I want to be able to load trusted root CA certs and valid (but not trusted) intermediate CA certs. NSS requires an unbroken CA chain up to a root in order to validate a cert, and some SSL apps don't always send a CA chain along with their end user cert. I therefore pre-load some of the known intermediate CAs I know will be issuing certs to such apps.
-- POC
