--- Makefile.orig 2017-06-11 13:20:07.000000000 -0500
+++ Makefile 2017-07-05 08:30:27.514516000 -0500
@@ -2,6 +2,7 @@
 PORTNAME= ca_root_nss
 PORTVERSION= ${VERSION_NSS}
+PORTREVISION= 1
 CATEGORIES= security
 MASTER_SITES= MOZILLA/security/nss/releases/${DISTNAME:tu:C/[-.]/_/g}_RTM/src
 DISTNAME= nss-${VERSION_NSS}${NSS_SUFFIX}
@@ -11,13 +12,14 @@
 LICENSE= MPL
-OPTIONS_DEFINE= ETCSYMLINK
+OPTIONS_DEFINE= ETCSYMLINK NODUPS
 OPTIONS_DEFAULT= ETCSYMLINK
 OPTIONS_SUB= yes
 ETCSYMLINK_DESC= Add symlink to /etc/ssl/cert.pem
 ETCSYMLINK_CONFLICTS_INSTALL= ca-roots-[0-9]*
+NODUPS_DESC= No subject duplicate certificates (use highest serial)
 USES= perl5 ssl:build
 USE_PERL5= build
@@ -42,6 +44,10 @@
 .include
+.if ${PORT_OPTIONS:MNODUPS}
+NODUPS_CONFIGURE_ON=true
+.endif
+
 do-extract:
 @${MKDIR} ${WRKDIR}
 @${TAR} -C ${WRKDIR} -xf ${DISTDIR}/nss-${VERSION_NSS}${NSS_SUFFIX}${EXTRACT_SUFX} \
@@ -50,7 +56,7 @@
 @${RM} -r ${WRKDIR}/nss-${VERSION_NSS}
 do-build: apply-slist
- @${SETENV} PATH=${LOCALBASE}/bin:$${PATH} \
+ @${SETENV} PATH=${LOCALBASE}/bin:$${PATH} WITH_NODUPS=${NODUPS_CONFIGURE_ON} \
 ${PERL} ${WRKDIR}/${BUNDLE_PROCESSOR} \
 < ${WRKDIR}/certdata.txt > \
 ${WRKDIR}/ca-root-nss.crt
--- files/MAca-bundle.pl.in.orig 2013-08-29 03:10:09.000000000 -0500
+++ files/MAca-bundle.pl.in 2017-07-10 07:53:10.832454000 -0500
@@ -54,6 +54,10 @@
 $debug++
 if defined $ENV{'WITH_DEBUG'}
 and $ENV{'WITH_DEBUG'} !~ m/(?i)^(no|0|false|)$/;
+my $dups = 1;
+$dups = 0
+ if defined $ENV{'WITH_NODUPS'}
+ and $ENV{'WITH_NODUPS'} !~ m/(?i)^(no|0|false|)$/;
 my %certs;
 my %trusts;
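Review bot: `NODUPS_CONFIGURE_ON` in the Makefile hunk at `@@ -42,6 +44,10 @@` reuses the name of the options-framework helper that feeds CONFIGURE_ARGS, although here it is only a flag carried into the build environment by the `do-build` hunk at `@@ -50,7 +56,7 @@`. That hides the intent and may also make the framework append `true` to the configure arguments. Passing the option state directly, `WITH_NODUPS=${PORT_OPTIONS:MNODUPS}`, would make the `.if` block unnecessary, since the script treats any value other than no/0/false/empty as enabled. Because this switch changes which roots end up in the installed trust bundle, a one-line comment next to it saying so would help whoever audits the port later.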
@@ -201,18 +205,29 @@
 }
 }
-print "## Untrusted certificates omitted from this bundle: $untrusted\n\n";
+print "## Untrusted certificates omitted from this bundle: $untrusted\n";
 print STDERR "## Untrusted certificates omitted from this bundle: $untrusted\n";
+print "## Ignoring duplicate certificates\n\n" if ( ! $dups );
+print STDERR "## Ignoring duplicate certificates\n\n" if ( ! $dups );
 my $certcount = 0;
-foreach my $it (sort {uc($a) cmp uc($b)} keys %certs) {
+my (%seensubjects);
+foreach my $it (sort {
+ my ($a1,$a2) = split("\0", $a);
+ my ($b1,$b2) = split("\0", $b);
+ uc($a1) cmp uc($b1) and $b2 == $a2
+} keys %certs) {
 if (!exists($trusts{$it})) {
 die "Found certificate without trust block,\naborting";
 }
- printcert("", $certs{$it});
- print "\n\n\n";
- $certcount++;
- print STDERR "Trusting $certcount: ".printlabel($it)."\n" if $debug;
+ my ($subject, $serial) = split("\0", $it);
+ if ( $dups == 1 or ! exists $seensubjects{$subject} ) {
+ $seensubjects{$subject} = 1;
+ printcert("", $certs{$it});
+ print "\n\n\n";
+ $certcount++;
+ print STDERR "Trusting $certcount: ".printlabel($it)."\n" if $debug;
+ }
 }
 if ($certcount < 25) {
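Review bot: The new sort block `uc($a1) cmp uc($b1) and $b2 == $a2` is not a valid comparator. When the subjects are equal, `cmp` yields 0 and `and` short-circuits, so the serial is never consulted; when they differ, the block returns the result of `==` (1 or empty) instead of an ordering. With NODUPS enabled, which certificate survives for a duplicated subject therefore depends on incidental order rather than the "highest serial" the option text promises, and the default build loses its stable ordering too. `uc($a1) cmp uc($b1) or $b2 <=> $a2` gives the intended tie-break if the part after the NUL is numeric; how the key is built is not visible in this hunk, and raw or escaped serial bytes would need a string or big-integer comparison. Since this output becomes the trust bundle, a comment should also say that de-duplicating by subject alone drops same-subject roots that carry different keys, and that a higher serial does not imply a newer certificate.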