diff --git a/openldap-tlsmc.patch b/openldap-tlsmc.patch
index d781817..c6957d8 100644
--- a/openldap-tlsmc.patch
+++ b/openldap-tlsmc.patch
@@ -1,7 +1,7 @@
 MozNSS Interception Code
 
 Author: Matus Honek <mhonek@redhat.com>
-Date: Mon Nov 27 16:03:42 CET 2017
+Date: Wed Jan 10 23:30:56 CET 2018
 diff --git a/configure.in b/configure.in
 --- a/configure.in
 +++ b/configure.in
@@ -236,10 +236,11 @@ diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
  	if ( is_server && !lts.lt_certfile && !lts.lt_keyfile &&
  		!lts.lt_cacertfile && !lts.lt_cacertdir ) {
  		/* minimum configuration not provided */
-@@ -573,6 +598,21 @@ ldap_int_tls_config( LDAP *ld, int option, const char *arg )
+@@ -572,6 +597,21 @@ ldap_int_tls_config( LDAP *ld, int option, const char *arg )
+ 			return ldap_pvt_tls_set_option( ld, option, &i );
  		}
  		return -1;
- #endif
++#endif
 +#ifdef HAVE_MOZNSS_COMPATIBILITY
 +	case LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY:
 +		i = -1;
@@ -254,10 +255,9 @@ diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
 +			i = LDAP_OPT_X_TLS_MOZNSS_COMPATIBILITY_DISABLED;
 +		}
 +		return ldap_pvt_tls_set_option( ld, option, &i );
-+#endif
+ #endif
  	}
  	return -1;
- }
 @@ -675,6 +715,9 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
  	case LDAP_OPT_X_TLS_CONNECT_ARG:
  		*(void **)arg = lo->ldo_tls_connect_arg;
@@ -283,7 +283,7 @@ diff --git a/libraries/libldap/tls_mc.c b/libraries/libldap/tls_mc.c
 new file mode 100644
 --- /dev/null
 +++ b/libraries/libldap/tls_mc.c
-@@ -0,0 +1,1179 @@
+@@ -0,0 +1,1211 @@
 +#include "portable.h"
 +
 +#ifdef HAVE_MOZNSS_COMPATIBILITY
@@ -742,6 +742,7 @@ new file mode 100644
 +{
 +	int rv = 0;
 +	char *data = NULL;
++	char *checksum = NULL;
 +
 +	/* gather data */
 +	data = PR_sprintf_append( data,
@@ -777,7 +778,6 @@ new file mode 100644
 +	}
 +
 +	/* compute data checksum */
-+	char *checksum = NULL;
 +	if ( 1 != tlsmc_hash( &checksum, (const char*) data ) ) {
 +		checksum = NULL;
 +		goto bail;
@@ -1060,6 +1060,11 @@ new file mode 100644
 +	CERTCertificate *cert = NULL;
 +	char *cert_file_path = NULL;
 +	char *key_file_path = NULL;
++	char *file_realpath = NULL;
++
++
++	cert_file_path = PR_smprintf( "%s/cert.pem", dir_name );
++	key_file_path = PR_smprintf( "%s/key.pem", dir_name );
 +
 +	if ( NULL == nickname ) {
 +		Debug( LDAP_DEBUG_ANY,
@@ -1075,40 +1080,65 @@ new file mode 100644
 +		       0, 0, 0 );
 +		goto bail;
 +	}
-+	if ( NULL == ( cert = PK11_FindCertFromNickname(nickname, NULL) ) ) {
++	if ( NULL != ( cert = PK11_FindCertFromNickname(nickname, NULL) ) ) {
++		/* extract cert/key from NSS db */
++
++		Debug( LDAP_DEBUG_TRACE,
++		       "tlsmc_extract_cert_key_pair: INFO: extracting certificate `%s' to file `%s'.\n",
++		       nickname, cert_file_path, 0 );
++		if ( 0 == tlsmc_extract_cert_to_file(certHandle, cert, cert_file_path) ) {
++			Debug( LDAP_DEBUG_ANY,
++			       "tlsmc_extract_cert_key_pair: ERROR: could not extract certificate.\n",
++			       0, 0, 0 );
++			goto bail;
++		}
++
++		Debug( LDAP_DEBUG_TRACE,
++		       "tlsmc_extract_cert_key_pair: INFO: extracting associated PK to file `%s'.\n",
++		       key_file_path, 0, 0 );
++		if ( 0 == tlsmc_extract_key_of_cert_to_file( cert, pin_filename, key_file_path ) ) {
++			Debug( LDAP_DEBUG_ANY,
++			       "tlsmc_extract_cert_key_pair: ERROR: could not extract PK.\n",
++			       0, 0, 0 );
++			goto bail;
++		}
++	} else {
++		/* symlink PEM cert/key PEM files */
++
 +		Debug( LDAP_DEBUG_ANY,
-+		       "tlsmc_extract_cert_key_pair: ERROR: could not find certificate with nickname `%s'.\n",
++		       "tlsmc_extract_cert_key_pair: INFO: could not find certificate with nickname `%s', expecting a PEM file.\n",
 +		       nickname, 0, 0 );
-+		goto bail;
-+	}
 +
-+	/* cert */
-+	cert_file_path = PR_smprintf( "%s/cert.pem", dir_name );
-+	Debug( LDAP_DEBUG_TRACE,
-+	       "tlsmc_extract_cert_key_pair: INFO: extracting certificate `%s' to file `%s'.\n",
-+	       nickname, cert_file_path, 0 );
-+	if ( 0 == tlsmc_extract_cert_to_file(certHandle, cert, cert_file_path) ) {
-+		Debug( LDAP_DEBUG_ANY,
-+		       "tlsmc_extract_cert_key_pair: ERROR: could not extract certificate.\n",
-+		       0, 0, 0 );
-+		goto bail;
-+	}
++		Debug( LDAP_DEBUG_TRACE,
++		       "tlsmc_extract_cert_key_pair: INFO: symlinking certificate file `%s' to file `%s'.\n",
++		       nickname, cert_file_path, 0 );
++		if ( NULL == ( file_realpath = realpath( nickname, NULL ) ) ) {
++			perror( "Could not get the realpath" );
++			goto bail;
++		}
++		if ( -1 == symlink( file_realpath, cert_file_path ) ) {
++			perror( "Could not create a symlink" );
++			goto bail;
++		}
++		if ( file_realpath ) free( file_realpath );
 +
-+	/* key */
-+	key_file_path = PR_smprintf( "%s/key.pem", dir_name );
-+	Debug( LDAP_DEBUG_TRACE,
-+	       "tlsmc_extract_cert_key_pair: INFO: extracting associated PK to file `%s'.\n",
-+	       key_file_path, 0, 0 );
-+	if ( 0 == tlsmc_extract_key_of_cert_to_file( cert, pin_filename, key_file_path ) ) {
-+		Debug( LDAP_DEBUG_ANY,
-+		       "tlsmc_extract_cert_key_pair: ERROR: could not extract PK.\n",
-+		       0, 0, 0 );
-+		goto bail;
++		Debug( LDAP_DEBUG_TRACE,
++		       "tlsmc_extract_cert_key_pair: INFO: symlinking PK file `%s' to file `%s'.\n",
++		       pin_filename, key_file_path, 0 );
++		if ( NULL == ( file_realpath = realpath( pin_filename, NULL ) ) ) {
++			perror( "Could not get the realpath" );
++			goto bail;
++		}
++		if ( -1 == symlink( file_realpath, key_file_path ) ) {
++			perror( "Could not create a symlink" );
++			goto bail;
++		}
 +	}
 +
 +	rv = 1;
 +
 +bail:
++	if (file_realpath) free(file_realpath);
 +	if (key_file_path) PR_smprintf_free(key_file_path);
 +	if (cert_file_path) PR_smprintf_free(cert_file_path);
 +	if (cert) CERT_DestroyCertificate(cert);
@@ -1366,7 +1396,8 @@ new file mode 100644
 +	if (*ld_cert) free(*ld_cert);
 +	*ld_cert = PR_smprintf( "%s/" TLSMC_CERT_FILE_NAME, pem_dir );
 +	if ( ! ( ( 0 == stat( *ld_cert, &stat_buf ) )
-+	         && S_ISREG(stat_buf.st_mode) ) ) {
++	         && ( S_ISREG(stat_buf.st_mode)
++	              || S_ISLNK(stat_buf.st_mode) ) ) ) {
 +		Debug( LDAP_DEBUG_ANY,
 +		       "tlsmc_convert: WARN: extracted cert file is not present.\n",
 +		       0, 0, 0 );
@@ -1376,7 +1407,8 @@ new file mode 100644
 +	if (*ld_key) free(*ld_key);
 +	*ld_key = PR_smprintf( "%s/" TLSMC_KEY_FILE_NAME, pem_dir );
 +	if ( ! ( ( 0 == stat( *ld_key, &stat_buf ) )
-+	         && S_ISREG(stat_buf.st_mode) ) ) {
++	         && ( S_ISREG(stat_buf.st_mode)
++	              || S_ISLNK(stat_buf.st_mode) ) ) ) {
 +		Debug( LDAP_DEBUG_ANY,
 +		       "tlsmc_convert: WARN: extracted key file is not present.\n",
 +		       0, 0, 0 );
diff --git a/openldap.spec b/openldap.spec
index fc87060..86a6c9a 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -5,7 +5,7 @@
 
 Name: openldap
 Version: 2.4.45
-Release: 6%{?dist}
+Release: 7%{?dist}
 Summary: LDAP support libraries
 Group: System Environment/Daemons
 License: OpenLDAP
@@ -516,6 +516,11 @@ exit 0
 %{_mandir}/man3/*
 
 %changelog
+* Wed Feb  7 2018 Matus Honek <mhonek@redhat.com> - 2.4.45-7
+- MozNSS Compat. Layer fixes (#1400570)
+  - Enable usage of NSS DB with PEM cert/key (orig. #1525485)
+    + Fix a possible invalid dereference (covscan)
+
 * Sat Jan 20 2018 Björn Esser <besser82@fedoraproject.org> - 2.4.45-6
 - Rebuilt for switch to libxcrypt