diff --git a/nss-moz1458518.patch b/nss-moz1458518.patch
new file mode 100644
index 0000000..516d756
--- /dev/null
+++ b/nss-moz1458518.patch
@@ -0,0 +1,33 @@
+
+# HG changeset patch
+# User Robert Relyea <rrelyea@redhat.com>
+# Date 1525268789 -7200
+# Node ID 2f1ee2b8f7a65ecae1a84c02dcf0167ce3b57ab4
+# Parent  5a210945d2486d6443556ec578b22c05949e1049
+Bug 1458518, Nicknames of existing certificates in NSS SQL DB should remain unchanged on repeated import attempts, r=kaie
+
+diff --git a/lib/dev/devtoken.c b/lib/dev/devtoken.c
+--- a/lib/dev/devtoken.c
++++ b/lib/dev/devtoken.c
+@@ -523,17 +523,19 @@ nssToken_ImportCertificate(
+         }
+         /* according to PKCS#11, label, ID, issuer, and serial number
+          * may change after the object has been created.  For PKIX, the
+          * last two attributes can't change, so for now we'll only worry
+          * about the first two.
+          */
+         NSS_CK_TEMPLATE_START(cert_tmpl, attr, ctsize);
+         NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_ID, id);
+-        NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_LABEL, nickname);
++        if (!rvObject->label && nickname) {
++            NSS_CK_SET_ATTRIBUTE_UTF8(attr, CKA_LABEL, nickname);
++        }
+         NSS_CK_TEMPLATE_FINISH(cert_tmpl, attr, ctsize);
+         /* reset the mutable attributes on the token */
+         nssCKObject_SetAttributes(rvObject->handle,
+                                   cert_tmpl, ctsize,
+                                   session, slot);
+         if (!rvObject->label && nickname) {
+             rvObject->label = nssUTF8_Duplicate(nickname, NULL);
+         }
+
diff --git a/nss.spec b/nss.spec
index fe9c64b..8604242 100644
--- a/nss.spec
+++ b/nss.spec
@@ -9,7 +9,7 @@ Name:             nss
 Version:          3.36.1
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
-Release:          1.0%{?dist}
+Release:          1.1%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@@ -89,6 +89,8 @@ Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
 Patch59: nss-check-policy-file.patch
 Patch62: nss-skip-util-gtest.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1458518
+Patch63: nss-moz1458518.patch
 
 %description
 Network Security Services (NSS) is a set of libraries designed to
@@ -171,6 +173,7 @@ low level services.
 pushd nss
 %patch59 -p1 -b .check_policy_file
 %patch62 -p1 -b .skip_util_gtest
+%patch63 -p1 -b .moz1458518
 popd
 
 #########################################################
@@ -744,7 +747,11 @@ done
 
 
 %changelog
-* Wed Apr 11 2018 Daiki Ueno <dueno@redhat.com> - 3.36.1-2
+* Wed May 02 2018 Kai Engert <kaie@redhat.com> - 3.36.1-1.1
+- Upstream patch to keep nicknames stable on repeated certificate
+  import into SQL DB, mozbz#1458518
+
+* Wed Apr 11 2018 Daiki Ueno <dueno@redhat.com> - 3.36.1-1.0
 - Update to NSS 3.36.1
 - Remove nss-3.14.0.0-disble-ocsp-test.patch
 - Fix partial injection of LDFLAGS