diff --git a/security/manager/ssl/public/nsIX509Cert.idl b/security/manager/ssl/public/nsIX509Cert.idl
index 6082d9e7cf0c..09639a5eb2d8 100644
--- a/security/manager/ssl/public/nsIX509Cert.idl
+++ b/security/manager/ssl/public/nsIX509Cert.idl
@@ -124,6 +124,7 @@ interface nsIX509Cert : nsISupports {
   readonly attribute wstring issuedDate;
   readonly attribute wstring expiresDate;
   readonly attribute wstring tokenName;
+  readonly attribute wstring issuerOrganization;
 
   readonly attribute nsIX509CertValidity validity;
   readonly attribute string dbKey;
diff --git a/security/manager/ssl/resources/locale/en-US/pipnss.properties b/security/manager/ssl/resources/locale/en-US/pipnss.properties
index 2569ffe878cf..587248ffaa0c 100644
--- a/security/manager/ssl/resources/locale/en-US/pipnss.properties
+++ b/security/manager/ssl/resources/locale/en-US/pipnss.properties
@@ -127,3 +127,5 @@ PKCS12PasswordInvalid=Could not decode PKCS#12 file.  Perhaps the password you e
 PKCS12DecodeErr=Failed to decode the file.  Either it is not in PKCS#12 format, has been corrupted, or the password you entered was incorrect.
 PKCS12UnknownErrRestore=Failed to restore the PKCS#12 file for unknown reasons.
 PKCS12UnknownErrBackup=Failed to backup the PKCS#12 file for unknown reasons.
+UnknownCertIssuer=(Unknown Issuer)
+UnknownCertOrg=(Unknown Organization)
diff --git a/security/manager/ssl/src/nsCertOutliner.cpp b/security/manager/ssl/src/nsCertOutliner.cpp
index d18e0670d829..e780016b450e 100644
--- a/security/manager/ssl/src/nsCertOutliner.cpp
+++ b/security/manager/ssl/src/nsCertOutliner.cpp
@@ -105,17 +105,17 @@ nsCertOutliner::CmpByToken(nsIX509Cert *a, nsIX509Cert *b)
   return cmp1;
 }
 
-// CmpByOrg
+// CmpByIssuerOrg
 //
 // Compare two certificates by their O= field.  Returns -1, 0, 1 as
 // in strcmp.  No organization (null) is treated as <.
 PRInt32
-nsCertOutliner::CmpByOrg(nsIX509Cert *a, nsIX509Cert *b)
+nsCertOutliner::CmpByIssuerOrg(nsIX509Cert *a, nsIX509Cert *b)
 {
   PRInt32 cmp1;
   nsXPIDLString aOrg, bOrg;
-  a->GetOrganization(getter_Copies(aOrg));
-  b->GetOrganization(getter_Copies(bOrg));
+  a->GetIssuerOrganization(getter_Copies(aOrg));
+  b->GetIssuerOrganization(getter_Copies(bOrg));
   if (aOrg != nsnull && bOrg != nsnull) {
     nsAutoString aStr(aOrg);
     cmp1 = aStr.CompareWithConversion(bOrg);
@@ -145,17 +145,17 @@ nsCertOutliner::CmpByName(nsIX509Cert *a, nsIX509Cert *b)
   return cmp1;
 }
 
-// CmpByTok_Org_Name
+// CmpByTok_IssuerOrg_Name
 //
-// Compare two certificates by token name, organization, and common name,
-// in that order.  Used to sort cert list.
+// Compare two certificates by token name, issuer organization, 
+// and common name, in that order.  Used to sort cert list.
 PRInt32
-nsCertOutliner::CmpByTok_Org_Name(nsIX509Cert *a, nsIX509Cert *b)
+nsCertOutliner::CmpByTok_IssuerOrg_Name(nsIX509Cert *a, nsIX509Cert *b)
 {
   PRInt32 cmp;
   cmp = CmpByToken(a, b);
   if (cmp != 0) return cmp;
-  cmp = CmpByOrg(a, b);
+  cmp = CmpByIssuerOrg(a, b);
   if (cmp != 0) return cmp;
   return CmpByName(a, b);
 }
@@ -180,7 +180,7 @@ nsCertOutliner::CountOrganizations()
     isupport = dont_AddRef(mCertArray->ElementAt(i));
     nextCert = do_QueryInterface(isupport);
     if (!(CmpByToken(orgCert, nextCert) == 0 &&
-          CmpByOrg(orgCert, nextCert) == 0)) {
+          CmpByIssuerOrg(orgCert, nextCert) == 0)) {
       orgCert = nextCert;
       orgCount++;
     }
@@ -263,7 +263,7 @@ nsCertOutliner::LoadCerts(const PRUint32 aType)
   nsCOMPtr<nsIX509CertDB> certdb = do_GetService(NS_X509CERTDB_CONTRACTID);
   if (certdb == nsnull) return NS_ERROR_FAILURE;
   rv = certdb->GetCertsByType(aType, 
-                              CmpByTok_Org_Name,
+                              CmpByTok_IssuerOrg_Name,
                               getter_AddRefs(mCertArray));
   if (NS_FAILED(rv)) return rv;
   PRUint32 count;
@@ -276,14 +276,14 @@ nsCertOutliner::LoadCerts(const PRUint32 aType)
   nsCOMPtr<nsISupports> isupport = dont_AddRef(mCertArray->ElementAt(j));
   nsCOMPtr<nsIX509Cert> orgCert = do_QueryInterface(isupport);
   for (PRInt32 i=0; i<mNumOrgs; i++) {
-    orgCert->GetOrganization(&mOutlinerArray[i].orgName);
+    orgCert->GetIssuerOrganization(&mOutlinerArray[i].orgName);
     mOutlinerArray[i].open = PR_TRUE;
     mOutlinerArray[i].certIndex = j;
     mOutlinerArray[i].numChildren = 1;
     if (++j >= count) break;
     isupport = dont_AddRef(mCertArray->ElementAt(j));
     nsCOMPtr<nsIX509Cert> nextCert = do_QueryInterface(isupport);
-    while (CmpByOrg(orgCert, nextCert) == 0) {
+    while (CmpByIssuerOrg(orgCert, nextCert) == 0) {
       mOutlinerArray[i].numChildren++;
       if (++j >= count) break;
       isupport = dont_AddRef(mCertArray->ElementAt(j));
diff --git a/security/manager/ssl/src/nsCertOutliner.h b/security/manager/ssl/src/nsCertOutliner.h
index 040c1c8e1409..c9d29caa81a6 100644
--- a/security/manager/ssl/src/nsCertOutliner.h
+++ b/security/manager/ssl/src/nsCertOutliner.h
@@ -58,9 +58,9 @@ public:
 
 protected:
   static PRInt32 CmpByToken(nsIX509Cert *a, nsIX509Cert *b);
-  static PRInt32 CmpByOrg(nsIX509Cert *a, nsIX509Cert *b);
+  static PRInt32 CmpByIssuerOrg(nsIX509Cert *a, nsIX509Cert *b);
   static PRInt32 CmpByName(nsIX509Cert *a, nsIX509Cert *b);
-  static PRInt32 CmpByTok_Org_Name(nsIX509Cert *a, nsIX509Cert *b);
+  static PRInt32 CmpByTok_IssuerOrg_Name(nsIX509Cert *a, nsIX509Cert *b);
   PRInt32 CountOrganizations();
 
 private:
diff --git a/security/manager/ssl/src/nsCertTree.cpp b/security/manager/ssl/src/nsCertTree.cpp
index d18e0670d829..e780016b450e 100644
--- a/security/manager/ssl/src/nsCertTree.cpp
+++ b/security/manager/ssl/src/nsCertTree.cpp
@@ -105,17 +105,17 @@ nsCertOutliner::CmpByToken(nsIX509Cert *a, nsIX509Cert *b)
   return cmp1;
 }
 
-// CmpByOrg
+// CmpByIssuerOrg
 //
 // Compare two certificates by their O= field.  Returns -1, 0, 1 as
 // in strcmp.  No organization (null) is treated as <.
 PRInt32
-nsCertOutliner::CmpByOrg(nsIX509Cert *a, nsIX509Cert *b)
+nsCertOutliner::CmpByIssuerOrg(nsIX509Cert *a, nsIX509Cert *b)
 {
   PRInt32 cmp1;
   nsXPIDLString aOrg, bOrg;
-  a->GetOrganization(getter_Copies(aOrg));
-  b->GetOrganization(getter_Copies(bOrg));
+  a->GetIssuerOrganization(getter_Copies(aOrg));
+  b->GetIssuerOrganization(getter_Copies(bOrg));
   if (aOrg != nsnull && bOrg != nsnull) {
     nsAutoString aStr(aOrg);
     cmp1 = aStr.CompareWithConversion(bOrg);
@@ -145,17 +145,17 @@ nsCertOutliner::CmpByName(nsIX509Cert *a, nsIX509Cert *b)
   return cmp1;
 }
 
-// CmpByTok_Org_Name
+// CmpByTok_IssuerOrg_Name
 //
-// Compare two certificates by token name, organization, and common name,
-// in that order.  Used to sort cert list.
+// Compare two certificates by token name, issuer organization, 
+// and common name, in that order.  Used to sort cert list.
 PRInt32
-nsCertOutliner::CmpByTok_Org_Name(nsIX509Cert *a, nsIX509Cert *b)
+nsCertOutliner::CmpByTok_IssuerOrg_Name(nsIX509Cert *a, nsIX509Cert *b)
 {
   PRInt32 cmp;
   cmp = CmpByToken(a, b);
   if (cmp != 0) return cmp;
-  cmp = CmpByOrg(a, b);
+  cmp = CmpByIssuerOrg(a, b);
   if (cmp != 0) return cmp;
   return CmpByName(a, b);
 }
@@ -180,7 +180,7 @@ nsCertOutliner::CountOrganizations()
     isupport = dont_AddRef(mCertArray->ElementAt(i));
     nextCert = do_QueryInterface(isupport);
     if (!(CmpByToken(orgCert, nextCert) == 0 &&
-          CmpByOrg(orgCert, nextCert) == 0)) {
+          CmpByIssuerOrg(orgCert, nextCert) == 0)) {
       orgCert = nextCert;
       orgCount++;
     }
@@ -263,7 +263,7 @@ nsCertOutliner::LoadCerts(const PRUint32 aType)
   nsCOMPtr<nsIX509CertDB> certdb = do_GetService(NS_X509CERTDB_CONTRACTID);
   if (certdb == nsnull) return NS_ERROR_FAILURE;
   rv = certdb->GetCertsByType(aType, 
-                              CmpByTok_Org_Name,
+                              CmpByTok_IssuerOrg_Name,
                               getter_AddRefs(mCertArray));
   if (NS_FAILED(rv)) return rv;
   PRUint32 count;
@@ -276,14 +276,14 @@ nsCertOutliner::LoadCerts(const PRUint32 aType)
   nsCOMPtr<nsISupports> isupport = dont_AddRef(mCertArray->ElementAt(j));
   nsCOMPtr<nsIX509Cert> orgCert = do_QueryInterface(isupport);
   for (PRInt32 i=0; i<mNumOrgs; i++) {
-    orgCert->GetOrganization(&mOutlinerArray[i].orgName);
+    orgCert->GetIssuerOrganization(&mOutlinerArray[i].orgName);
     mOutlinerArray[i].open = PR_TRUE;
     mOutlinerArray[i].certIndex = j;
     mOutlinerArray[i].numChildren = 1;
     if (++j >= count) break;
     isupport = dont_AddRef(mCertArray->ElementAt(j));
     nsCOMPtr<nsIX509Cert> nextCert = do_QueryInterface(isupport);
-    while (CmpByOrg(orgCert, nextCert) == 0) {
+    while (CmpByIssuerOrg(orgCert, nextCert) == 0) {
       mOutlinerArray[i].numChildren++;
       if (++j >= count) break;
       isupport = dont_AddRef(mCertArray->ElementAt(j));
diff --git a/security/manager/ssl/src/nsCertTree.h b/security/manager/ssl/src/nsCertTree.h
index 040c1c8e1409..c9d29caa81a6 100644
--- a/security/manager/ssl/src/nsCertTree.h
+++ b/security/manager/ssl/src/nsCertTree.h
@@ -58,9 +58,9 @@ public:
 
 protected:
   static PRInt32 CmpByToken(nsIX509Cert *a, nsIX509Cert *b);
-  static PRInt32 CmpByOrg(nsIX509Cert *a, nsIX509Cert *b);
+  static PRInt32 CmpByIssuerOrg(nsIX509Cert *a, nsIX509Cert *b);
   static PRInt32 CmpByName(nsIX509Cert *a, nsIX509Cert *b);
-  static PRInt32 CmpByTok_Org_Name(nsIX509Cert *a, nsIX509Cert *b);
+  static PRInt32 CmpByTok_IssuerOrg_Name(nsIX509Cert *a, nsIX509Cert *b);
   PRInt32 CountOrganizations();
 
 private:
diff --git a/security/manager/ssl/src/nsNSSCertificate.cpp b/security/manager/ssl/src/nsNSSCertificate.cpp
index 592af650c74e..ec164f3be22e 100644
--- a/security/manager/ssl/src/nsNSSCertificate.cpp
+++ b/security/manager/ssl/src/nsNSSCertificate.cpp
@@ -32,7 +32,7 @@
  * may use your version of this file under either the MPL or the
  * GPL.
  *
- * $Id: nsNSSCertificate.cpp,v 1.23 2001/05/15 17:35:33 ddrinan%netscape.com Exp $
+ * $Id: nsNSSCertificate.cpp,v 1.24 2001/05/15 19:12:44 mcgreer%netscape.com Exp $
  */
 
 #include "prmem.h"
@@ -597,6 +597,40 @@ nsNSSCertificate::GetOrganization(PRUnichar **aOrganization)
   return NS_OK;
 }
 
+NS_IMETHODIMP
+nsNSSCertificate::GetIssuerOrganization(PRUnichar **aOrganization)
+{
+  NS_ENSURE_ARG(aOrganization);
+  if (mIssuerOrg.Length() == 0) {
+    PRBool failed = PR_TRUE;
+    CERTCertificate *issuer;
+    issuer = CERT_FindCertIssuer(mCert, PR_Now(), certUsageSSLClient);
+    if (issuer) {
+      char *org = CERT_GetOrgName(&issuer->subject);
+      if (org) {
+        mIssuerOrg = NS_ConvertASCIItoUCS2(org);
+        failed = PR_FALSE;
+      }
+    }
+    if (failed) {
+      nsresult rv;
+      nsCOMPtr<nsINSSComponent> nssComponent(
+                     do_GetService(kNSSComponentCID, &rv));
+      if (NS_FAILED(rv)) return rv;
+      if (!issuer) {
+        rv = nssComponent->GetPIPNSSBundleString(
+                     NS_LITERAL_STRING("UnknownCertIssuer").get(), mIssuerOrg);
+      } else { /* !org */
+        rv = nssComponent->GetPIPNSSBundleString(
+                     NS_LITERAL_STRING("UnknownCertOrg").get(), mIssuerOrg);
+      }
+      if (NS_FAILED(rv)) return rv;
+    }
+  }
+  *aOrganization = mIssuerOrg.ToNewUnicode();
+  return NS_OK;
+}
+
 NS_IMETHODIMP
 nsNSSCertificate::GetOrganizationalUnit(PRUnichar **aOrganizationalUnit)
 {
diff --git a/security/manager/ssl/src/nsNSSCertificate.h b/security/manager/ssl/src/nsNSSCertificate.h
index 8de4d44e55cc..b1596bde7c69 100644
--- a/security/manager/ssl/src/nsNSSCertificate.h
+++ b/security/manager/ssl/src/nsNSSCertificate.h
@@ -61,6 +61,7 @@ public:
 
 private:
   CERTCertificate *mCert;
+  nsString         mIssuerOrg;
   nsCOMPtr<nsIASN1Object> mASN1Structure;
   nsresult CreateASN1Struct();
   nsresult CreateTBSCertificateASN1Struct(nsIASN1Sequence **retSequence,