diff --git a/mozilla/security/nss/lib/certdb/stanpcertdb.c b/mozilla/security/nss/lib/certdb/stanpcertdb.c
index d4d91aae16c..2c8697ea869 100644
--- a/mozilla/security/nss/lib/certdb/stanpcertdb.c
+++ b/mozilla/security/nss/lib/certdb/stanpcertdb.c
@@ -335,8 +335,14 @@ CERT_FindCertByName(CERTCertDBHandle *handle, SECItem *name)
     cp = NSSTrustDomain_FindBestCertificateBySubject(handle, &subject, 
                                                      NULL, &usage, NULL);
     c = get_best_temp_or_perm(ct, cp);
-    if (ct) NSSCertificate_Destroy(ct);
-    if (cp) NSSCertificate_Destroy(cp);
+    if (ct) {
+	CERTCertificate *cert = STAN_GetCERTCertificate(ct);
+	CERT_DestroyCertificate(cert);
+    }
+    if (cp) {
+	CERTCertificate *cert = STAN_GetCERTCertificate(cp);
+	CERT_DestroyCertificate(cert);
+    }
     if (c) {
 	return STAN_GetCERTCertificate(c);
     } else {
@@ -379,7 +385,10 @@ CERT_FindCertByNickname(CERTCertDBHandle *handle, char *nickname)
     if (cert) {
 	c = get_best_temp_or_perm(ct, STAN_GetNSSCertificate(cert));
 	CERT_DestroyCertificate(cert);
-	if (ct) NSSCertificate_Destroy(ct);
+	if (ct) {
+	    CERTCertificate *cert2 = STAN_GetCERTCertificate(ct);
+	    CERT_DestroyCertificate(cert2);
+	}
     } else {
 	c = ct;
     }
@@ -426,7 +435,10 @@ CERT_FindCertByNicknameOrEmailAddr(CERTCertDBHandle *handle, char *name)
     if (cert) {
 	c = get_best_temp_or_perm(ct, STAN_GetNSSCertificate(cert));
 	CERT_DestroyCertificate(cert);
-	if (ct) NSSCertificate_Destroy(ct);
+	if (ct) {
+	    CERTCertificate *cert2 = STAN_GetCERTCertificate(ct);
+	    CERT_DestroyCertificate(cert2);
+	}
     } else {
 	c = ct;
     }
@@ -536,8 +548,6 @@ CERT_DestroyCertificate(CERTCertificate *cert)
         }
 #else
 	if (tmp) {
-	    /* delete the NSSCertificate */
-	    PK11SlotInfo *slot = cert->slot;
 	    NSSTrustDomain *td = STAN_GetDefaultTrustDomain();
 	    refCount = (int)tmp->object.refCount;
 	    /* This is a hack.  For 3.4, there are persistent references
@@ -559,8 +569,8 @@ CERT_DestroyCertificate(CERTCertificate *cert)
 		} else {
 		    nssTrustDomain_RemoveCertFromCache(td, tmp);
 		}
-		refCount = (int)tmp->object.refCount;
 	    }
+	    /* delete the NSSCertificate */
 	    NSSCertificate_Destroy(tmp);
 	} 
 #endif
diff --git a/mozilla/security/nss/lib/pk11wrap/pk11cert.c b/mozilla/security/nss/lib/pk11wrap/pk11cert.c
index 0dc922a8ef8..beea83ee3c2 100644
--- a/mozilla/security/nss/lib/pk11wrap/pk11cert.c
+++ b/mozilla/security/nss/lib/pk11wrap/pk11cert.c
@@ -116,13 +116,11 @@ static PRStatus convert_and_cache_cert(NSSCertificate *c, void *arg)
      * destroy the reference to the copy, the callback will use the reference
      * to the cached entry, and everyone should be happy.
      */
-    if (cp == c) {
-	/* However, if the call to add c to the cache was successful, cp is
-	 * now an extra copy within this function and needs to be destroyed.
-	 */
-	NSSCertificate_Destroy(cp);
-    }
     nssrv = convert_cert(c, arg);
+    /* This function owns a reference to the cert, either from the AddRef
+     * or by getting it from the cache.
+     */
+    CERT_DestroyCertificate(STAN_GetCERTCertificate(c));
     return nssrv;
 }
 
@@ -1245,7 +1243,7 @@ get_newest_cert(NSSCertificate *c, void *arg)
     dc = nssCertificate_GetDecoding(c);
     founddc = nssCertificate_GetDecoding(*cfound);
     if (!founddc->isNewerThan(founddc, dc)) {
-	NSSCertificate_Destroy(*cfound);
+	CERT_DestroyCertificate(STAN_GetCERTCertificate(*cfound));
 	*cfound = nssCertificate_AddRef(c);
     }
     return PR_SUCCESS;
@@ -2667,7 +2665,7 @@ filter_list_for_token_certs(nssList *certList, NSSToken *token)
 	if (!isToken) {
 	    /* safe since iterator is copied */
 	    nssList_Remove(certList, c);
-	    NSSCertificate_Destroy(c);
+	    CERT_DestroyCertificate(STAN_GetCERTCertificate(c));
 	}
     }
     nssListIterator_Finish(certs);
diff --git a/mozilla/security/nss/lib/pki/trustdomain.c b/mozilla/security/nss/lib/pki/trustdomain.c
index e953baf13db..28101de1290 100644
--- a/mozilla/security/nss/lib/pki/trustdomain.c
+++ b/mozilla/security/nss/lib/pki/trustdomain.c
@@ -32,7 +32,7 @@
  */
 
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: trustdomain.c,v $ $Revision: 1.33 $ $Date: 2002-02-08 15:13:13 $ $Name: not supported by cvs2svn $";
+static const char CVS_ID[] = "@(#) $RCSfile: trustdomain.c,v $ $Revision: 1.34 $ $Date: 2002-02-26 16:21:48 $ $Name: not supported by cvs2svn $";
 #endif /* DEBUG */
 
 #ifndef NSSPKI_H
@@ -927,13 +927,11 @@ static PRStatus traverse_callback(NSSCertificate *c, void *arg)
      * destroy the reference to the copy, the callback will use the reference
      * to the cached entry, and everyone should be happy.
      */
-    if (cp == c) {
-	/* However, if the call to add c to the cache was successful, cp is
-	 * now an extra copy within this function and needs to be destroyed.
-	 */
-	NSSCertificate_Destroy(cp);
-    }
     nssrv = (*ta->callback)(c, ta->arg);
+    /* This function owns a reference to the cert, either from the AddRef
+     * or by getting it from the cache.
+     */
+    CERT_DestroyCertificate(STAN_GetCERTCertificate(c));
     return nssrv;
 }