diff --git a/usr.sbin/certctl/certctl.sh b/usr.sbin/certctl/certctl.sh
index 41d2cecf464..0edef6ce984 100755
--- a/usr.sbin/certctl/certctl.sh
+++ b/usr.sbin/certctl/certctl.sh
@@ -59,28 +59,50 @@ do_hash()
 fi
 }
 
+get_serial()
+{
+local checkdir hash serial
+
+checkdir=$1
+hash=$2
+serial=0
+
+while [ -e "$CERTDESTDIR/$hash.$serial" ]; do
+serial=$((serial + 1))
+done
+
+echo ${serial}
+return 0
+}
+
 create_trusted_link()
 {
 local hash
+local serial
 
 hash=$( do_hash "$1" ) || return
+# XXX Should look at $hash.[0-9] and compare
 if [ -e "$BLACKLISTDESTDIR/$hash.0" ]; then
 echo "Skipping blacklisted certificate $1 ($BLACKLISTDESTDIR/$hash.0)"
 return 1
 fi
-[ $VERBOSE -gt 0 ] && echo "Adding $hash.0 to trust store"
-[ $NOOP -eq 0 ] && install -lrs $(realpath "$1") "$CERTDESTDIR/$hash.0"
+serial=$(get_serial "$CERTDESTDIR" "$hash")
+[ $VERBOSE -gt 0 ] && echo "Adding $hash.$serial to trust store"
+[ $NOOP -eq 0 ] && \
+install -lrs $(realpath "$1") "$CERTDESTDIR/$hash.$serial"
 }
 
 create_blacklisted()
 {
 local hash srcfile filename
+local serial
 
 # If it exists as a file, we'll try that; otherwise, we'll scan
 if [ -e "$1" ]; then
 hash=$( do_hash "$1" ) || return
 srcfile=$(realpath "$1")
-filename="$hash.0"
+serial=$(get_serial "$CERTDESTDIR" "$hash")
+filename="$hash.$serial"
 elif [ -e "${CERTDESTDIR}/$1" ]; then
 srcfile=$(realpath "${CERTDESTDIR}/$1")
 filename="$1"
@@ -183,6 +205,7 @@ cmd_unblacklist()
 for BFILE in "$@"; do
 if [ -s "$BFILE" ]; then
 hash=$( do_hash "$BFILE" )
+# XXX .0?
 echo "Removing $hash.0 from blacklist"
 [ $NOOP -eq 0 ] && rm -f "$BLACKLISTDESTDIR/$hash.0"
 elif [ -e "$BLACKLISTDESTDIR/$BFILE" ]; then
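Review bot: get_serial assigns `checkdir=$1` but never uses it; the probe loop hard-codes `$CERTDESTDIR`, so the first argument both callers pass is dead and the function cannot be pointed at the blacklist directory. The loop should read `while [ -e "$checkdir/$hash.$serial" ]; do` so the parameter is honoured. Because create_blacklisted also computes its serial against `$CERTDESTDIR`, the blacklist file name depends on what is already in the trust store, and the `.0`-only checks in create_trusted_link and in the second hunk's cmd_unblacklist (`rm -f "$BLACKLISTDESTDIR/$hash.0"`) will not find a blacklist entry that landed on a higher serial; the XXX comments note this but the commit leaves it unresolved. get_serial also only finds the next free name and does not check whether `$1` is already linked under an existing serial, so repeated runs may accumulate duplicate links unless the caller clears the directory first — that is not visible in this hunk.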