Index: usr.sbin/certctl/certctl.sh
===================================================================
--- usr.sbin/certctl/certctl.sh
+++ usr.sbin/certctl/certctl.sh
@@ -56,31 +56,56 @@
 fi
 }
+
+get_decimal()
+{
+ local checkdir hash serial
+
+ checkdir=$1
+ hash=$2
+ prefix=$3
+ serial=0
+
+ while [ -e "$checkdir/$hash.$prefix$serial" ]; do
+ serial=$((serial + 1))
+ done
+
+ echo ${serial}
+ return 0
+}
+
 create_trusted_link()
 {
 local hash
+ local serial
 hash=$( do_hash "$1" ) || return
+ # XXX Should look at $hash.[0-9] and compare
 if [ -e "$BLACKLISTDESTDIR/$hash.0" ]; then
 echo "Skipping blacklisted certificate $1 ($BLACKLISTDESTDIR/$hash.0)"
 return 1
 fi
- [ $VERBOSE -gt 0 ] && echo "Adding $hash.0 to trust store"
- [ $NOOP -eq 0 ] && install ${INSTALLFLAGS} -lrs $(realpath "$1") "$CERTDESTDIR/$hash.0"
+ suffix=$(get_decimal "$CERTDESTDIR" "$hash")
+ [ $VERBOSE -gt 0 ] && echo "Adding $hash.$suffix to trust store"
+ [ $NOOP -eq 0 ] && \
+ install ${INSTALLFLAGS} -lrs $(realpath "$1") "$CERTDESTDIR/$hash.$suffix"
 }
 create_blacklisted()
 {
 local hash srcfile filename
+ local serial
 # If it exists as a file, we'll try that; otherwise, we'll scan
 if [ -e "$1" ]; then
 hash=$( do_hash "$1" ) || return
 srcfile=$(realpath "$1")
- filename="$hash.0"
+ suffix=$(get_decimal "$BLACKLISTDESTDIR" "$hash" "r")
+ filename="$hash.r$suffix"
 elif [ -e "${CERTDESTDIR}/$1" ]; then
 srcfile=$(realpath "${CERTDESTDIR}/$1")
- filename="$1"
+ hash=$(echo "$1" | sed -Ee 's/\.([0-9])+$//')
+ suffix=$(get_decimal "$BLACKLISTDESTDIR" "$hash" "r")
+ filename="$hash.r$suffix"
 else
 return
 fi
@@ -180,6 +205,7 @@
 for BFILE in "$@"; do
 if [ -s "$BFILE" ]; then
 hash=$( do_hash "$BFILE" )
+ # XXX .0?
 echo "Removing $hash.0 from blacklist"
 [ $NOOP -eq 0 ] && rm -f "$BLACKLISTDESTDIR/$hash.0"
 elif [ -e "$BLACKLISTDESTDIR/$BFILE" ]; then
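Review bot: The blacklist check in create_trusted_link still tests `$BLACKLISTDESTDIR/$hash.0`, but create_blacklisted now writes its entries as `$hash.r$suffix` (get_decimal is called with prefix "r"), so after this change no blacklisted certificate is ever skipped, and the `rm -f "$BLACKLISTDESTDIR/$hash.0"` in the second hunk (flagged there by the added `# XXX .0?`) likewise never removes an entry. Since distinct certificates can share a subject hash — the reason the serial suffix exists — a name-only test is not enough either; both sites should enumerate `$hash.r*` in the blacklist directory and compare file contents, as in the replacement for the `if … fi` block below (this assumes blacklist entries are links to the certificate file as the trust-store entries are, which the hunk does not show). Separately, get_decimal assigns `prefix=$3` without declaring it, and both callers declare an unused `local serial` while assigning the undeclared `suffix`; `local checkdir hash prefix serial` and `local hash suffix` would keep these out of the global scope. The probe loop in get_decimal and the later `install` are not atomic, so two concurrent invocations can choose the same serial and one link silently overwrites the other. create_blacklisted's body continues past the end of this hunk.
```shell
	local hash suffix blfile
	hash=$( do_hash "$1" ) || return
	# Several certificates can share a subject hash: match on content, not on name.
	for blfile in "$BLACKLISTDESTDIR/$hash".r*; do
		[ -e "$blfile" ] || continue
		if cmp -s "$blfile" "$1"; then
			echo "Skipping blacklisted certificate $1 ($blfile)"
			return 1
		fi
	done
	# … unchanged: get_decimal / install of $hash.$suffix …
```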