diff --git a/common/constants.c b/common/constants.c
index f4aa66b..2d2ca21 100644
--- a/common/constants.c
+++ b/common/constants.c
@@ -149,16 +149,17 @@ const p11_constant p11_constant_types[] = {
 	CT (CKA_NSS_PASSWORD_CHECK, "nss-password-check")
 	CT (CKA_NSS_EXPIRES, "nss-expires")
 	CT (CKA_NSS_KRL, "nss-krl")
 	CT (CKA_NSS_PQG_COUNTER, "nss-pqg-counter")
 	CT (CKA_NSS_PQG_SEED, "nss-pqg-seed")
 	CT (CKA_NSS_PQG_H, "nss-pqg-h")
 	CT (CKA_NSS_PQG_SEED_BITS, "nss-pqg-seed-bits")
 	CT (CKA_NSS_MODULE_SPEC, "nss-module-spec")
+	CT (CKA_NSS_MOZILLA_CA_POLICY, "nss-mozilla-ca-policy")
 	CT (CKA_TRUST_DIGITAL_SIGNATURE, "trust-digital-signature")
 	CT (CKA_TRUST_NON_REPUDIATION, "trust-non-repudiation")
 	CT (CKA_TRUST_KEY_ENCIPHERMENT, "trust-key-encipherment")
 	CT (CKA_TRUST_DATA_ENCIPHERMENT, "trust-data-encipherment")
 	CT (CKA_TRUST_KEY_AGREEMENT, "trust-key-agreement")
 	CT (CKA_TRUST_KEY_CERT_SIGN, "trust-key-cert-sign")
 	CT (CKA_TRUST_CRL_SIGN, "trust-crl-sign")
 	CT (CKA_TRUST_SERVER_AUTH, "trust-server-auth")
diff --git a/common/pkcs11x.h b/common/pkcs11x.h
index 4a89f73..d5e1d74 100644
--- a/common/pkcs11x.h
+++ b/common/pkcs11x.h
@@ -69,16 +69,17 @@ extern "C" {
 #define CKA_NSS_PASSWORD_CHECK          0xce534356UL
 #define CKA_NSS_EXPIRES                 0xce534357UL
 #define CKA_NSS_KRL                     0xce534358UL
 #define CKA_NSS_PQG_COUNTER             0xce534364UL
 #define CKA_NSS_PQG_SEED                0xce534365UL
 #define CKA_NSS_PQG_H                   0xce534366UL
 #define CKA_NSS_PQG_SEED_BITS           0xce534367UL
 #define CKA_NSS_MODULE_SPEC             0xce534368UL
+#define CKA_NSS_MOZILLA_CA_POLICY       0xce534372UL
 
 /* NSS trust attributes */
 #define CKA_TRUST_DIGITAL_SIGNATURE     0xce536351UL
 #define CKA_TRUST_NON_REPUDIATION       0xce536352UL
 #define CKA_TRUST_KEY_ENCIPHERMENT      0xce536353UL
 #define CKA_TRUST_DATA_ENCIPHERMENT     0xce536354UL
 #define CKA_TRUST_KEY_AGREEMENT         0xce536355UL
 #define CKA_TRUST_KEY_CERT_SIGN         0xce536356UL
diff --git a/trust/builder.c b/trust/builder.c
index e0ce370..5b20c79 100644
--- a/trust/builder.c
+++ b/trust/builder.c
@@ -787,16 +787,17 @@ certificate_validate (p11_builder *builder,
 }
 
 const static builder_schema certificate_schema = {
 	NORMAL_BUILD,
 	{ COMMON_ATTRS,
 	  { CKA_CERTIFICATE_TYPE, REQUIRE | CREATE, type_ulong },
 	  { CKA_TRUSTED, CREATE | WANT, type_bool },
 	  { CKA_X_DISTRUSTED, CREATE | WANT, type_bool },
+	  { CKA_NSS_MOZILLA_CA_POLICY, CREATE | WANT, type_bool },
 	  { CKA_CERTIFICATE_CATEGORY, CREATE | WANT, type_ulong },
 	  { CKA_CHECK_VALUE, CREATE | WANT, },
 	  { CKA_START_DATE, CREATE | MODIFY | WANT, type_date },
 	  { CKA_END_DATE, CREATE | MODIFY | WANT, type_date },
 	  { CKA_SUBJECT, CREATE | WANT, type_der_name },
 	  { CKA_ID, CREATE | MODIFY | WANT },
 	  { CKA_ISSUER, CREATE | MODIFY | WANT, type_der_name },
 	  { CKA_SERIAL_NUMBER, CREATE | MODIFY | WANT, type_der_serial },
diff --git a/trust/persist.c b/trust/persist.c
index ae76342..4c47b64 100644
--- a/trust/persist.c
+++ b/trust/persist.c
@@ -195,16 +195,17 @@ format_bool (CK_ATTRIBUTE *attr,
 	case CKA_MODIFIABLE:
 	case CKA_SECONDARY_AUTH:
 	case CKA_ALWAYS_AUTHENTICATE:
 	case CKA_WRAP_WITH_TRUSTED:
 	case CKA_RESET_ON_INIT:
 	case CKA_HAS_RESET:
 	case CKA_COLOR:
 	case CKA_X_DISTRUSTED:
+	case CKA_NSS_MOZILLA_CA_POLICY:
 		break;
 	default:
 		return false;
 	}
 
 	value = attr->pValue;
 	if (*value == CK_TRUE)
 		p11_buffer_add (buf, "true", -1);