If you are using an enterprise domain, which is the principle way you'd end up using NSS, then the certutil equivalent of the keytool command would be:
certutil -D -d <path to DAS domain/config directory> -n verisignserverca
you should be prompted for the domain's master password.
You should, of course, shutdown the domain, and take a backup of the cert8.db/key3.db/secmod.db files prior to doing this.
Shutting down any node agents and restarting them with --syncinstances=true (for 9.1/2.x) should result in the changed files being sync'd to all the other instances in the domain.
The message is just a warning, and shouldn't impact the function of the domain - the domain's own certificate is self-signed and doesn't rely on the verisign certificate at all.
[Message sent by forum member 'tecknobabble' (steve.essery_at_sun.com)]
http://forums.java.net/jive/thread.jspa?messageID=380304