diff --git a/NameConstraints.ipaca.cert b/NameConstraints.ipaca.cert
new file mode 100644
index 0000000000000000000000000000000000000000..4a451f3429d25ab6d3a9cb00b2f005118f7cac08
Binary files /dev/null and b/NameConstraints.ipaca.cert differ
diff --git a/NameConstraints.ocsp1.cert b/NameConstraints.ocsp1.cert
new file mode 100644
index 0000000000000000000000000000000000000000..817faafe3d2b5cd197a5c1dbeaf1db48ff37e689
Binary files /dev/null and b/NameConstraints.ocsp1.cert differ
diff --git a/nss.spec b/nss.spec
index 3f000bc8a56d770f0485652f10d0153b47a9ddce..f47c185b9571f29f38ab659781b734d63b090285 100644
--- a/nss.spec
+++ b/nss.spec
@@ -1,3 +1,4 @@
+%define anolis_release .0.1
 %global nspr_build_version 4.25.0
 %global nspr_version 4.25.0
 %global nss_version 3.67.0
@@ -47,7 +48,7 @@ rpm.define(string.format("nss_release_tag NSS_%s_RTM",
 Summary:          Network Security Services
 Name:             nss
 Version:          %{nss_version}
-Release:          7%{?dist}
+Release:          7%{anolis_release}%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Requires:         nspr >= %{nspr_version}
@@ -94,6 +95,8 @@ Source26:         key4.db.xml
 Source27:         secmod.db.xml
 Source28:         nss-p11-kit.config
 Source30:         PayPalEE.cert
+Source31:         NameConstraints.ipaca.cert
+Source32:         NameConstraints.ocsp1.cert
 
 # To inject hardening flags for DSO
 Patch1:           nss-dso-ldflags.patch
@@ -161,7 +164,6 @@ Patch300:         nss-3.67-cve-2021-43527.patch
 Patch301:         nss-3.67-cve-2021-43527-test.patch
 
 
-
 %description
 Network Security Services (NSS) is a set of libraries designed to
 support cross-platform development of security-enabled client and
@@ -290,6 +292,8 @@ Header and library files for doing development with Network Security Services.
 %prep
 %autosetup -N -n %{name}-%{nss_archive_version}
 pushd nss
+cp -a %{SOURCE31} tests/libpkix/certs/
+cp -a %{SOURCE32} tests/libpkix/certs/
 %autopatch -p1
 popd
 
@@ -932,6 +936,9 @@ update-crypto-policies --no-reload &> /dev/null || :
 
 
 %changelog
+* Mon Dec 6 2021 Liwei Ge <geliwei@openanolis.org> - 3.67.0-7.0.1
+- Renew two chains libpkix test certificates
+
 * Thu Nov 18 2021 Bob Relyea <rrelyea@redhat.com> - 3.67.0-7
 - Fix CVE 2021 43527