diff --git a/ca-certificates.changes b/ca-certificates.changes
index e59455f..75e2aed 100644
--- a/ca-certificates.changes
+++ b/ca-certificates.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Aug  4 15:35:27 UTC 2014 - lnussel@suse.de
+
+- add p11 kit header to set label of migrated certificates to the
+  file name of the previous one (bnc#890205)
+
 -------------------------------------------------------------------
 Wed Jul 30 11:45:54 UTC 2014 - lnussel@suse.de
 
diff --git a/ca-certificates.spec b/ca-certificates.spec
index 395a5ca..cf78e85 100644
--- a/ca-certificates.spec
+++ b/ca-certificates.spec
@@ -99,7 +99,22 @@ if [ "$1" -ne 0 -a -d %{sslcerts} -a ! -L %{sslcerts} ]; then
 		read firstline < "$cert"
 		# skip package provided certificates (bnc#875647)
 		test "$firstline" != "# generated by openssl-certs, do not edit" || continue
-		cp -v -n "$cert" /etc/pki/trust/anchors/
+		# create a p11-kit header that set the label of
+		# the certificate to the file name. That ensures
+		# that the certificate gets the same name in
+		# /etc/ssl/certs as before
+		bn="${cert##*/}"
+		(
+		cat <<-EOF
+			# created by update-ca-certificates from
+			# /etc/ssl/certs/$bn
+			[p11-kit-object-v1]
+			class: certificate
+			label: "${bn%.pem}"
+			trusted: true
+		EOF
+		cat $cert
+		) > "/etc/pki/trust/$bn"
 	done
 fi