diff --git a/base/src/main/java/org/mozilla/jss/provider/javax/crypto/JSSTrustManager.java b/base/src/main/java/org/mozilla/jss/provider/javax/crypto/JSSTrustManager.java
index de188614a..dd4626284 100644
--- a/base/src/main/java/org/mozilla/jss/provider/javax/crypto/JSSTrustManager.java
+++ b/base/src/main/java/org/mozilla/jss/provider/javax/crypto/JSSTrustManager.java
@@ -59,13 +59,36 @@ public void checkCertChain(X509Certificate[] certChain, String keyUsage) throws
logger.debug("JSSTrustManager: - " + cert.getSubjectX500Principal());
}
- checkIssuerTrusted(certChain);
+ if (!isTrustedPeer(certChain)) {
+ checkIssuerTrusted(certChain);
+ }
checkValidityDates(certChain);
checkKeyUsage(certChain, keyUsage);
}
+ public boolean isTrustedPeer(X509Certificate[] certChain) throws Exception {
+
+ // checking trust flags on leaf cert only
+ X509Certificate leafCert = certChain[certChain.length - 1];
+ logger.debug("JSSTrustManager: Checking trust flags of cert 0x" + leafCert.getSerialNumber().toString(16));
+
+ if (! (leafCert instanceof org.mozilla.jss.crypto.X509Certificate)) {
+ return false;
+ }
+
+ org.mozilla.jss.crypto.X509Certificate jssCert = (org.mozilla.jss.crypto.X509Certificate) leafCert;
+
+ String trustFlags = jssCert.getTrustFlags();
+ logger.debug("JSSTrustManager: - trust flags: " + trustFlags);
+
+ int sslTrust = jssCert.getSSLTrust();
+ return org.mozilla.jss.crypto.X509Certificate.isTrustFlagEnabled(
+ org.mozilla.jss.crypto.X509Certificate.TRUSTED_PEER,
+ sslTrust);
+ }
+
public void checkIssuerTrusted(X509Certificate[] certChain) throws Exception {
// get CA certs
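Review bot: `certChain[certChain.length - 1]` is commented as the leaf cert, but under the `X509TrustManager` contract the peer's own certificate is element 0 and the last element is the top of the chain, so for any chain longer than one certificate the trust flags read in `isTrustedPeer` belong to an issuer rather than to the peer; if `checkCertChain` receives chains in that order (`checkIssuerTrusted`'s body continues outside the hunk, so I cannot confirm which end it validates), a chain whose last certificate carries the trusted-peer flag would skip `checkIssuerTrusted` for every certificate beneath it. If leaf-first is the intended order, `X509Certificate leafCert = certChain[0];` plus a comment stating the expected chain ordering would fix both the check and the misleading comment. The method also indexes without a length check, so an empty chain throws `ArrayIndexOutOfBoundsException` instead of returning false, unless `checkCertChain` already rejects it before the part of its body shown here. Since this public method lets a local trust flag bypass issuer validation, a Javadoc line such as `/** Returns true when the leaf certificate carries the TRUSTED_PEER SSL trust flag in the local database; callers skip issuer validation for such chains. */` would make that contract explicit to other callers.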