diff --git a/ca-certificates.changes b/ca-certificates.changes
index 75e2aed..9dbc909 100644
--- a/ca-certificates.changes
+++ b/ca-certificates.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Aug 5 11:09:24 UTC 2014 - lnussel@suse.de
+
+- use rpm -qf to determine if a ssl cert is owned by some other
+ package and therefore doesn't need to be migrated (related to
+ bnc#890205).
+
 -------------------------------------------------------------------
 Mon Aug 4 15:35:27 UTC 2014 - lnussel@suse.de
 
diff --git a/ca-certificates.spec b/ca-certificates.spec
index cf78e85..b26878b 100644
--- a/ca-certificates.spec
+++ b/ca-certificates.spec
@@ -91,14 +91,15 @@ mv %{buildroot}/%{_prefix}/lib/ca-certificates/update.d/{,99}certbundle.run
 %pre
 # migrate /etc/ssl/certs to a symlink
 if [ "$1" -ne 0 -a -d %{sslcerts} -a ! -L %{sslcerts} ]; then
- mv -T --backup=numbered %{sslcerts} %{sslcerts}.rpmsave && ln -s /var/lib/ca-certificates/pem %{sslcerts}
 # copy custom pem files to new location (bnc#875647)
 mkdir -p /etc/pki/trust/anchors
- for cert in %{sslcerts}.rpmsave/*.pem; do
+ for cert in %{sslcerts}/*.pem; do
 test -f "$cert" -a ! -L "$cert" || continue
 read firstline < "$cert"
 # skip package provided certificates (bnc#875647)
- test "$firstline" != "# generated by openssl-certs, do not edit" || continue
+ if test "${firstline#\# generated by }" != "${firstline}" || rpm -qf "$cert" > /dev/null; then
+ continue
+ fi
 # create a p11-kit header that set the label of
 # the certificate to the file name. That ensures
 # that the certificate gets the same name in
@@ -107,7 +108,7 @@ if [ "$1" -ne 0 -a -d %{sslcerts} -a ! -L %{sslcerts} ]; then
 (
 cat <<-EOF
 # created by update-ca-certificates from
- # /etc/ssl/certs/$bn
+ # $cert
 [p11-kit-object-v1]
 class: certificate
 label: "${bn%.pem}"
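Review bot: In the first ca-certificates.spec hunk, the new skip condition treats any non-zero exit of `rpm -qf "$cert"` as "not packaged", so a query that fails for another reason would let package-owned certificates be written to /etc/pki/trust as local copies that outlive the owning package. The prefix test is also broader than the exact string it replaces: every file whose first line starts with `# generated by ` is now skipped without a trace. Logging the decision before `continue`, e.g. `echo "not migrating $cert (generated or package owned)" >&2`, would make the migration auditable; whether rpm can be queried reliably from %pre should be confirmed. The `for` loop body continues past the end of the hunk.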
@@ -116,6 +117,7 @@ if [ "$1" -ne 0 -a -d %{sslcerts} -a ! -L %{sslcerts} ]; then
 cat $cert
 ) > "/etc/pki/trust/$bn"
 done
+ mv -T --backup=numbered %{sslcerts} %{sslcerts}.rpmsave && ln -s /var/lib/ca-certificates/pem %{sslcerts}
 fi
 
 %post
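Review bot: The relocated `mv -T --backup=numbered … && ln -s …` line needs a comment saying why it now follows the loop, for example `# rename only after the loop: rpm -qf looks certificates up by their installed path`. It is also now the last command before `fi` and `%post`, so its exit status presumably becomes the status of the %pre scriptlet; confirm that a failed rename is meant to fail the scriptlet, and that leaving the copies already written to /etc/pki/trust behind in that case is acceptable. The unquoted `cat $cert` in the context above it is outside this change but would be safer as `cat "$cert"`.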