diff --git a/security/manager/ssl/public/nsIX509CertDB.idl b/security/manager/ssl/public/nsIX509CertDB.idl
index 94a81e163c26..1261bc47038f 100644
--- a/security/manager/ssl/public/nsIX509CertDB.idl
+++ b/security/manager/ssl/public/nsIX509CertDB.idl
@@ -19,7 +19,7 @@ interface nsIX509CertList;
 #define NS_X509CERTDB_CONTRACTID "@mozilla.org/security/x509certdb;1"
 %}
 
-[scriptable, function, uuid(48411e2d-85a9-4b16-bec8-e30cde801f9e)]
+[scriptable, function, uuid(25a048e8-bb1c-4c33-ad3a-eacf2ad9e9ee)]
 interface nsIOpenSignedJARFileCallback : nsISupports
 {
   void openSignedJARFileFinished(in nsresult rv,
@@ -261,6 +261,16 @@ interface nsIX509CertDB : nsISupports {
    */
   nsIX509Cert constructX509FromBase64(in string base64);
 
+  /*
+   *  Decode a raw data presentation and instantiate an object in memory.
+   *
+   *  @param certDER The raw representation of a certificate,
+   *                 encoded as raw DER.
+   *  @param length  The length of the DER string.
+   *  @return The new certificate object.
+   */
+  nsIX509Cert constructX509(in string certDER, in unsigned long length);
+
   /*
    *  Obtain a reference to the appropriate service for recent
    *  bad certificates. May only be called on the main thread.
diff --git a/security/manager/ssl/src/nsNSSCertificateDB.cpp b/security/manager/ssl/src/nsNSSCertificateDB.cpp
index 5c42394f81b7..3323b7f9de66 100644
--- a/security/manager/ssl/src/nsNSSCertificateDB.cpp
+++ b/security/manager/ssl/src/nsNSSCertificateDB.cpp
@@ -1398,7 +1398,9 @@ nsNSSCertificateDB::ConstructX509FromBase64(const char *base64,
   if (isAlreadyShutDown()) {
     return NS_ERROR_NOT_AVAILABLE;
   }
-  NS_ENSURE_ARG_POINTER(_retval);
+  if (NS_WARN_IF(!_retval)) {
+    return NS_ERROR_INVALID_POINTER;
+  }
 
   // sure would be nice to have a smart pointer class for PL_ allocations
   // unfortunately, we cannot distinguish out-of-memory from bad-input here
@@ -1421,6 +1423,24 @@ nsNSSCertificateDB::ConstructX509FromBase64(const char *base64,
       lengthDER--;
   }
 
+  nsresult rv = ConstructX509(certDER, lengthDER, _retval);
+  PL_strfree(certDER);
+  return rv;
+}
+
+/* nsIX509Cert constructX509 (in string certDER, unsigned long len); */
+NS_IMETHODIMP
+nsNSSCertificateDB::ConstructX509(const char* certDER,
+                                  uint32_t lengthDER,
+                                  nsIX509Cert** _retval)
+{
+  nsNSSShutDownPreventionLock locker;
+  if (isAlreadyShutDown()) {
+    return NS_ERROR_NOT_AVAILABLE;
+  }
+  if (NS_WARN_IF(!_retval)) {
+    return NS_ERROR_INVALID_POINTER;
+  }
 
   SECItem secitem_cert;
   secitem_cert.type = siDERCertBuffer;
@@ -1431,8 +1451,6 @@ nsNSSCertificateDB::ConstructX509FromBase64(const char *base64,
   cert =
     CERT_NewTempCertificate(CERT_GetDefaultCertDB(), &secitem_cert,
                             nullptr, false, true);
-  PL_strfree(certDER);
-
   if (!cert)
     return (PORT_GetError() == SEC_ERROR_NO_MEMORY)
       ? NS_ERROR_OUT_OF_MEMORY : NS_ERROR_FAILURE;