I did post a message into bug report number 537382 which was opened on
July 2009. I'm writing directly Debian QA Group because a new version of
ca-certificates was issued and the script which needs to be modified
remains the same as previous version, i.e. the bug persists.
Those report consists on the script which generates /etc/ssl/certs
symbolic links structure (update-ca-certificates).
As you know, /etc/ssl/certs/ca-certificates.crt is a bundle of all
certificates in one single file; this file must be skipped searching for
hashes of all certificates when "*.0" symlinks are created. Using the
script in its current state, first certificate appended into
ca-certificates.crt will match as the hash of ca-certificates.crt and
symbolic link will be created from the hash of that file
(brasil.gov.br.pem because is alphabetically the first) to
ca-certificates.crt leaving brasil.gov.br.pem without a symlink with its
I did supply a patch that may be used after some test by Debian.