Index: usr.sbin/certctl/certctl.sh
===================================================================
--- usr.sbin/certctl/certctl.sh
+++ usr.sbin/certctl/certctl.sh
@@ -36,6 +36,7 @@
 ############################################################ GLOBALS
 SCRIPTNAME="${0##*/}"
+CHANGES=0
 ERRORS=0
 NOOP=0
 UNPRIV=0
@@ -152,7 +153,10 @@
 # Install the entirety of the file as-is here, so that we don't risk a
 # broken symlink removing the entry.
- [ $NOOP -eq 0 ] && install ${INSTALLFLAGS} "${srcfile}" "${BLACKLISTDESTDIR}"
+ if [ $NOOP -eq 0 ]; then
+ install ${INSTALLFLAGS} "${srcfile}" "${BLACKLISTDESTDIR}"
+ CHANGES=$(( ${CHANGES} + 1 ))
+ fi
 }
 remove_blacklisted()
@@ -181,7 +185,10 @@
 blisthash=$( openssl x509 -sha256 -in "${blistpath}/${blistfile}" -noout -fingerprint )
 if [ "${certhash}" = "${blisthash}" ]; then
 echo "Removing ${blistpath}/${blistfile}"
- [ $NOOP -eq 0 ] && rm -f "${blistpath}/${blistfile}"
+ if [ $NOOP -eq 0 ]; then
+ rm -f "${blistpath}/${blistfile}"
+ CHANGES=$(( ${CHANGES} + 1 ))
+ fi
 fi
 done
 done
@@ -270,6 +277,12 @@
 echo "Adding $BFILE to blacklist"
 add_blacklisted "$BFILE"
 done
+
+ # Trigger a rehash if we successfully blacklisted any cert.
+ if [ "${CHANGES}" -gt 0 ]; then
+ echo "Triggering rehash after changes..."
+ cmd_rehash
+ fi
 }
 cmd_unblacklist()
@@ -280,6 +293,12 @@
 for BFILE in "$@"; do
 remove_blacklisted "$BFILE"
 done
+
+ # Trigger a rehash if we successfully blacklisted any cert.
+ if [ "${CHANGES}" -gt 0 ]; then
+ echo "Triggering rehash after changes..."
+ cmd_rehash
+ fi
 }
 blacklist_formatter()
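Review bot: In the add_blacklisted hunk, `CHANGES` is incremented whether or not `install` succeeded, so a failed copy still counts as a change and still leads to the "Triggering rehash after changes..." path, even though the certificate was never added to the blacklist directory. Tie the counter to the command's result, e.g. `install ${INSTALLFLAGS} "${srcfile}" "${BLACKLISTDESTDIR}" && CHANGES=$(( CHANGES + 1 ))`, and report the failure explicitly, since an operator who believes a certificate is distrusted when it is not is the worst outcome for this tool. The existing `ERRORS` counter looks like the place for that, though its use is not visible in these hunks. The same applies to the `rm -f` in the remove_blacklisted hunk. Both function bodies start outside their hunks.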
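Review bot: In cmd_blacklist the rehash is gated on `CHANGES`, which add_blacklisted only increments when `NOOP` is 0, so a dry run never reaches this block and its output never mentions the rehash. That matters because the blacklist entry presumably only affects the trusted set once the rehash has run, so the preview understates what a real run does. At minimum document it above the `if`, e.g. `# NOOP runs never increment CHANGES, so no rehash is previewed.` Counting changes outside the `NOOP` guard would only be safe if cmd_rehash honours `NOOP` itself, which is not visible here. The same holds for the identical block added to cmd_unblacklist.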
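Review bot: The comment added in cmd_unblacklist was copied from cmd_blacklist and describes the wrong operation, since this path removes entries through remove_blacklisted. It should read something like `# Trigger a rehash if we removed any blacklist entry.` The five-line block is otherwise identical in both functions, so a small shared helper called from each would keep the two from drifting apart. cmd_unblacklist's body starts outside the hunk.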