Index: usr.sbin/etcupdate/etcupdate.sh
===================================================================
--- usr.sbin/etcupdate/etcupdate.sh
+++ usr.sbin/etcupdate/etcupdate.sh
@@ -595,6 +595,13 @@
 				NEWALIAS_WARN=yes
 			fi
 			;;
+		/usr/share/certs/trusted/*)
+		/usr/share/certs/blacklisted/*)
+			log "certctl rehash"
+			if [ -z "$dryrun" ]; then
+				env DESTDIR=${DESTDIR} certctl rehash >&3 2>&1
+			fi
+			;;
 		/etc/login.conf)
 			log "cap_mkdb ${DESTDIR}$1"
 			if [ -z "$dryrun" ]; then
Index: usr.sbin/mergemaster/mergemaster.sh
===================================================================
--- usr.sbin/mergemaster/mergemaster.sh
+++ usr.sbin/mergemaster/mergemaster.sh
@@ -883,6 +883,10 @@
     /etc/mail/aliases)
       NEED_NEWALIASES=yes
       ;;
+    /usr/share/certs/trusted/*)
+    /usr/share/certs/blacklisted/*)
+      NEED_CERTCTL=yes
+      ;;
     /etc/login.conf)
       NEED_CAP_MKDB=yes
       ;;
@@ -1355,6 +1359,23 @@
   ;;
 esac
 
+case "${NEED_CERTCTL}" in
+'') ;;
+*)
+  echo ''
+  echo "*** You installed files in /etc/ssl/certs, so make sure that you run"
+  if [ -n "${DESTDIR}" ]; then
+    echo "    'env DESTDIR=${DESTDIR} /usr/sbin/certctl rehash'"
+    echo "     to rebuild your certificate authority database"
+    run_it_now "env DESTDIR=${DESTDIR} /usr/sbin/certctl rehash"
+  else
+    echo "    '/usr/sbin/certctl rehash'"
+    echo "     to rebuild your certificate authority database"
+    run_it_now "/usr/sbin/certctl rehash"
+  fi
+  ;;
+esac
+
 if [ -e "${DESTDIR}/etc/localtime" -a ! -L "${DESTDIR}/etc/localtime" -a -z "${PRE_WORLD}" ]; then	# Ignore if TZ == UTC
   echo ''
   [ -n "${DESTDIR}" ] && tzs_args="-C ${DESTDIR}"