Index: usr.sbin/etcupdate/etcupdate.sh
===================================================================
--- usr.sbin/etcupdate/etcupdate.sh
+++ usr.sbin/etcupdate/etcupdate.sh
@@ -595,6 +595,18 @@
 				NEWALIAS_WARN=yes
 			fi
 			;;
+		/usr/share/certs/trusted/*)
+		/usr/share/certs/blacklisted/*)
+			# only works for an empty DESTDIR.
+			if [ -z "$DESTDIR" ]; then
+				log "certctl rehash"
+				if [ -z "$dryrun" ]; then
+					certctl rehash >&3 2>&1
+				fi
+			else
+				CERTCTL_WARN=yes
+			fi
+			;;
 		/etc/login.conf)
 			log "cap_mkdb ${DESTDIR}$1"
 			if [ -z "$dryrun" ]; then
@@ -1388,6 +1400,14 @@
 		echo "  Needs update: /etc/mail/aliases.db" \
 		    "(requires manual update via newaliases(1))"
 	fi
+	if [ -n "$CERTCTL_WARN" ]; then
+		warn "Needs update: /etc/ssl/certs" \
+		    "(requires manual update via certctl(8))"
+		echo
+		echo "Warnings:"
+		echo "  Needs update: /etc/ssl/certs" \
+		    "(requires manual update via certctl(8))"
+	fi
 }
 
 # Report a summary of the previous merge.  Specifically, list any
@@ -1552,6 +1572,10 @@
 	if [ -n "$NEWALIAS_WARN" ]; then
 		warn "Needs update: /etc/mail/aliases.db" \
 		    "(requires manual update via newaliases(1))"
+	fi
+	if [ -n "$CERTCTL_WARN" ]; then
+		warn "Needs update: /etc/ssl/certs" \
+		    "(requires manual update via certctl(8))"
 	fi
 
 	# Run any special one-off commands after an update has completed.
Index: usr.sbin/mergemaster/mergemaster.sh
===================================================================
--- usr.sbin/mergemaster/mergemaster.sh
+++ usr.sbin/mergemaster/mergemaster.sh
@@ -883,6 +883,10 @@
     /etc/mail/aliases)
       NEED_NEWALIASES=yes
       ;;
+    /usr/share/certs/trusted/*)
+    /usr/share/certs/blacklisted/*)
+      NEED_CERTCTL=yes
+      ;;
     /etc/login.conf)
       NEED_CAP_MKDB=yes
       ;;
@@ -1351,6 +1355,23 @@
     echo "    '/usr/sbin/pwd_mkdb -p /etc/master.passwd'"
     echo "     to rebuild your password files"
     run_it_now '/usr/sbin/pwd_mkdb -p /etc/master.passwd'
+  fi
+  ;;
+esac
+
+case "${NEED_CERTCTL}" in
+'') ;;
+*)
+  echo ''
+  echo "*** You installed files in /etc/ssl/certs, so make sure that you run"
+  if [ -n "${DESTDIR}" ]; then
+    echo "*** You installed new certiticates into ${DESTDIR}/etc/ssl/certs, but"
+    echo "    the certctl(8) command does not support DESTDIR."
+    echo "    run 'certctl rehash' by hand."
+  else
+    echo "    '/usr/sbin/certctl rehash'"
+    echo "     to rebuild your certificate authority database"
+    run_it_now "/usr/sbin/certctl rehash"
   fi
   ;;
 esac