diff --git a/security/ca_root_nss/Makefile b/security/ca_root_nss/Makefile
--- a/security/ca_root_nss/Makefile
+++ b/security/ca_root_nss/Makefile
@@ -1,6 +1,6 @@
 PORTNAME=	ca_root_nss
 PORTVERSION=	${VERSION_NSS}
-PORTREVISION=	0
+PORTREVISION=	1
 CATEGORIES=	security
 MASTER_SITES=	MOZILLA/security/nss/releases/${DISTNAME:tu:C/[-.]/_/g}_RTM/src
 DISTNAME=	nss-${VERSION_NSS}${NSS_SUFFIX}
@@ -17,14 +17,8 @@
 NO_ARCH=	yes
 WRKSRC_SUBDIR=	nss
 
-OPTIONS_DEFINE=		ETCSYMLINK
-OPTIONS_DEFAULT=	ETCSYMLINK
-
 OPTIONS_SUB=		yes
 
-ETCSYMLINK_DESC=	Add symlink to /etc/ssl/cert.pem
-ETCSYMLINK_CONFLICTS_INSTALL=	ca-roots-[0-9]*
-
 CERTDIR?=	share/certs
 PLIST_SUB+=	CERTDIR=${CERTDIR}
 
@@ -49,8 +43,4 @@
 	${MKDIR} ${STAGEDIR}${PREFIX}/openssl
 	${LN} -sf ../${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/openssl/cert.pem.sample
 
-do-install-ETCSYMLINK-on:
-	${MKDIR} ${STAGEDIR}/etc/ssl
-	${LN} -sf ../..${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}/etc/ssl/cert.pem
-
 .include <bsd.port.mk>
diff --git a/security/ca_root_nss/files/pkg-message.in b/security/ca_root_nss/files/pkg-message.in
--- a/security/ca_root_nss/files/pkg-message.in
+++ b/security/ca_root_nss/files/pkg-message.in
@@ -7,20 +7,6 @@
 
 Assessment and verification of trust is the complete responsibility of the
 system administrator.
-
-
-This package installs symlinks to support root certificates discovery by
-default for software that uses OpenSSL.
-
-This enables SSL Certificate Verification by client software without manual
-intervention.
-
-If you prefer to do this manually, replace the following symlinks with
-either an empty file or your site-local certificate bundle.
-
-  * /etc/ssl/cert.pem
-  * %%PREFIX%%/etc/ssl/cert.pem
-  * %%PREFIX%%/openssl/cert.pem
 EOM
 }
 ]
diff --git a/security/ca_root_nss/pkg-plist b/security/ca_root_nss/pkg-plist
--- a/security/ca_root_nss/pkg-plist
+++ b/security/ca_root_nss/pkg-plist
@@ -1,6 +1,4 @@
 %%CERTDIR%%/ca-root-nss.crt
-@sample etc/ssl/cert.pem.sample
-@sample openssl/cert.pem.sample
-%%ETCSYMLINK%%/etc/ssl/cert.pem
-%%ETCSYMLINK%%@dir /etc/ssl
+@postexec certctl rehash
+@postunexec certctl rehash
 @postexec [ ! -e %%LOCALBASE%%/bin/cert-sync ] || %%LOCALBASE%%/bin/cert-sync --quiet %%PREFIX%%/share/certs/ca-root-nss.crt