diff --git a/mozilla/security/nss/lib/dev/dev.h b/mozilla/security/nss/lib/dev/dev.h
index fae6c3b0603..4308782c154 100644
--- a/mozilla/security/nss/lib/dev/dev.h
+++ b/mozilla/security/nss/lib/dev/dev.h
@@ -41,7 +41,7 @@
 */
 #ifdef DEBUG
-static const char DEV_CVS_ID[] = "@(#) $RCSfile: dev.h,v $ $Revision: 1.24 $ $Date: 2002-04-18 17:29:53 $ $Name: not supported by cvs2svn $";
+static const char DEV_CVS_ID[] = "@(#) $RCSfile: dev.h,v $ $Revision: 1.25 $ $Date: 2002-04-19 23:06:39 $ $Name: not supported by cvs2svn $";
 #endif /* DEBUG */
 #ifndef NSSCKT_H
@@ -946,6 +946,12 @@ nssToken_GetTrustOrder
 NSSToken *tok
 );
+NSS_EXTERN PRStatus
+nssToken_NofifyCertsNotVisible
+(
+ NSSToken *tok
+);
+
 #endif
 PR_END_EXTERN_C
diff --git a/mozilla/security/nss/lib/dev/devslot.c b/mozilla/security/nss/lib/dev/devslot.c
index 91abda43cca..3d110e8b16e 100644
--- a/mozilla/security/nss/lib/dev/devslot.c
+++ b/mozilla/security/nss/lib/dev/devslot.c
@@ -32,7 +32,7 @@
 */
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: devslot.c,v $ $Revision: 1.4 $ $Date: 2002-04-18 17:29:54 $ $Name: not supported by cvs2svn $";
+static const char CVS_ID[] = "@(#) $RCSfile: devslot.c,v $ $Revision: 1.5 $ $Date: 2002-04-19 23:06:39 $ $Name: not supported by cvs2svn $";
 #endif /* DEBUG */
 #ifndef NSSCKEPV_H
@@ -293,6 +293,13 @@ nssSlot_IsTokenPresent
 session->handle = CK_INVALID_SESSION;
 }
 nssSession_ExitMonitor(session);
+#ifdef NSS_3_4_CODE
+ if (slot->token->base.name[0] != 0) {
+ /* notify the high-level cache that the token is removed */
+ slot->token->base.name[0] = 0; /* XXX */
+ nssToken_NofifyCertsNotVisible(slot->token);
+ }
+#endif
 slot->token->base.name[0] = 0; /* XXX */
 return PR_FALSE;
 #ifdef PURE_STAN_CODE
diff --git a/mozilla/security/nss/lib/pk11wrap/dev3hack.c b/mozilla/security/nss/lib/pk11wrap/dev3hack.c
index 186c8251584..bd79128b942 100644
--- a/mozilla/security/nss/lib/pk11wrap/dev3hack.c
+++ b/mozilla/security/nss/lib/pk11wrap/dev3hack.c
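Review bot: The new prototype in dev.h spells the name `nssToken_NofifyCertsNotVisible` ("Nofify"), and this is the hunk where the misspelling lands in a shared header; the caller in devslot.c and the definition in dev3hack.c repeat it. Renaming to `nssToken_NotifyCertsNotVisible` in all three places now is cheaper than after more callers exist. The declaration also has no comment; something like `/* Drop this token's certificate instances from the trust domain cache; called when the token is found removed. */` would record the contract.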
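Review bot: The PRStatus returned by `nssToken_NofifyCertsNotVisible(slot->token)` is discarded inside the new `#ifdef NSS_3_4_CODE` block in devslot.c, and the name byte that gates the call has already been cleared, so a failed cache purge is not retried on the next presence check. In this same commit nssTrustDomain_RemoveTokenCertsFromCache returns PR_FAILURE when its array allocation fails, which would leave certificate instances of the removed token in the cache. Check the status, e.g. `if (nssToken_NofifyCertsNotVisible(slot->token) != PR_SUCCESS) { /* cache may still list this token's certs */ }`, and either drop the inner `slot->token->base.name[0] = 0;` (the unconditional one follows `#endif`) or comment why it must precede the call. nssSlot_IsTokenPresent starts and ends outside this hunk, so the locking around the name byte cannot be judged from here.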
@@ -32,7 +32,7 @@
 */
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: dev3hack.c,v $ $Revision: 1.13 $ $Date: 2002-04-19 16:14:13 $ $Name: not supported by cvs2svn $";
+static const char CVS_ID[] = "@(#) $RCSfile: dev3hack.c,v $ $Revision: 1.14 $ $Date: 2002-04-19 23:06:41 $ $Name: not supported by cvs2svn $";
 #endif /* DEBUG */
 #ifndef NSS_3_4_CODE
@@ -49,6 +49,7 @@ static const char CVS_ID[] = "@(#) $RCSfile: dev3hack.c,v $ $Revision: 1.13 $ $D
 #include "pki3hack.h"
 #include "dev3hack.h"
+#include "pkim.h"
 #ifndef BASE_H
 #include "base.h"
@@ -230,9 +231,17 @@ nssSlot_Refresh
 )
 {
 PK11SlotInfo *nss3slot = slot->pk11slot;
+ PRBool doit = PR_FALSE;
+ if (slot->token->base.name[0] == 0) {
+ doit = PR_TRUE;
+ }
 if (PK11_InitToken(nss3slot, PR_FALSE) != SECSuccess) {
 return PR_FAILURE;
 }
+ if (doit) {
+ nssTrustDomain_UpdateCachedTokenCerts(slot->token->trustDomain,
+ slot->token);
+ }
 return nssToken_Refresh(slot->token);
 }
@@ -268,25 +277,19 @@ nssToken_GetTrustDomain(NSSToken *token)
 return token->trustDomain;
 }
-typedef enum {
- nssPK11Event_DefaultSessionRO = 0,
- nssPK11Event_DefaultSessionRW = 1
-} nssPK11Event;
+NSS_EXTERN PRStatus
+nssTrustDomain_RemoveTokenCertsFromCache
+(
+ NSSTrustDomain *td,
+ NSSToken *token
+);
 NSS_IMPLEMENT PRStatus
-nssToken_Nofify
+nssToken_NofifyCertsNotVisible
 (
- NSSToken *tok,
- nssPK11Event event
+ NSSToken *tok
 )
-
 {
-#ifdef notdef
- switch (event) {
- default:
- return PR_FAILURE;
- }
-#endif
- return PR_FAILURE;
+ return nssTrustDomain_RemoveTokenCertsFromCache(tok->trustDomain, tok);
 }
diff --git a/mozilla/security/nss/lib/pki/pkim.h b/mozilla/security/nss/lib/pki/pkim.h
index 6ad4dde351e..6224c0cbea8 100644
--- a/mozilla/security/nss/lib/pki/pkim.h
+++ b/mozilla/security/nss/lib/pki/pkim.h
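Review bot: The status of `nssTrustDomain_UpdateCachedTokenCerts(...)` in the `if (doit)` block of nssSlot_Refresh is ignored, so the function reports whatever nssToken_Refresh returns even when re-attaching the token's certificates failed. If a stale cache is acceptable here, say so in a comment; otherwise propagate it with `if (doit && nssTrustDomain_UpdateCachedTokenCerts(slot->token->trustDomain, slot->token) != PR_SUCCESS) return PR_FAILURE;`. The flag would read better named for what it records and initialised directly, `PRBool tokenWasAbsent = (slot->token->base.name[0] == 0);`. The function's parameter list lies above the hunk.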
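Review bot: The file-local `NSS_EXTERN PRStatus nssTrustDomain_RemoveTokenCertsFromCache(...)` prototype added ahead of nssToken_NofifyCertsNotVisible duplicates a declaration that pkim.h appears to carry already (it shows up as context in the pkim.h hunk), and this commit adds `#include "pkim.h"` to this file. Drop the local copy so a later signature change is caught by the compiler instead of diverging silently. `tok->trustDomain` is also dereferenced with no NULL check on `tok`; whether callers can pass NULL is not determinable from this hunk.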
@@ -35,7 +35,7 @@
 #define PKIM_H
 #ifdef DEBUG
-static const char PKIM_CVS_ID[] = "@(#) $RCSfile: pkim.h,v $ $Revision: 1.18 $ $Date: 2002-04-18 17:30:04 $ $Name: not supported by cvs2svn $";
+static const char PKIM_CVS_ID[] = "@(#) $RCSfile: pkim.h,v $ $Revision: 1.19 $ $Date: 2002-04-19 23:06:43 $ $Name: not supported by cvs2svn $";
 #endif /* DEBUG */
 #ifndef BASE_H
@@ -610,6 +610,13 @@ nssTrustDomain_RemoveTokenCertsFromCache
 NSSToken *token
 );
+NSS_EXTERN PRStatus
+nssTrustDomain_UpdateCachedTokenCerts
+(
+ NSSTrustDomain *td,
+ NSSToken *token
+);
+
 /*
 * Find all cached certs with this nickname (label).
 */
diff --git a/mozilla/security/nss/lib/pki/tdcache.c b/mozilla/security/nss/lib/pki/tdcache.c
index b8f7d03788f..99034fa17a6 100644
--- a/mozilla/security/nss/lib/pki/tdcache.c
+++ b/mozilla/security/nss/lib/pki/tdcache.c
@@ -32,7 +32,7 @@
 */
 #ifdef DEBUG
-static const char CVS_ID[] = "@(#) $RCSfile: tdcache.c,v $ $Revision: 1.30 $ $Date: 2002-04-18 17:52:55 $ $Name: not supported by cvs2svn $";
+static const char CVS_ID[] = "@(#) $RCSfile: tdcache.c,v $ $Revision: 1.31 $ $Date: 2002-04-19 23:06:44 $ $Name: not supported by cvs2svn $";
 #endif /* DEBUG */
 #ifndef PKIM_H
@@ -61,6 +61,8 @@ static const char CVS_ID[] = "@(#) $RCSfile: tdcache.c,v $ $Revision: 1.30 $ $Da
 #ifdef NSS_3_4_CODE
 #include "cert.h"
+#include "dev.h"
+#include "pki3hack.h"
 #endif
 #ifdef DEBUG_CACHE
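Review bot: nssTrustDomain_UpdateCachedTokenCerts is declared in pkim.h without a comment, unlike the lookup declaration that follows it. A short contract on the prototype would help callers, for example `/* For each certificate already in the cache, look it up on the token and attach the instance found; PR_FAILURE on allocation failure. */`, which matches what the tdcache.c definition in this commit does.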
@@ -447,23 +449,39 @@ nssTrustDomain_FlushCache { } -struct token_cert_destructor { - nssTDCertificateCache *cache; +struct token_cert_dtor { NSSToken *token; + nssTDCertificateCache *cache; + NSSCertificate **certs; + PRUint32 numCerts, arrSize; }; static void remove_token_certs(const void *k, void *v, void *a) { -#if 0 - struct NSSItem *identifier = (struct NSSItem *)k; - NSSCertificate *c = (NSSCertificate *)v; - struct token_cert_destructor *tcd = (struct token_cert_destructor *)a; - if (c->token == tcd->token) { - nssHash_Remove(tcd->cache->issuerAndSN, identifier); - /* remove from the other hashes */ + NSSCertificate *c = (NSSCertificate *)k; + nssPKIObject *object = &c->object; + struct token_cert_dtor *dtor = a; + PRUint32 i; + PZ_Lock(object->lock); + for (i=0; inumInstances; i++) { + if (object->instances[i]->token == dtor->token) { + nssCryptokiObject_Destroy(object->instances[i]); + object->instances[i] = object->instances[object->numInstances-1]; + object->instances[object->numInstances-1] = NULL; + object->numInstances--; + dtor->certs[dtor->numCerts++] = nssCertificate_AddRef(c); + if (dtor->numCerts == dtor->arrSize) { + dtor->arrSize *= 2; + dtor->certs = nss_ZREALLOCARRAY(dtor->certs, + NSSCertificate *, + dtor->arrSize); + } + break; + } } -#endif + PZ_Unlock(object->lock); + return; } /* 
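Review bot: In remove_token_certs the result of `nss_ZREALLOCARRAY` is stored straight into `dtor->certs` with no NULL check, so after a failed growth the next matching certificate is written through a NULL pointer at `dtor->certs[dtor->numCerts++]`, and the caller then indexes the same NULL array. The callback returns void, so the failure needs a flag in struct token_cert_dtor (shown below as `allocFailed`, to be zeroed by the caller and turned into PR_FAILURE there). Whether the old array survives a failed nss_ZREALLOCARRAY is not visible here and should be confirmed before it is reused. The `for` header in this hunk is truncated in the page text, so the loop bound itself was not reviewed.
```c
    struct token_cert_dtor *dtor = a;
    PRUint32 i;
    if (dtor->allocFailed) {
        return; /* no room to record further certs; caller reports PR_FAILURE */
    }
    /* … unchanged: lock, instance scan, destroy and swap-remove, AddRef into dtor->certs … */
            if (dtor->numCerts == dtor->arrSize) {
                NSSCertificate **grown = nss_ZREALLOCARRAY(dtor->certs,
                                                           NSSCertificate *,
                                                           dtor->arrSize * 2);
                if (grown) {
                    dtor->certs = grown;
                    dtor->arrSize *= 2;
                } else {
                    dtor->allocFailed = PR_TRUE; /* proposed new PRBool field */
                }
            }
    /* … unchanged: break, unlock … */
```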
@@ -477,12 +495,72 @@ nssTrustDomain_RemoveTokenCertsFromCache NSSToken *token ) { - struct token_cert_destructor tcd; - tcd.cache = td->cache; - tcd.token = token; + NSSCertificate **certs; + PRUint32 i, arrSize = 10; + struct token_cert_dtor dtor; + certs = nss_ZNEWARRAY(NULL, NSSCertificate *, arrSize); + if (!certs) { + return PR_FAILURE; + } + dtor.cache = td->cache; + dtor.token = token; + dtor.certs = certs; + dtor.numCerts = 0; + dtor.arrSize = arrSize; PZ_Lock(td->cache->lock); - nssHash_Iterate(td->cache->issuerAndSN, remove_token_certs, (void *)&tcd); + nssHash_Iterate(td->cache->issuerAndSN, remove_token_certs, (void *)&dtor); PZ_Unlock(td->cache->lock); + for (i=0; iobject.numInstances == 0) { + nssTrustDomain_RemoveCertFromCache(td, dtor.certs[i]); + } else { + STAN_ForceCERTCertificateUpdate(dtor.certs[i]); + } + nssCertificate_Destroy(dtor.certs[i]); + } + nss_ZFreeIf(dtor.certs); + return PR_SUCCESS; +} + +NSS_IMPLEMENT PRStatus +nssTrustDomain_UpdateCachedTokenCerts +( + NSSTrustDomain *td, + NSSToken *token +) +{ + NSSCertificate **cp, **cached = NULL; + nssList *certList; + PRUint32 count; + certList = nssList_Create(NULL, PR_FALSE); + if (!certList) return PR_FAILURE; + (void *)nssTrustDomain_GetCertsFromCache(td, certList); + count = nssList_Count(certList); + if (count > 0) { + cached = nss_ZNEWARRAY(NULL, NSSCertificate *, count + 1); + if (!cached) { + return PR_FAILURE; + } + nssList_GetArray(certList, (void **)cached, count); + nssList_Destroy(certList); + for (cp = cached; *cp; cp++) { + nssCryptokiObject *instance; + NSSCertificate *c = *cp; + nssTokenSearchType tokenOnly = nssTokenSearchType_TokenOnly; + instance = nssToken_FindCertificateByIssuerAndSerialNumber( + token, + NULL, + &c->issuer, + &c->serial, + tokenOnly, + NULL); + if (instance) { + nssPKIObject_AddInstance(&c->object, instance); + STAN_ForceCERTCertificateUpdate(c); + } + } + nssCertificateArray_Destroy(cached); + } return PR_SUCCESS; }
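Review bot: nssTrustDomain_UpdateCachedTokenCerts leaks `certList` on two paths: when `count` is 0 the list is never destroyed, because `nssList_Destroy(certList)` sits inside `if (count > 0)`, and the `if (!cached)` early return skips it as well. Destroy the list on every exit by changing the failure path to `if (!cached) { nssList_Destroy(certList); return PR_FAILURE; }` and moving the existing `nssList_Destroy(certList);` to just before the final `return PR_SUCCESS;`. The `(void *)` cast on the nssTrustDomain_GetCertsFromCache call should be `(void)` if the result is meant to be ignored. In nssTrustDomain_RemoveTokenCertsFromCache the loop after the hash iteration is truncated in the page text and was not reviewed.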