diff --git a/lib/pki/pki3hack.c b/lib/pki/pki3hack.c
--- a/lib/pki/pki3hack.c
+++ b/lib/pki/pki3hack.c
@@ -921,11 +921,11 @@
 }
 if (!cc->nssCertificate || forceUpdate) {
 fill_CERTCertificateFields(c, cc, forceUpdate);
- } else if (CERT_GetCertTrust(cc, &certTrust) != SECSuccess &&
- !c->object.cryptoContext) {
- /* if it's a perm cert, it might have been stored before the
- * trust, so look for the trust again. But a temp cert can be
- * ignored.
+ } else if (CERT_GetCertTrust(cc, &certTrust) != SECSuccess) {
+ /* If it's a perm cert, it might have been stored before the
+ * trust, so look for the trust again. If it's a temp cert, it
+ * might have been stored before the builtin module is loaded,
+ * so still need to look for the trust again.
 */
 CERTCertTrust *trust = NULL;
 trust = nssTrust_GetCERTCertTrustForCert(c, cc);
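Review bot: With the `!c->object.cryptoContext` guard removed, the `else if` branch now runs the trust lookup for every temp cert whose `CERT_GetCertTrust` call fails, and a temp cert that has no trust record anywhere will presumably fail that check again on each later call, so the lookup repeats every time. It is worth confirming that `nssTrust_GetCERTCertTrustForCert` is cheap enough for that path and that the store of its result, which is outside this hunk, is synchronised with concurrent readers, since temp certs may be shared between threads. The new comment could also say why the retry matters for validation, for example `/* Trust includes explicit distrust from the builtin module, so a temp cert must not keep a stale "no trust" answer. */`; that wording is inferred from the comment text and should be checked against the trust code. The enclosing function starts and ends outside the hunk.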