diff --git a/debian/changelog b/debian/changelog
index 7732610..b6b7073 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+ca-certificates (20160104) unstable; urgency=medium
+
+ * debian/rules:
+ Sort certificate list for reproducible builds. Closes: #808711
+ * mozilla/certdata2pem.py:
+ Drop old CK*_NETSCAPE trust flag checks
+
+ -- Michael Shuler Mon, 04 Jan 2016 11:08:26 -0600
+
 ca-certificates (20151214) unstable; urgency=medium

 * Removed SPI CA. Closes: #796208
diff --git a/debian/rules b/debian/rules
index ddd7cee..fd4632b 100755
--- a/debian/rules
+++ b/debian/rules
@@ -44,7 +44,7 @@ install: build
 $(MAKE) install DESTDIR=$(CURDIR)/debian/ca-certificates
 (cd $(CURDIR)/debian/ca-certificates/usr/share/ca-certificates; \
 crts=""; \
- for crt in $$(find . -type f -name '*.crt' -print); \
+ for crt in $$(find . -type f -name '*.crt' -print | LC_ALL=C sort); \
 do \
 crt=$$(echo $$crt | sed -e 's/\.\///'); \
 if test "$$crts" = ""; then \
diff --git a/mozilla/certdata2pem.py b/mozilla/certdata2pem.py
index 7bd4d2d..f91422b 100644
--- a/mozilla/certdata2pem.py
+++ b/mozilla/certdata2pem.py
@@ -98,18 +98,15 @@ if os.path.exists('blacklist.txt'):
 # Build up trust database.
 trust = dict()
 for obj in objects:
- if obj['CKA_CLASS'] not in ('CKO_NETSCAPE_TRUST', 'CKO_NSS_TRUST'):
+ if obj['CKA_CLASS'] != 'CKO_NSS_TRUST':
 continue
 if obj['CKA_LABEL'] in blacklist:
 print("Certificate %s blacklisted, ignoring." % obj['CKA_LABEL'])
- elif obj['CKA_TRUST_SERVER_AUTH'] in ('CKT_NETSCAPE_TRUSTED_DELEGATOR',
- 'CKT_NSS_TRUSTED_DELEGATOR'):
+ elif obj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_TRUSTED_DELEGATOR':
 trust[obj['CKA_LABEL']] = True
- elif obj['CKA_TRUST_EMAIL_PROTECTION'] in ('CKT_NETSCAPE_TRUSTED_DELEGATOR',
- 'CKT_NSS_TRUSTED_DELEGATOR'):
+ elif obj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_TRUSTED_DELEGATOR':
 trust[obj['CKA_LABEL']] = True
- elif obj['CKA_TRUST_SERVER_AUTH'] in ('CKT_NETSCAPE_UNTRUSTED',
- 'CKT_NSS_NOT_TRUSTED'):
+ elif obj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED':
 print('!'*74)
 print("UNTRUSTED BUT NOT BLACKLISTED CERTIFICATE FOUND: %s" % obj['CKA_LABEL'])
 print('!'*74)
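Review bot: The `CKA_TRUST_EMAIL_PROTECTION` branch is tested before the `CKT_NSS_NOT_TRUSTED` branch, so an object that is explicitly not trusted for server authentication but is a trusted delegator for e-mail gets `trust[obj['CKA_LABEL']] = True` and never reaches the warning. Since the dict records one boolean per label and not a per-purpose flag, anything that later treats it as server-auth trust would accept such a root; testing the distrust value first, by moving `elif obj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED':` directly after the blacklist check, avoids that. With the `CKO_NETSCAPE_TRUST` alias removed, an input that still uses the old class name now leaves `trust` empty without any message, so a check after the loop such as `if not trust: raise SystemExit("no CKO_NSS_TRUST objects found")` would make that failure visible. The if/elif chain and the loop body continue past the end of this hunk, so how `trust` is consumed is not visible here.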