diff --git a/security/ca_root_nss/Makefile b/security/ca_root_nss/Makefile --- a/security/ca_root_nss/Makefile +++ b/security/ca_root_nss/Makefile @@ -1,6 +1,6 @@ PORTNAME= ca_root_nss PORTVERSION= ${VERSION_NSS} -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= security MASTER_SITES= MOZILLA/security/nss/releases/${DISTNAME:tu:C/[-.]/_/g}_RTM/src DISTNAME= nss-${VERSION_NSS}${NSS_SUFFIX} @@ -17,8 +17,14 @@ NO_ARCH= yes WRKSRC_SUBDIR= nss +OPTIONS_DEFINE= ETCSYMLINK +OPTIONS_DEFAULT= ETCSYMLINK + OPTIONS_SUB= yes +ETCSYMLINK_DESC= Add symlink to /etc/ssl/cert.pem +ETCSYMLINK_CONFLICTS_INSTALL= ca-roots-[0-9]* + CERTDIR?= share/certs PLIST_SUB+= CERTDIR=${CERTDIR} @@ -43,4 +49,8 @@ ${MKDIR} ${STAGEDIR}${PREFIX}/openssl ${LN} -sf ../${CERTDIR}/ca-root-nss.crt ${STAGEDIR}${PREFIX}/openssl/cert.pem.sample +do-install-ETCSYMLINK-on: + ${MKDIR} ${STAGEDIR}/etc/ssl + ${LN} -sf ../..${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}/etc/ssl/cert.pem + .include diff --git a/security/ca_root_nss/files/pkg-message.in b/security/ca_root_nss/files/pkg-message.in --- a/security/ca_root_nss/files/pkg-message.in +++ b/security/ca_root_nss/files/pkg-message.in @@ -5,8 +5,19 @@ whose certificates are included in this package have in any way been audited for trustworthiness or RFC 3647 compliance. -Assessment and verification of trust is the complete responsibility of the -system administrator. +Assessment and verification of trust is the complete responsibility of +the system administrator. + +This package installs symlinks to support root certificate discovery +for software that either uses other cryptographic libraries than +OpenSSL, or use OpenSSL but do not follow recommended practice. + +If you prefer to do this manually, replace the following symlinks with +either an empty file or your site-local certificate bundle. + + * /etc/ssl/cert.pem + * %%PREFIX%%/etc/ssl/cert.pem + * %%PREFIX%%/openssl/cert.pem EOM } ] 
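Review bot: In the Makefile hunk at `@@ -17,8 +17,14 @@`, `OPTIONS_DEFAULT= ETCSYMLINK` turns on by default an option that installs outside `${PREFIX}`, yet nothing in the Makefile says so. With it on, /etc/ssl/cert.pem becomes the trust bundle for any software that reads that path, while the package's own pkg-message states that the included CAs have not been audited for trustworthiness. I would add a comment above the option block, for example `# ETCSYMLINK installs /etc/ssl/cert.pem outside PREFIX; it sets the trust bundle for software reading that path`. The description could say the same: `ETCSYMLINK_DESC= Add system-wide symlink /etc/ssl/cert.pem to this bundle`.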
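Review bot: In the `do-install-ETCSYMLINK-on` recipe (Makefile hunk at `@@ -43,4 +49,8 @@`), the link target `../..${PREFIX}/${CERTDIR}/ca-root-nss.crt` resolves correctly only if /etc/ssl sits exactly two real directories below the root. If /etc or /etc/ssl is itself a symlink to a path of different depth, the link dangles or points at a different file. TLS clients reading /etc/ssl/cert.pem would then load no roots or an unintended bundle. An absolute target avoids this: `${LN} -sf ${PREFIX}/${CERTDIR}/ca-root-nss.crt ${STAGEDIR}/etc/ssl/cert.pem`. If the relative form was chosen deliberately, perhaps for alternate-root installs, a one-line comment stating that reason would help the next reader.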
diff --git a/security/ca_root_nss/pkg-plist b/security/ca_root_nss/pkg-plist --- a/security/ca_root_nss/pkg-plist +++ b/security/ca_root_nss/pkg-plist @@ -1,4 +1,7 @@ %%CERTDIR%%/ca-root-nss.crt +@sample etc/ssl/cert.pem.sample +@sample openssl/cert.pem.sample +%%ETCSYMLINK%%/etc/ssl/cert.pem @postexec certctl rehash @postunexec certctl rehash @postexec [ ! -e %%LOCALBASE%%/bin/cert-sync ] || %%LOCALBASE%%/bin/cert-sync --quiet %%PREFIX%%/share/certs/ca-root-nss.crt
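Review bot: `%%ETCSYMLINK%%/etc/ssl/cert.pem` is registered as an ordinary package-owned file, unlike the two `@sample` entries added beside it. An administrator who follows the new pkg-message and replaces the symlink with an empty file or a site-local bundle will therefore presumably have it overwritten on the next upgrade or reinstall. That would silently restore the full bundled root set as the trust store for anything reading /etc/ssl/cert.pem, undoing a deliberate restriction. The pkg-message should at least point to the durable route, for example `To keep a site-local /etc/ssl/cert.pem across upgrades, build the port with the ETCSYMLINK option disabled.` Please also confirm how pkg treats a locally modified file at this path during upgrade.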