) $RCSfile: devobject.c,v $ $Revision: 1.21 $ $
 #ifdef NSS_3_4_CODE
 #include "pkim.h" /* for cert decoding */
 #include "pk11func.h" /* for PK11_HasRootCerts */
+#include "pki3hack.h" /* for STAN_ForceCERTCertificateUpdate */
 #endif
 
 /* The number of object handles to grab during each call to C_FindObjects */
@@ -559,6 +560,14 @@ retrieve_cert(NSSToken *t, nssSession *session, CK_OBJECT_HANDLE h, void *arg)
 	/* XXX Fix this! */
 	nssListIterator_Destroy(cert->object.instances);
 	cert->object.instances = nssList_CreateIterator(cert->object.instanceList);
+	/* The cert was already discovered.  If it was made into a 
+	 * CERTCertificate, we need to update it here, because we have found
+	 * another instance of it.  This new instance may cause the slot
+	 * and nickname fields of the cert to change.
+	 */
+	if (cert->decoding && inCache) {
+	    (void)STAN_ForceCERTCertificateUpdate(cert);
+	}
     }
     if (!inCache) {
 	nssrv = (*search->callback)(cert, search->cbarg);
diff --git a/security/nss/lib/pki/pki3hack.c b/security/nss/lib/pki/pki3hack.c
index 4fc1ba90c3e..fbbe67a9884 100644
--- a/security/nss/lib/pki/pki3hack.c
+++ b/security/nss/lib/pki/pki3hack.c
@@ -32,7 +32,7 @@
  */
 
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: pki3hack.c,v $ $Revision: 1.45 $ $Date: 2002-03-15 19:23:10 $ $Name:  $";
+static const char CVS_ID[] = "@(#) $RCSfile: pki3hack.c,v $ $Revision: 1.46 $ $Date: 2002-04-03 19:22:14 $ $Name:  $";
 #endif /* DEBUG */
 
 /*
@@ -888,6 +888,9 @@ fill_CERTCertificateFields(NSSCertificate *c, CERTCertificate *cc, PRBool forced
 	}
     } else if (instance) {
 	/* slot */
+	if (cc->slot) {
+	    PK11_FreeSlot(cc->slot);
+	}
 	cc->slot = PK11_ReferenceSlot(instance->token->pk11slot);
 	cc->ownSlot = PR_TRUE;
 	/* pkcs11ID */
@@ -932,6 +935,12 @@ stan_GetCERTCertificate(NSSCertificate *c, PRBool forceUpdate)
     return cc;
 }
 
+NSS_IMPLEMENT CERTCertificate *
+STAN_ForceCERTCertificateUpdate(NSSCertificate *c)
+{
+    return stan_GetCERTCertificate(c, PR_TRUE);
+}
+
 NSS_IMPLEMENT CERTCertificate *
 STAN_GetCERTCertificate(NSSCertificate *c)
 {
diff --git a/security/nss/lib/pki/pki3hack.h b/security/nss/lib/pki/pki3hack.h
index 2772f6c74ef..8aae79cece8 100644
--- a/security/nss/lib/pki/pki3hack.h
+++ b/security/nss/lib/pki/pki3hack.h
@@ -35,7 +35,7 @@
 #define PKINSS3HACK_H
 
 #ifdef DEBUG
-static const char PKINSS3HACK_CVS_ID[] = "@(#) $RCSfile: pki3hack.h,v $ $Revision: 1.8 $ $Date: 2002-03-14 04:12:25 $ $Name:  $";
+static const char PKINSS3HACK_CVS_ID[] = "@(#) $RCSfile: pki3hack.h,v $ $Revision: 1.9 $ $Date: 2002-04-03 19:22:15 $ $Name:  $";
 #endif /* DEBUG */
 
 #ifndef NSSDEVT_H
@@ -110,6 +110,9 @@ STAN_RemoveModuleFromDefaultTrustDomain
   SECMODModule *module
 );
 
+NSS_EXTERN CERTCertificate *
+STAN_ForceCERTCertificateUpdate(NSSCertificate *c);
+
 NSS_EXTERN CERTCertificate *
 STAN_GetCERTCertificate(NSSCertificate *c);