Index: usr.sbin/freebsd-update/freebsd-update.sh
===================================================================
--- usr.sbin/freebsd-update/freebsd-update.sh
+++ usr.sbin/freebsd-update/freebsd-update.sh
@@ -2844,6 +2844,35 @@
 done
 }
+
+install_check_certs() {
+ # Check first if we have any new certs
+ if grep -qE -m 1 -e '^/usr/share/certs/(trusted|blacklisted)' $2; then
+ return 0
+ fi
+
+ # Generate list of new files
+ cut -f 1 -d '|' < $2 |
+ sort > newfiles
+
+ # Generate subindex of old files we want to nuke
+ sort -k 1,1 -t '|' $1 |
+ join -t '|' -v 1 - newfiles |
+ sort -r -k 1,1 -t '|' |
+ cut -f 1,2 -d '|' |
+ tr '|' ' ' > killfiles
+
+ rm newfiles
+ status=1
+ # Any certs going away? This should trigger a rehash as well.
+ if grep -qE -m 1 -e '^/usr/share/certs/(trusted|blacklisted)' killfiles; then
+ status=0
+ fi
+
+ rm killfiles
+ return $status
+}
+
 # Remove files which we want to delete
 install_delete () {
 # Generate list of new files
@@ -2944,6 +2973,10 @@
 install_from_index INDEX-NEW || return 1
 install_delete INDEX-OLD INDEX-NEW || return 1
+ if install_check_certs $1/INDEX-OLD $1/INDEX-NEW; then
+ env DESTDIR=${BASEDIR} certctl rehash
+ fi
+
 # Rebuild generated pwd files.
 if [ ${BASEDIR}/etc/master.passwd -nt ${BASEDIR}/etc/spwd.db ] ||
 [ ${BASEDIR}/etc/master.passwd -nt ${BASEDIR}/etc/pwd.db ] ||
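Review bot: `install_check_certs` returns status 1 ("no rehash needed") whenever the `cut`/`sort`/`join` pipeline fails or an index cannot be read, because only the two `grep` results are ever examined; a certificate that was removed from the tree would then stay in the hashed trust store with no message. Consider failing toward a rehash, for example `[ -r "$1" ] && [ -r "$2" ] || return 0` at the top of the function, and quote the arguments (`"$1"`, `"$2"`) in the `grep`, `cut` and `sort` calls. `status` is assigned without `local status`, so it leaks into the caller's scope. The first comment would be more accurate as `# Return 0 if $2 lists any path under the cert directories`, since that `grep` matches every cert entry in `$2`, not only new ones.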
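Review bot: The exit status of `certctl rehash` is discarded, while the two steps just above it end in `|| return 1`; if the rehash fails, the update carries on with a trust store that may no longer match the installed certificate files, and nothing tells the operator. Either propagate it, `env DESTDIR="${BASEDIR}" certctl rehash || return 1`, or at least print a warning to stderr so the rehash can be run by hand; `${BASEDIR}` should be quoted in either form. The call passes `$1/INDEX-OLD` and `$1/INDEX-NEW` where its neighbours use the `INDEX-OLD`/`INDEX-NEW` files in the working directory, which looks deliberate but deserves a one-line comment saying why the indexes under `$1` are the right ones here. The enclosing function begins and ends outside this hunk.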