diff --git a/.github/workflows/kryoptic.yml b/.github/workflows/kryoptic.yml index 664047ac..02ad84f8 100644 --- a/.github/workflows/kryoptic.yml +++ b/.github/workflows/kryoptic.yml @@ -75,8 +75,8 @@ jobs: - name: Build Kryoptic run: | cd kryoptic - cargo build --features standard - cargo test --features standard | tee testout.log 2>&1 + cargo build --features standard,nssdb + cargo test --features standard,nssdb | tee testout.log 2>&1 grep -q "0 failed" testout.log - name: Setup diff --git a/tests/kryoptic-init.sh b/tests/kryoptic-init.sh index 346ecd0f..705ba8a7 100755 --- a/tests/kryoptic-init.sh +++ b/tests/kryoptic-init.sh @@ -27,10 +27,10 @@ find_kryoptic \ title LINE "Creating Kyroptic database" # Kryoptic configuration -export KRYOPTIC_CONF="$TOKDIR/kryoptic.sql" +export KRYOPTIC_CONF="${KRYOPTIC_CONF:-$TOKDIR/kryoptic.sql}" -export TOKENLABEL="Kryoptic Token" -export TOKENLABELURI="Kryoptic%20Token" +export TOKENLABEL="${TOKENLABEL:-Kryoptic Token}" +export TOKENLABELURI="${TOKENLABELURI:-Kryoptic%20Token}" # init token pkcs11-tool --module "${P11LIB}" --init-token \ diff --git a/tests/kryoptic.nss-init.sh b/tests/kryoptic.nss-init.sh new file mode 100644 index 00000000..14c00320 --- /dev/null +++ b/tests/kryoptic.nss-init.sh 
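Review bot: On the changed `cargo test` line the `2>&1` binds to `tee`, not to `cargo test`, so stderr never reaches `testout.log`. The step's verdict then rests on `grep -q "0 failed"`, which also matches a summary such as `10 failed` and is satisfied by a single passing test binary's summary line. Unless the step's shell runs with `pipefail` (not visible in this hunk), the exit status of a failing `cargo test` is masked by `tee` as well. Since the line is being edited anyway, `cargo test --features standard,nssdb 2>&1 | tee testout.log` after a `set -o pipefail` at the top of the `run:` block would let the exit status decide.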
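Review bot: With `${KRYOPTIC_CONF:-…}` a `KRYOPTIC_CONF` already exported in the caller's environment now takes precedence over the per-test path, so a developer who has that variable set for a real token would have the `pkcs11-tool --init-token` call just below run against that configuration. The same applies to `TOKENLABEL` and `TOKENLABELURI`, although there the effect is only a mismatched label. A test-only override name set by the wrapper script would avoid picking up ambient values, for example (name is a suggestion) `export KRYOPTIC_CONF="${KRYOPTIC_TEST_CONF:-$TOKDIR/kryoptic.sql}"`. Failing that, a comment should state that these three variables are meant to be preset only by `kryoptic.nss-init.sh`.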
@@ -0,0 +1,27 @@ +#!/bin/bash -ex +# Copyright (C) 2024 Jakub Jelen +# SPDX-License-Identifier: Apache-2.0 +# + +export KRYOPTIC_CONF="${TMPPDIR}/kryoptic.conf" +cat >"${KRYOPTIC_CONF}" <<_EOF +[[slots]] +slot = 42 +dbtype = "nssdb" +dbargs = "configDir='${TOKDIR}' flags='passwordRequired'" +description = "Kryoptic Soft Token" +_EOF +# flags='passwordRequired' is needed for p11tool to do login before the +# search for private objects, otherwise the set up fails. + +# this overrides what we define in the generic init +# the NSS DB can not store custom labels +export TOKENLABEL="Kryoptic Soft Token" +export TOKENLABELURI="Kryoptic%20Soft%20Token" + +# the rest is the same +source "${TESTSSRCDIR}/kryoptic-init.sh" + +export TOKENCONFIGVARS="export KRYOPTIC_CONF=${TMPPDIR}/kryoptic.conf" +export TOKENOPTIONS="pkcs11-module-quirks = no-allowed-mechanisms" +export TESTPORT="36000" diff --git a/tests/meson.build b/tests/meson.build index 3c640638..abbdaa62 100644 --- a/tests/meson.build +++ b/tests/meson.build @@ -31,7 +31,7 @@ if nss_softokn.found() endif setup_script=find_program('setup.sh') -foreach suite : ['softokn', 'softhsm', 'kryoptic'] +foreach suite : ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss'] test( 'setup', setup_script, 
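Review bot: `TMPPDIR` and `TOKDIR` are expanded without checking that they are set, and the `-ex` in the shebang has no effect because `setup.sh` sources this file rather than executing it. With `TMPPDIR` empty the config would be written to `/kryoptic.conf`, and with `TOKDIR` empty the slot would get `configDir=''`. A guard as the first statement, `: "${TMPPDIR:?}" "${TOKDIR:?}" "${TESTSSRCDIR:?}"`, fails early instead. `TOKENCONFIGVARS` also embeds the path unquoted inside a string that is presumably evaluated later as shell, so a build directory containing spaces would break it; `export TOKENCONFIGVARS="export KRYOPTIC_CONF='${KRYOPTIC_CONF}'"` reuses the variable already set above and quotes the value.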
@@ -118,29 +118,29 @@ foreach t, sources : test_programs endforeach tests = { - 'basic': {'suites': ['softokn', 'softhsm', 'kryoptic']}, - 'pubkey': {'suites': ['softokn', 'softhsm', 'kryoptic']}, - 'certs': {'suites': ['softokn', 'softhsm', 'kryoptic']}, - 'ecc': {'suites': ['softokn', 'softhsm', 'kryoptic']}, - 'edwards': {'suites': ['softhsm', 'kryoptic']}, - 'ecdh': {'suites': ['softokn', 'kryoptic']}, - 'democa': {'suites': ['softokn', 'softhsm', 'kryoptic'], 'is_parallel': false}, - 'digest': {'suites': ['softokn', 'softhsm', 'kryoptic']}, - 'fork': {'suites': ['softokn', 'softhsm', 'kryoptic']}, - 'oaepsha2': {'suites': ['softokn', 'kryoptic']}, - 'hkdf': {'suites': ['softokn', 'kryoptic']}, - 'imported' : {'suites': ['softokn', 'kryoptic']}, - 'rsapss': {'suites': ['softokn', 'softhsm', 'kryoptic']}, + 'basic': {'suites': ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss']}, + 'pubkey': {'suites': ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss']}, + 'certs': {'suites': ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss']}, + 'ecc': {'suites': ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss']}, + 'edwards': {'suites': ['softhsm', 'kryoptic', 'kryoptic.nss']}, + 'ecdh': {'suites': ['softokn', 'kryoptic', 'kryoptic.nss']}, + 'democa': {'suites': ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss'], 'is_parallel': false}, + 'digest': {'suites': ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss']}, + 'fork': {'suites': ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss']}, + 'oaepsha2': {'suites': ['softokn', 'kryoptic', 'kryoptic.nss']}, + 'hkdf': {'suites': ['softokn', 'kryoptic', 'kryoptic.nss']}, + 'imported' : {'suites': ['softokn', 'kryoptic', 'kryoptic.nss']}, + 'rsapss': {'suites': ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss']}, 'rsapssam': {'suites': ['softhsm']}, - 'genkey': {'suites': ['softokn', 'softhsm', 'kryoptic']}, - 'session': {'suites': ['softokn', 'softhsm', 'kryoptic']}, - 'rand': {'suites': ['softokn', 'softhsm', 'kryoptic']}, - 'readkeys': 
{'suites': ['softokn', 'softhsm', 'kryoptic']}, - 'tls': {'suites': ['softokn', 'softhsm', 'kryoptic'], 'is_parallel': false}, - 'tlsfuzzer': {'suites': ['softokn', 'softhsm', 'kryoptic']}, - 'uri': {'suites': ['softokn', 'softhsm', 'kryoptic']}, - 'ecxc': {'suites': ['softhsm', 'kryoptic']}, - 'cms': {'suites': ['softokn', 'kryoptic']}, + 'genkey': {'suites': ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss']}, + 'session': {'suites': ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss']}, + 'rand': {'suites': ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss']}, + 'readkeys': {'suites': ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss']}, + 'tls': {'suites': ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss'], 'is_parallel': false}, + 'tlsfuzzer': {'suites': ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss']}, + 'uri': {'suites': ['softokn', 'softhsm', 'kryoptic', 'kryoptic.nss']}, + 'ecxc': {'suites': ['softhsm', 'kryoptic', 'kryoptic.nss']}, + 'cms': {'suites': ['softokn', 'kryoptic', 'kryoptic.nss']}, 'pinlock': {'suites': ['kryoptic']}, } @@ -157,6 +157,7 @@ foreach t, extra_args : tests env: test_env, depends: test_executables, is_parallel: false, + timeout: 60, ) endforeach endforeach diff --git a/tests/setup.sh b/tests/setup.sh index 900cc202..9cbd9292 100755 --- a/tests/setup.sh +++ b/tests/setup.sh @@ -31,6 +31,8 @@ elif [ "${TOKENTYPE}" == "softokn" ]; then source "${TESTSSRCDIR}/softokn-init.sh" elif [ "${TOKENTYPE}" == "kryoptic" ]; then source "${TESTSSRCDIR}/kryoptic-init.sh" +elif [ "${TOKENTYPE}" == "kryoptic.nss" ]; then + source "${TESTSSRCDIR}/kryoptic.nss-init.sh" else echo "Unknown token type: $1" exit 1 diff --git a/tests/turi b/tests/turi index f9224e57..872dc412 100755 --- a/tests/turi +++ b/tests/turi @@ -14,7 +14,7 @@ if [ $FAIL -ne 0 ]; then exit 1 fi -URISonly=$(echo "$helper_output" | grep "^URI") +URISonly=$(echo "$helper_output" | grep "^URI pkcs11:") # poor mans mapfile for bash 3 on macos declare -a URIS while read -r var; do
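Review bot: `pinlock` stays limited to `['kryoptic']` while every other kryoptic test gains `kryoptic.nss`, so whatever that test covers (judging by its name, PIN lockout handling) is not exercised against the nssdb backend. If the exclusion is deliberate, a short comment on that entry should say why, for example `# nssdb backend: <reason pinlock is skipped>`. Otherwise the entry should read `'pinlock': {'suites': ['kryoptic', 'kryoptic.nss']},`.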
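Review bot: Narrowing the filter to `grep "^URI pkcs11:"` makes it more likely that `URISonly` ends up empty, for instance if the helper's output format changes. Whether the script stops in that case depends on `set -e` being active, which is not visible in this hunk. If the `while read` loop that follows runs over an empty list, the test could pass without checking any URI. An explicit guard after the assignment, `[ -n "$URISonly" ] || { echo "no pkcs11 URIs in helper output"; exit 1; }`, would keep the test from passing vacuously. The loop body continues outside the hunk.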