diff --git a/ca-certificates-mozilla.changes b/ca-certificates-mozilla.changes
index d77c1be..c79e29a 100644
--- a/ca-certificates-mozilla.changes
+++ b/ca-certificates-mozilla.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Oct 25 12:40:36 UTC 2017 - jmatejek@suse.com
+
+- convert processing script to Python 3
+- ensure a stable conversion of UTF8 hex-encoded certificate names
+- ensure a stable ordering of trust/distrust bits in headers
+
 -------------------------------------------------------------------
 Tue Jan 24 12:46:29 UTC 2017 - meissner@suse.com
 
diff --git a/ca-certificates-mozilla.spec b/ca-certificates-mozilla.spec
index 3d91aec..6d2c7a4 100644
--- a/ca-certificates-mozilla.spec
+++ b/ca-certificates-mozilla.spec
@@ -21,7 +21,7 @@ BuildRequires: p11-kit-devel
 BuildRequires: ca-certificates
 BuildRequires: openssl
-BuildRequires: python
+BuildRequires: python3-base
 Name: ca-certificates-mozilla
 # Version number is NSS_BUILTINS_LIBRARY_VERSION in this file:
@@ -77,7 +77,8 @@ if [ "%{version}" != "$ver" ]; then
 fi
 
 %build
-python %{SOURCE10}
+export LANG=en_US.UTF-8
+python3 %{SOURCE10}
 
 %install
 mkdir -p %{buildroot}/%{trustdir_static}/anchors
diff --git a/certdata2pem.py b/certdata2pem.py
index 04cdfcc..baad801 100644
--- a/certdata2pem.py
+++ b/certdata2pem.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python
+#!/usr/bin/python3
 # vim:set et sw=4:
 #
 # certdata2pem.py - splits certdata.txt into multiple files
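Review bot: `export LANG=en_US.UTF-8` before `python3 %{SOURCE10}` in the %build hunk is load-bearing but undocumented: the Python 3 script now decodes certificate labels from UTF-8 into the output filenames and reads certdata.txt without an explicit encoding, so under the C/POSIX locale of a build root Python 3 falls back to ASCII and the build fails on the first non-ASCII label. Add a comment stating that, e.g. `# certdata2pem.py turns UTF-8 certificate labels into filenames; it needs a UTF-8 locale`. If en_US.UTF-8 is not generated in the build root, setlocale() fails and the fallback is the same ASCII; `C.UTF-8` is the more portable choice where glibc provides it, and passing `encoding='utf-8'` to the script's open() calls would remove the dependency on the environment entirely.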
@@ -26,16 +26,16 @@ import os.path
 import re
 import sys
 import textwrap
-import urllib
+import urllib.parse
 
 objects = []
 
 def printable_serial(obj):
-    return ".".join(map(lambda x:str(ord(x)), obj['CKA_SERIAL_NUMBER']))
+    return ".".join([str(x) for x in obj['CKA_SERIAL_NUMBER']])
 
 # Dirty file parser.
 in_data, in_multiline, in_obj = False, False, False
-field, type, value, obj = None, None, None, dict()
+field, vtype, value, obj = None, None, None, dict()
 for line in open('certdata.txt', 'r'):
     # Ignore the file header.
     if not in_data:
@@ -55,10 +55,10 @@ for line in open('certdata.txt', 'r'):
         continue
     if in_multiline:
         if not line.startswith('END'):
-            if type == 'MULTILINE_OCTAL':
+            if vtype == 'MULTILINE_OCTAL':
                 line = line.strip()
-                for i in re.finditer(r'\\([0-3][0-7][0-7])', line):
-                    value += chr(int(i.group(1), 8))
+                numbers = [int(i.group(1), 8) for i in re.finditer(r'\\([0-3][0-7][0-7])', line)]
+                value += bytes(numbers)
             else:
                 value += line
             continue
@@ -69,19 +69,19 @@ for line in open('certdata.txt', 'r'):
         in_obj = True
     line_parts = line.strip().split(' ', 2)
     if len(line_parts) > 2:
-        field, type = line_parts[0:2]
+        field, vtype = line_parts[0:2]
         value = ' '.join(line_parts[2:])
     elif len(line_parts) == 2:
-        field, type = line_parts
+        field, vtype = line_parts
         value = None
     else:
-        raise NotImplementedError, 'line_parts < 2 not supported.\n' + line
-    if type == 'MULTILINE_OCTAL':
+        raise NotImplementedError('line_parts < 2 not supported.\n' + line)
+    if vtype == 'MULTILINE_OCTAL':
         in_multiline = True
-        value = ""
+        value = b""
         continue
     obj[field] = value
-if len(obj.items()) > 0:
+if obj:
     objects.append(obj)
 
 # Build up trust database.
@@ -91,7 +91,7 @@ for obj in objects:
         continue
     key = obj['CKA_LABEL'] + printable_serial(obj)
     trustmap[key] = obj
-    print " added trust", key
+    print(" added trust", key)
 
 # Build up cert database.
 certmap = dict()
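Review bot: `for line in open('certdata.txt', 'r'):` at the end of the first hunk now decodes the file with the locale's preferred encoding under Python 3, which is what forces the `export LANG=en_US.UTF-8` in the spec; make it explicit with `for line in open('certdata.txt', 'r', encoding='utf-8'):` so the parse does not depend on the build environment. The output files written later in the script, outside these hunks, are presumably opened the same way and deserve the same treatment. Separately, with `value = b""` in the third hunk the `else: value += line` branch in the second hunk would raise TypeError if it were ever reached; it appears unreachable because `in_multiline` is only set for `MULTILINE_OCTAL`, so a short comment or removal would avoid the trap. The parsing loop's body continues in the following hunks.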
@@ -100,7 +100,7 @@ for obj in objects:
         continue
     key = obj['CKA_LABEL'] + printable_serial(obj)
     certmap[key] = obj
-    print " added cert", key
+    print(" added cert", key)
 
 def obj_to_filename(obj):
     label = obj['CKA_LABEL'][1:-1]
@@ -109,7 +109,12 @@ def obj_to_filename(obj):
         .replace('(', '=')\
         .replace(')', '=')\
         .replace(',', '_')
-    label = re.sub(r'\\x[0-9a-fA-F]{2}', lambda m:chr(int(m.group(0)[2:], 16)), label)
+    # encode possible Unicode string to UTF8 bytes first
+    label = label.encode("utf8")
+    # decode hex escape sequences
+    label = re.sub(rb'\\x[0-9a-fA-F]{2}', lambda m:bytes([int(m.group(0)[2:], 16)]), label)
+    # read back UTF8 bytes
+    label = label.decode("utf8")
     serial = printable_serial(obj)
     return label + ":" + serial
 
@@ -142,17 +147,17 @@ openssl_trust = {
 for tobj in objects:
     if tobj['CKA_CLASS'] == 'CKO_NSS_TRUST':
         key = tobj['CKA_LABEL'] + printable_serial(tobj)
-        print "producing trust for " + key
+        print("producing trust for " + key)
         trustbits = []
         distrustbits = []
         openssl_trustflags = []
         openssl_distrustflags = []
-        for t in trust_types.keys():
-            if tobj.has_key(t) and tobj[t] == 'CKT_NSS_TRUSTED_DELEGATOR':
+        for t in sorted(trust_types.keys()):
+            if t in tobj and tobj[t] == 'CKT_NSS_TRUSTED_DELEGATOR':
                 trustbits.append(t)
                 if t in openssl_trust:
                     openssl_trustflags.append(openssl_trust[t])
-            if tobj.has_key(t) and tobj[t] == 'CKT_NSS_NOT_TRUSTED':
+            if t in tobj and tobj[t] == 'CKT_NSS_NOT_TRUSTED':
                 distrustbits.append(t)
                 if t in openssl_trust:
                     openssl_distrustflags.append(openssl_trust[t])
@@ -178,7 +183,7 @@ for tobj in objects:
             if openssl_distrustflags:
                 f.write("# openssl-distrust=" + " ".join(openssl_distrustflags) + "\n")
             f.write("-----BEGIN CERTIFICATE-----\n")
-            f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']), 64)))
+            f.write("\n".join(textwrap.wrap(base64.b64encode(obj['CKA_VALUE']).decode("ascii"), 64)))
             f.write("\n-----END CERTIFICATE-----\n")
         else:
             f.write("[p11-kit-object-v1]\n")
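Review bot: The new encode/`re.sub`/decode block in obj_to_filename (second hunk) runs after the `.replace()` chain that precedes it, so any character that chain maps away can be reintroduced through its `\xNN` escape: an escaped `,` or `(` survives into the filename, and so would the path separator if the earlier part of the chain, which starts outside the hunk, is what strips it. Move the three-step block up so it sits directly after `label = obj['CKA_LABEL'][1:-1]` and before the first `.replace(`, leaving the replacements as the last step; certdata.txt is vendor-supplied, so the exposure is limited, but decode-then-sanitize is the order the function's name promises. `label.decode("utf8")` also raises UnicodeDecodeError on an escape sequence that is not valid UTF-8; failing the build there is reasonable, but say so in the comment, e.g. `# read back UTF8 bytes (a non-UTF-8 escape sequence aborts the build)`.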
@@ -188,12 +193,12 @@ for tobj in objects:
             f.write("class: certificate\n")
             f.write("certificate-type: x-509\n")
             f.write("issuer: \"");
-            f.write(urllib.quote(tobj['CKA_ISSUER']));
+            f.write(urllib.parse.quote(tobj['CKA_ISSUER']));
             f.write("\"\n")
             f.write("serial-number: \"");
-            f.write(urllib.quote(tobj['CKA_SERIAL_NUMBER']));
+            f.write(urllib.parse.quote(tobj['CKA_SERIAL_NUMBER']));
             f.write("\"\n")
             if (tobj['CKA_TRUST_SERVER_AUTH'] == 'CKT_NSS_NOT_TRUSTED') or (tobj['CKA_TRUST_EMAIL_PROTECTION'] == 'CKT_NSS_NOT_TRUSTED') or (tobj['CKA_TRUST_CODE_SIGNING'] == 'CKT_NSS_NOT_TRUSTED'):
                 f.write("x-distrusted: true\n")
             f.write("\n\n")
-        print " -> written as '%s', trust = %s, openssl-trust = %s, distrust = %s, openssl-distrust = %s" % (fname, trustbits, openssl_trustflags, distrustbits, openssl_distrustflags)
+        print(" -> written as '%s', trust = %s, openssl-trust = %s, distrust = %s, openssl-distrust = %s" % (fname, trustbits, openssl_trustflags, distrustbits, openssl_distrustflags))
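Review bot: `urllib.parse.quote` on the bytes now held in `tobj['CKA_ISSUER']` and `tobj['CKA_SERIAL_NUMBER']` percent-encodes like the Python 2 version except for the unreserved set: from Python 3.7 on, `~` (0x7E) is left unescaped where `urllib.quote` wrote `%7E`, so the generated `issuer:` and `serial-number:` values can differ byte-for-byte from the previous output whenever a DER byte is 0x7E. p11-kit should accept either form, but a comment on these two lines saying the encoding is locale-independent and that `~` is the one known difference would save the next person a diff investigation. The rewritten lines also keep the trailing `;`, which does nothing in Python; `f.write(urllib.parse.quote(tobj['CKA_ISSUER']))` reads cleaner. The enclosing for loop starts outside the hunk.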