diff --git a/gnutls-3.2.1-pkcs11.diff b/gnutls-3.2.1-pkcs11.diff
new file mode 100644
index 0000000..8b2d063
--- /dev/null
+++ b/gnutls-3.2.1-pkcs11.diff
@@ -0,0 +1,28 @@
+From 9008620a9c452fb33942f0f8ee03a44fdf277475 Mon Sep 17 00:00:00 2001
+From: Stef Walter <stefw@redhat.com>
+Date: Thu, 4 Jul 2013 16:15:03 +0200
+Subject: [PATCH] pkcs11: Use the correct attribute length for CKA_TRUSTED
+
+CKA_TRUSTED is a CK_BBOOL value in PKCS#11. Since object searches
+are done with the attribute byte values, we need to get the length
+exactly right.
+---
+ lib/pkcs11.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/pkcs11.c b/lib/pkcs11.c
+index 27ea3f4..3da3b92 100644
+--- a/lib/pkcs11.c
++++ b/lib/pkcs11.c
+@@ -2201,7 +2201,7 @@ find_objs (struct pkcs11_session_info* sinfo,
+   struct ck_attribute *attr;
+   ck_object_class_t class = (ck_object_class_t)-1;
+   ck_certificate_type_t type = (ck_certificate_type_t)-1;
+-  unsigned int trusted;
++  unsigned char trusted;
+   unsigned long category;
+   ck_rv_t rv;
+   ck_object_handle_t obj;
+-- 
+1.8.3.1
+
diff --git a/gnutls-implement-trust-store-dir.diff b/gnutls-implement-trust-store-dir.diff
deleted file mode 100644
index e7fb953..0000000
--- a/gnutls-implement-trust-store-dir.diff
+++ /dev/null
@@ -1,154 +0,0 @@
-Index: gnutls-3.2.1/configure.ac
-===================================================================
---- gnutls-3.2.1.orig/configure.ac
-+++ gnutls-3.2.1/configure.ac
-@@ -398,6 +398,25 @@ if test "$with_default_trust_store_file"
-   with_default_trust_store_file=""
- fi
- 
-+AC_ARG_WITH([default-trust-store-dir],
-+  [AS_HELP_STRING([--with-default-trust-store-dir=DIRECTORY],
-+    [use the given directory as default trust store])], with_default_trust_store_dir="$withval",
-+  [if test "$build" = "$host" ; then
-+  for i in \
-+    /etc/ssl/certs/
-+    do
-+    if test -e $i ; then
-+      with_default_trust_store_dir="$i"
-+      break
-+    fi
-+  done
-+  fi]
-+)
-+
-+if test "$with_default_trust_store_dir" = "no";then
-+  with_default_trust_store_dir=""
-+fi
-+
- AC_ARG_WITH([default-crl-file],
-   [AS_HELP_STRING([--with-default-crl-file=FILE],
-     [use the given CRL file as default])])
-@@ -407,6 +426,11 @@ if test "x$with_default_trust_store_file
-     ["$with_default_trust_store_file"], [use the given file default trust store])
- fi
- 
-+if test "x$with_default_trust_store_dir" != x; then
-+  AC_DEFINE_UNQUOTED([DEFAULT_TRUST_STORE_DIR],
-+    ["$with_default_trust_store_dir"], [use the given directory default trust store])
-+fi
-+
- if test "x$with_default_crl_file" != x; then
-   AC_DEFINE_UNQUOTED([DEFAULT_CRL_FILE],
-     ["$with_default_crl_file"], [use the given CRL file])
-@@ -683,6 +707,7 @@ AC_MSG_NOTICE([System files:
- 
-   Trust store pkcs:     $with_default_trust_store_pkcs11
-   Trust store file:     $with_default_trust_store_file
-+  Trust store dir:      $with_default_trust_store_dir
-   CRL file:             $with_default_crl_file
-   DNSSEC root key file: $unbound_root_key_file
- ])
-Index: gnutls-3.2.1/lib/system.c
-===================================================================
---- gnutls-3.2.1.orig/lib/system.c
-+++ gnutls-3.2.1/lib/system.c
-@@ -385,7 +385,45 @@ const char *home_dir = getenv ("HOME");
-   return 0;
- }
- 
--#if defined(DEFAULT_TRUST_STORE_FILE) || (defined(DEFAULT_TRUST_STORE_PKCS11) && defined(ENABLE_PKCS11))
-+/* Used by both Android code and by Linux TRUST_STORE_DIR /etc/ssl/certs code */
-+#if defined(DEFAULT_TRUST_STORE_DIR) || defined(ANDROID) || defined(__ANDROID__)
-+# include <dirent.h>
-+# include <unistd.h>
-+static int load_dir_certs(const char* dirname, gnutls_x509_trust_list_t list, 
-+	unsigned int tl_flags, unsigned int tl_vflags, unsigned type)
-+{
-+DIR * dirp;
-+struct dirent *d;
-+int ret;
-+int r = 0;
-+char path[GNUTLS_PATH_MAX];
-+
-+  dirp = opendir(dirname);
-+  if (dirp != NULL) 
-+    {
-+      do
-+        {
-+      	  d = readdir(dirp);
-+      	  if (d != NULL && d->d_type == DT_REG) 
-+      	    {
-+      	  	snprintf(path, sizeof(path), "%s/%s", dirname, d->d_name);
-+
-+                ret = gnutls_x509_trust_list_add_trust_file(list, path, NULL, type, tl_flags, tl_vflags);
-+                if (ret >= 0)
-+                  r += ret;
-+      	    }
-+      	}
-+      while(d != NULL);
-+      closedir(dirp);
-+    }
-+    
-+  return r;
-+}
-+#endif
-+
-+
-+#if defined(DEFAULT_TRUST_STORE_FILE) || (defined(DEFAULT_TRUST_STORE_PKCS11) && defined(ENABLE_PKCS11)) || defined(DEFAULT_TRUST_STORE_DIR)
-+
- static
- int
- add_system_trust(gnutls_x509_trust_list_t list,
-@@ -413,6 +451,12 @@ add_system_trust(gnutls_x509_trust_list_
-     r += ret;
- # endif
- 
-+# ifdef DEFAULT_TRUST_STORE_DIR
-+  ret = load_dir_certs(DEFAULT_TRUST_STORE_DIR, list, tl_flags, tl_vflags, GNUTLS_X509_FMT_PEM);
-+  if (ret > 0)
-+    r += ret;
-+# endif
-+
-   return r;
- }
- #elif defined(_WIN32)
-@@ -466,39 +510,6 @@ int add_system_trust(gnutls_x509_trust_l
-   return r;
- }
- #elif defined(ANDROID) || defined(__ANDROID__)
--# include <dirent.h>
--# include <unistd.h>
--static int load_dir_certs(const char* dirname, gnutls_x509_trust_list_t list, 
--	unsigned int tl_flags, unsigned int tl_vflags, unsigned type)
--{
--DIR * dirp;
--struct dirent *d;
--int ret;
--int r = 0;
--char path[GNUTLS_PATH_MAX];
--
--  dirp = opendir(dirname);
--  if (dirp != NULL) 
--    {
--      do
--        {
--      	  d = readdir(dirp);
--      	  if (d != NULL && d->d_type == DT_REG) 
--      	    {
--      	  	snprintf(path, sizeof(path), "%s/%s", dirname, d->d_name);
--
--                ret = gnutls_x509_trust_list_add_trust_file(list, path, NULL, type, tl_flags, tl_vflags);
--                if (ret >= 0)
--                  r += ret;
--      	    }
--      	}
--      while(d != NULL);
--      closedir(dirp);
--    }
--    
--  return r;
--}
--
- static int load_revoked_certs(gnutls_x509_trust_list_t list, unsigned type)
- {
- DIR * dirp;
diff --git a/gnutls.changes b/gnutls.changes
index 542714d..a6c8165 100644
--- a/gnutls.changes
+++ b/gnutls.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Jul  4 16:15:14 UTC 2013 - lnussel@suse.de
+
+- use pkcs11 interface to fetch the system's CA certificates
+  (fate#314991). Add patch gnutls-3.2.1-pkcs11.diff to fix doing
+  that, obsoletes gnutls-implement-trust-store-dir.diff.
+
 -------------------------------------------------------------------
 Thu Jun 27 13:44:12 UTC 2013 - meissner@suse.com
 
diff --git a/gnutls.spec b/gnutls.spec
index 533b35f..81eee78 100644
--- a/gnutls.spec
+++ b/gnutls.spec
@@ -32,8 +32,9 @@ Source0:        ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/%{name}-%{version}.tar.x
 Source1:        ftp://ftp.gnutls.org/gcrypt/gnutls/v3.2/%{name}-%{version}.tar.xz.sig
 Source2:        %name.keyring
 Source3:        baselibs.conf
-# suse specific, add support for certificate directories -- lnussel/meissner
-Patch1:         gnutls-implement-trust-store-dir.diff
+# https://gitorious.org/gnutls/gnutls/commit/7613c3251430a212fe5d6001863045f20eca7563
+# PATCH-UPSTREAM lnussel@suse.de -- fix reading ca-certificates # via pkcs11 interface
+Patch1:         gnutls-3.2.1-pkcs11.diff
 
 Patch2:         automake-1.12.patch
 # PATCH-FIX-OPENSUSE gnutls-3.0.26-skip-test-fwrite.patch andreas.stieger@gmx.de -- skip a failing test
@@ -155,7 +156,7 @@ autoreconf -if
         --with-pic \
         --disable-rpath \
         --disable-silent-rules \
-	--with-default-trust-store-dir=/etc/ssl/certs \
+	--with-default-trust-store-pkcs11=pkcs11: \
 	--disable-ecdhe \
         --with-sysroot=/%{?_sysroot}
 %__make %{?_smp_mflags}