diff --git a/CHANGELOG b/CHANGELOG
index 2ce8727..dadf4e8 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -6,6 +6,7 @@ copy-local-modifications
 - Assume serverAuth for certificates added by 'trust anchors --store' and generate a trusted certificate for use in LOCALDIR
+ - Add nss-{server,email}-distrust-after values in anchors
 1.7 - Revert help2man update (requires complete perl environment)
 1.6 - Fix install target for make -j#
 - Add detailed dependency info and add note about configuration file
diff --git a/make-ca b/make-ca
index a76c312..04630d1 100644
--- a/make-ca
+++ b/make-ca
@@ -332,6 +332,39 @@ function convert_trust(){
 esac
 }
 
+function convert_moz_distrust(){
+ # SERVER
+ val=$(grep "CKA_NSS_SERVER_DISTRUST_AFTER" "${1}" | cut -d " " -f 2)
+ if test "${val}" == "CK_BBOOL"; then
+ val=$(grep "CKA_NSS_SERVER_DISTRUST_AFTER" "${1}" | cut -d " " -f 3)
+ if test "${val}" == "CK_FALSE"; then
+ mozsadistrust="%00"
+ else
+ mozsadistrust="UNKNOWN"
+ fi
+ elif test "${val}" == "MULTILINE_OCTAL"; then
+ mozsadistrust=`printf $(grep -A1 "CKA_NSS_SERVER_DISTRUST_AFTER" "${1}" | tail -n1)`
+ else
+ mozsadistrust="UNKNOWN"
+ fi
+
+ # EMAIL
+ val=$(grep "CKA_NSS_EMAIL_DISTRUST_AFTER" "${1}" | cut -d " " -f 2)
+ if test "${val}" == "CK_BBOOL"; then
+ val=$(grep "CKA_NSS_EMAIL_DISTRUST_AFTER" "${1}" | cut -d " " -f 3)
+ if test "${val}" == "CK_FALSE"; then
+ mozsmdistrust="%00"
+ else
+ mozsmdistrust="UNKNOWN"
+ fi
+ elif test "${val}" == "MULTILINE_OCTAL"; then
+ mozsmdistrust=`printf $(grep -A1 "CKA_NSS_EMAIL_DISTRUST_AFTER" "${1}" | tail -n1)`
+ else
+ mozsmdistrust="UNKNOWN"
+ fi
+ unset val
+}
+
 function convert_trust_arg(){
 case $1 in
 C)
@@ -441,6 +474,9 @@ function get_trust_values() {
 # Not currently included in NSS certdata.txt
 #catrust="$(convert_trust `grep '^CKA_TRUST_CLIENT_AUTH' ${1} | \
 # cut -d " " -f 3`)"
+
+ # Determine distrust values
+ convert_moz_distrust ${1}
 }
 
 function get_p11_trust() {
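Review bot: In convert_moz_distrust the MULTILINE_OCTAL branches run `printf $(grep -A1 ... | tail -n1)`, so the certdata line is unquoted (word-split and glob-expanded) and is then used as printf's format string instead of as data; decoding it with `printf '%b' "${line}"` keeps it an argument, and bash's %b understands the `\nnn` octal escapes that certdata uses. The server and email halves are otherwise identical apart from the attribute name and the target variable, and `val` is a global that has to be unset at the end, so a single helper that keeps its locals and returns the decoded value on stdout removes the duplication and the global; a sketch follows. The `%00` and "UNKNOWN" sentinels are kept unchanged because write_anchor keys on "UNKNOWN".
```shell
# Decode one CKA_NSS_*_DISTRUST_AFTER attribute ($1) of certdata file $2 to stdout:
# "%00" for CK_FALSE, the decoded octal string for MULTILINE_OCTAL, "UNKNOWN" otherwise.
function convert_moz_distrust_attr(){
  local attr="${1}" file="${2}" kind line
  kind=$(grep "${attr}" "${file}" | cut -d " " -f 2)
  case "${kind}" in
    CK_BBOOL)
      if test "$(grep "${attr}" "${file}" | cut -d " " -f 3)" == "CK_FALSE"; then
        echo "%00"
      else
        echo "UNKNOWN"
      fi
      ;;
    MULTILINE_OCTAL)
      line=$(grep -A1 "${attr}" "${file}" | tail -n1)
      # the value is data, not a format string: %b decodes its \nnn escapes
      printf '%b' "${line}"
      ;;
    *)
      echo "UNKNOWN"
      ;;
  esac
}

function convert_moz_distrust(){
  mozsadistrust=$(convert_moz_distrust_attr "CKA_NSS_SERVER_DISTRUST_AFTER" "${1}")
  mozsmdistrust=$(convert_moz_distrust_attr "CKA_NSS_EMAIL_DISTRUST_AFTER" "${1}")
}
```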
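Review bot: The new call `convert_moz_distrust ${1}` passes the certdata path unquoted, while the function it calls quotes `"${1}"` on every use; a path containing whitespace would be split here before it ever reaches those quotes, so write `convert_moz_distrust "${1}"`. get_trust_values begins before this hunk.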
@@ -483,6 +519,12 @@ function write_anchor() {
 echo "${p11trust}" >> "${anchorfile}"
 echo "nss-mozilla-ca-policy: ${moz_trust}" >> "${anchorfile}"
 echo "modifiable: false" >> "${anchorfile}"
+ if test "${mozsadistrust}" != "UNKNOWN"; then
+ echo "nss-server-distrust-after: \"${mozsadistrust}\"" >> "${anchorfile}"
+ fi
+ if test "${mozsmdistrust}" != "UNKNOWN"; then
+ echo "nss-email-distrust-after: \"${mozsmdistrust}\"" >> "${anchorfile}"
+ fi
 echo "${certcer}" >> "${anchorfile}"
 echo "${certtxt}" | sed 's@^@#@' >> "${anchorfile}"
 echo "Added to p11-kit anchor directory with trust '${satrust},${smtrust},${cstrust}'."
@@ -695,6 +737,7 @@ for tempfile in ${TEMPDIR}/certs/*.tmp; do
 # Clean up the directory and environment as we go
 rm -f tempfile.crt
 unset keyhash subject count
+ unset mozsadistrust mozsmdistrust
 unset trustlist rejectlist satrust smtrust cstrust catrust
 unset p11trust p11oid p11value trustp11 p11label anchrorfile moz_trust
 
@@ -783,6 +826,8 @@ if test -d "${LOCALDIR}"; then
 # Place certificate into trust anchors dir
 anchorfile="${DESTDIR}${ANCHORDIR}/${keyhash}.pem"
 moz_trust="false"
+ mozsadistrust="UNKNOWN"
+ mozsmdistrust="UNKNOWN"
 write_anchor
 
 # Generate working copy
@@ -799,6 +844,7 @@ if test -d "${LOCALDIR}"; then
 fi
 unset keyhash subject count
+ unset mozsadistrust mozsmdistrust
 unset trustlist rejectlist satrust smtrust cstrust catrust
 unset p11trust p11oid p11value trustp11 p11label anchorfile moz_trust
 echo -e "\n"
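Review bot: The guards `test "${mozsadistrust}" != "UNKNOWN"` treat an unset or empty variable as a value to emit, so any caller of write_anchor that has not set both variables beforehand (the hunk at 783 sets them only in the LOCALDIR branch; the certdata path relies on get_trust_values having run) would write `nss-server-distrust-after: ""` into the anchor; changing each check to `if test -n "${mozsadistrust}" && test "${mozsadistrust}" != "UNKNOWN"; then` (and likewise for mozsmdistrust) keeps the attribute out unless a value was actually decoded. The decoded MULTILINE_OCTAL string is also interpolated unescaped inside the double quotes; the `%00` used for CK_FALSE suggests the anchor format percent-encodes special bytes, so if the decoded value could ever contain `"`, `%` or a newline it should be encoded the same way before being written — worth confirming against the p11-kit persistence format. write_anchor starts and ends outside this hunk.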