diff --git a/usr.sbin/certctl/certctl.8 b/usr.sbin/certctl/certctl.8
--- a/usr.sbin/certctl/certctl.8
+++ b/usr.sbin/certctl/certctl.8
@@ -26,7 +26,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd July 13, 2022
+.Dd February 3 2023
 .Dt CERTCTL 8
 .Os
 .Sh NAME
@@ -91,6 +91,9 @@
 .Ev UNTRUSTDESTDIR .
 .It Ic untrust
 Add the specified file to the untrusted list.
+If the file was in a
+.Ev TRUSTPATH ,
+it will be removed from there.
 .It Ic trust
 Remove the specified file from the untrusted list.
 .El
diff --git a/usr.sbin/certctl/certctl.sh b/usr.sbin/certctl/certctl.sh
--- a/usr.sbin/certctl/certctl.sh
+++ b/usr.sbin/certctl/certctl.sh
@@ -127,8 +127,18 @@ return fi + filesdir=$(dirname "$filename") + [ $VERBOSE -gt 0 ] && echo "Adding $filename to untrusted list" [ $NOOP -eq 0 ] && install ${INSTALLFLAGS} -lrs "$srcfile" "$UNTRUSTDESTDIR/$filename" + + case :$TRUSTPATH: in + *:$filesdir:*) + [ $VERBOSE -gt 0 ] && echo "Deleting $filename from trusted certificates" + [ $NOOP -eq 0 ] && rm -f "$srcfile" + ;; + *) ;; # not trusted + esac } do_scan()
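Review bot: In the new `case` arm of certctl.sh, `rm -f "$srcfile"` deletes the file that the `install ... -lrs` just before the `case` has linked into `$UNTRUSTDESTDIR` as a relative symlink, so the untrusted entry is left dangling; if later scans read that entry to recognise the certificate (not visible in this hunk), the distrust record is effectively lost. The directory test also uses `dirname "$filename"` although the file removed is `$srcfile`, and `$filename` is otherwise used here only as a name under `$UNTRUSTDESTDIR`, so the arm may never match; `$filesdir` is unquoted in the pattern too, so glob characters in a path would act as a pattern. I would decide the trust-path case before installing, store a real copy in that case and remove the source only when the copy succeeded, as sketched below, assuming `INSTALLFLAGS` is also valid for a plain copy. The function starts above the hunk, so how `srcfile` and `filename` are set needs confirming.

```shell
	# Test the directory of the file that will actually be removed.
	filesdir=$(dirname "$srcfile")

	# … unchanged: verbose "Adding $filename to untrusted list" message …
	case ":$TRUSTPATH:" in
	*:"$filesdir":*)
		# The source is deleted below, so keep a copy, not a link to it.
		[ $VERBOSE -gt 0 ] && echo "Deleting $filename from trusted certificates"
		[ $NOOP -eq 0 ] &&
			install ${INSTALLFLAGS} "$srcfile" "$UNTRUSTDESTDIR/$filename" &&
			rm -f -- "$srcfile"
		;;
	*)
		# Not in a trust directory: a link to the source is enough.
		[ $NOOP -eq 0 ] && install ${INSTALLFLAGS} -lrs "$srcfile" "$UNTRUSTDESTDIR/$filename"
		;;
	esac
```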