diff --git a/blacklist.txt b/blacklist.txt
index 8d57b86..4f31526 100644
--- a/blacklist.txt
+++ b/blacklist.txt
@@ -3,3 +3,24 @@
 # MD5 Collision Proof of Concept CA
 "MD5 Collisions Forged Rogue CA 25c3"
+# Obtained from certdata.txt version 1.86 on Wed Oct 24 13:49:41 EDT 2012 by Paul Wouters
+"Bogus Mozilla Addons"
+"Bogus Global Trustee"
+"Bogus GMail"
+"Bogus Google"
+"Bogus Skype"
+"Bogus Yahoo 1"
+"Bogus Yahoo 2"
+"Bogus Yahoo 3"
+"Bogus live.com"
+"Bogus kuix.de"
+"Explicitly Distrust DigiNotar Root CA"
+"Explicitly Distrust DigiNotar Services 1024 CA"
+"Explicitly Distrust DigiNotar Cyber CA"
+"Explicitly Distrust DigiNotar Cyber CA 2nd"
+"Explicitly Distrusted DigiNotar PKIoverheid"
+"Explicitly Distrusted DigiNotar PKIoverheid G2"
+"Explicitly Distrusted Malaysian Digicert Sdn. Bhd. (cyb)"
+"Explicitly Distrusted Malaysian Digicert Sdn. Bhd. (en)"
+"MITM subCA 1 issued by Trustwave"
+"MITM subCA 2 issued by Trustwave"
diff --git a/ca-certificates.spec b/ca-certificates.spec
index 129cdb2..1aa0041 100644
--- a/ca-certificates.spec
+++ b/ca-certificates.spec
@@ -7,16 +7,16 @@
 #
 # Keep the RCS version in sync with the spec Version.
 #
-# The real url is:
-# https://hg.mozilla.org/mozilla-central/raw-file/d3de9d8e2b5b/security/nss/lib/ckfw/builtins/certdata.txt
-
+# Note: This will give us the experimental version, not one that
+# Firefox deems "stable". For that, we should check a firefox
+# release branch for the certdata.txt version.
 %define pkidir %{_sysconfdir}/pki
 Summary: The Mozilla CA root certificate bundle
 Name: ca-certificates
 Version: 2012.86
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: Public Domain
 Group: System Environment/Base
 URL: http://www.mozilla.org/
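Review bot: The entries added in this hunk appear to be keyed only on the certificate's CKA_LABEL string (the certdata2pem.py hunk later in this commit reports unmatched objects by label), so a blacklist entry silently stops matching the moment Mozilla renames a label — the list already carries both "Explicitly Distrust" and "Explicitly Distrusted" spellings for the DigiNotar entries, which shows how unstable the naming is. Consider recording a label-independent identifier next to each entry, for example a comment with the certificate's serial or fingerprint as given in certdata.txt, so that a non-matching entry can be audited without re-reading the upstream file. The added header line could also state the matching rule, e.g. `# Each entry is the exact CKA_LABEL from certdata.txt and must match byte-for-byte`. The changelog says 20 entries and this hunk adds 20 quoted labels, which is consistent.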
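Review bot: The new comment at the top of this hunk says "This will give us the experimental version" without saying what "This" refers to, because the two removed lines just above it were the only place the certdata.txt fetch location (the hg.mozilla.org URL with its pinned revision) was recorded; a reader of the spec can no longer tell where the bundle for Version 2012.86 comes from. Keep the location in the comment alongside the caveat — restore the URL line from the removed text, or at least a line such as `# certdata.txt source: <URL and revision used for this Version>` — so the provenance of a trust-store update stays auditable from the spec alone. The Release bump itself needs no change.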
@@ -122,6 +122,10 @@ rm -rf $RPM_BUILD_ROOT
 %{_sysconfdir}/ssl/certs
 %changelog
+* Wed Oct 24 2012 Paul Wouters - 2012.86-2
+- Updated blacklist with 20 entries (Diginotar, Trustwave, Comodo(?)
+- Fix to certdata2pem.py to also check for CKT_NSS_NOT_TRUSTED
+
 * Tue Oct 23 2012 Paul Wouters - 2012.86-1
 - update to r1.86
diff --git a/certdata2pem.py b/certdata2pem.py
index c22946d..00e24ea 100644
--- a/certdata2pem.py
+++ b/certdata2pem.py
@@ -104,7 +104,8 @@ for obj in objects:
             trust[obj['CKA_LABEL']] = True
         elif obj['CKA_TRUST_CODE_SIGNING'] == 'CKT_NSS_TRUSTED_DELEGATOR':
             trust[obj['CKA_LABEL']] = True
-        elif obj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_UNTRUSTED':
+        # NSS recently changed CKT_NSS_UNTRUSTED to CKT_NSS_NOT_TRUSTED
+        elif obj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_UNTRUSTED' or obj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED':
             print '!'*74
             print "UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: %s" % obj['CKA_LABEL']
             print '!'*74
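Review bot: The new `elif` in the certdata2pem.py hunk is still evaluated after the trusted branches above it, so an object carrying `CKT_NSS_TRUSTED_DELEGATOR` for code signing but `CKT_NSS_NOT_TRUSTED` for server auth takes the earlier branch, is recorded in `trust`, and never reaches the warning; whether certdata.txt contains such mixed entries is not visible here, but a distrust marker should be tested before the trust markers, not after them. Only `CKA_TRUST_SERVER_AUTH` is examined for the distrusted case, so an object distrusted solely for email or code signing would presumably pass silently as well — the preceding branches are cut off by the hunk, so this is inferred. As a matter of style the duplicated lookup reads better as `elif obj['CKA_TRUST_SERVER_AUTH'] in ('CKT_NSS_UNTRUSTED', 'CKT_NSS_NOT_TRUSTED'):`. The enclosing `for obj in objects:` loop and the start of the if/elif chain lie outside the hunk.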