With the inclusion of caroot bits, we'll need to also rehash on update as we do in mergemaster/etcupdate. It's not clear to me if this is sufficient and it hasn't been tested, so may eat your grapes, etc. etc...
Sorry, this took a little longer to circle back to than I'd like -- it looks like what I really wanted to do was rehash if /usr/local/certs/* files either disappeared between INDEX-OLD and INDEX-NEW or just appeared in INDEX-NEW.
I think this should probably use the logic from install_delete, then check killfiles and INDEX-NEW for cert changes.
Take #2; still know very little about freebsd-update. =-)
Refactored the check for whether we need to rehash out into another function. First we check INDEX-NEW because this will trivially tell us if we've had any new certs or cert modifications (as far as I understand what the index is composed of), then we check if any certs have been removed.