diff --git a/ca-certificates.changes b/ca-certificates.changes
index 7368000..a1bdbb3 100644
--- a/ca-certificates.changes
+++ b/ca-certificates.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Apr 27 14:17:24 UTC 2010 - lnussel@suse.de
+
+- also use hooks from /usr/lib/ca-certificates/update.d
+- replace bundle file with symlink to file in /var as it's auto
+  generated
+
 -------------------------------------------------------------------
 Wed Apr 21 13:20:07 UTC 2010 - lnussel@suse.de
 
diff --git a/ca-certificates.spec b/ca-certificates.spec
index cc975f0..62490c0 100644
--- a/ca-certificates.spec
+++ b/ca-certificates.spec
@@ -22,12 +22,12 @@ BuildRequires:  openssl
 Name:           ca-certificates
 %define ssletcdir %{_sysconfdir}/ssl
 %define etccadir  %{ssletcdir}/certs
-%define cabundle  %{ssletcdir}/ca-bundle.pem
+%define cabundle  /var/lib/ca-certificates/ca-bundle.pem
 %define usrcadir  %{_datadir}/ca-certificates
 License:        GPLv2+
 Group:          Productivity/Networking/Security
 Version:        1
-Release:        3
+Release:        4
 Summary:        Utilities for system wide CA certificate installation
 Source0:        update-ca-certificates
 Source1:        update-ca-certificates.8
@@ -61,15 +61,21 @@ mkdir -p %{buildroot}/%{usrcadir}
 mkdir -p %{buildroot}/%{_sbindir}
 mkdir -p %{buildroot}/%{_mandir}/man8
 mkdir -p %{buildroot}/etc/ca-certificates/update.d
-install -m 644 /dev/null %{buildroot}/%{cabundle}
+mkdir -p %{buildroot}%{_prefix}/lib/ca-certificates/update.d
+install -D -m 644 /dev/null %{buildroot}/%{cabundle}
 install -m 644 /dev/null %{buildroot}/etc/ca-certificates.conf
-# TODO: we should put our distros scripts in /usr really
-install -m 755 %{SOURCE3} %{buildroot}/etc/ca-certificates/update.d
+install -m 755 %{SOURCE3} %{buildroot}%{_prefix}/lib/ca-certificates/update.d
+ln -s %{cabundle} %{buildroot}%{ssletcdir}/ca-bundle.pem
 
 install -m 755 update-ca-certificates %{buildroot}/%{_sbindir}
 install -m 644 update-ca-certificates.8 %{buildroot}/%{_mandir}/man8
 
 %post
+# this is just needed for those updating Factory,
+# can be removed before 11.3
+if [ "$1" -ge 1 ]; then
+  rm -f /etc/ca-certificates/update.d/certbundle.run
+fi
 # force rebuilding all certificate stores.
 # This also makes sure we update the hash links in /etc/ssl/certs
 # as openssl changed the hash format between 0.9.8 and 1.0
@@ -84,10 +90,14 @@ rm -rf %{buildroot}
 %dir %{etccadir}
 %doc COPYING
 %ghost %config(noreplace) /etc/ca-certificates.conf
+%{ssletcdir}/ca-bundle.pem
 %ghost %{cabundle}
 %dir /etc/ca-certificates
 %dir /etc/ca-certificates/update.d
-/etc/ca-certificates/update.d/*
+%dir %{_prefix}/lib/ca-certificates
+%dir %{_prefix}/lib/ca-certificates/update.d
+%dir /var/lib/ca-certificates
+%{_prefix}/lib/ca-certificates/update.d/*
 %{_sbindir}/update-ca-certificates
 %{_mandir}/man8/update-ca-certificates.8*
 
diff --git a/certbundle.run b/certbundle.run
index df59aae..0dd892d 100644
--- a/certbundle.run
+++ b/certbundle.run
@@ -3,7 +3,7 @@
 
 shopt -s nullglob
 
-cafile="/etc/ssl/ca-bundle.pem"
+cafile="/var/lib/ca-certificates/ca-bundle.pem"
 cadir="/etc/ssl/certs"
 
 for i in "$@"; do
diff --git a/update-ca-certificates b/update-ca-certificates
index 463008e..2279c2a 100644
--- a/update-ca-certificates
+++ b/update-ca-certificates
@@ -30,7 +30,8 @@ use File::Find;
 use Getopt::Long;
 
 my $certsconf = '/etc/ca-certificates.conf';
-my $hooksdir = '/etc/ca-certificates/update.d';
+my $hooksdir1 = '/etc/ca-certificates/update.d';
+my $hooksdir2 = '/usr/lib/ca-certificates/update.d';
 my $certsdir = "/usr/share/ca-certificates";
 my $localcertsdir = "/usr/local/share/ca-certificates";
 my $etccertsdir = "/etc/ssl/certs";
@@ -167,7 +168,7 @@ if (%added || %removed || $opt_fresh) {
 	my @args;
 	push @args, '-f' if $opt_fresh;
 	push @args, '-v' if $opt_verbose;
-	for my $f (glob "$hooksdir/*.run") {
+	for my $f (glob("$hooksdir2/*.run"), glob("$hooksdir1/*.run")) {
 		system($f, @args);
 	}
 }
diff --git a/update-ca-certificates.8 b/update-ca-certificates.8
index 78a8d66..694eb6b 100644
--- a/update-ca-certificates.8
+++ b/update-ca-certificates.8
@@ -2,7 +2,7 @@
 .\" First parameter, NAME, should be all caps
 .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
 .\" other parameters are allowed: see man(7), man(1)
-.TH UPDATE-CA-CERTIFICATES 8 "08 April 2010"
+.TH UPDATE-CA-CERTIFICATES 8 "27 April 2010"
 .\" Please adjust this date whenever revising the manpage.
 .\"
 .\" Some roff macros, for reference:
@@ -16,7 +16,7 @@
 .\" .sp <n>    insert n+1 empty lines
 .\" for manpage-specific macros, see man(7)
 .SH NAME
-update-ca-certificates \- update /etc/ssl/certs and ca-bundle.pem
+update-ca-certificates \- update system CA certificates
 .SH SYNOPSIS
 .B update-ca-certificates
 .RI [ options ]
@@ -35,8 +35,8 @@ trusted if no trusted certificates are listed.
 Furthermore all certificates found below /usr/local/share/ca-certificates
 are also included as implicitly trusted.
 .PP
-After populating /etc/ssl/certs and creating /etc/ssl/ca-bundle.pem
-\fBupdate-ca-certificates\fP invokes custom hooks in
+After populating /etc/ssl/certs \fBupdate-ca-certificates\fP invokes
+custom hooks in /usr/lib/ca-certificates/update.d/*.run and
 /etc/ca-certificates/update.d/*.run. The command line options used
 for invoking update-ca-certificates are passed to the hooks as well.
 .SH OPTIONS