-rw-r--r--ObsoleteFiles.inc38
-rw-r--r--UPDATING4
-rw-r--r--etc/mtree/BSD.usr.dist4
-rw-r--r--secure/caroot/Makefile2
-rw-r--r--secure/caroot/README4
-rw-r--r--secure/caroot/blacklisted/Makefile9
-rw-r--r--secure/caroot/untrusted/AddTrust_External_Root.pem (renamed from secure/caroot/blacklisted/AddTrust_External_Root.pem)0
-rw-r--r--secure/caroot/untrusted/AddTrust_Low-Value_Services_Root.pem (renamed from secure/caroot/blacklisted/AddTrust_Low-Value_Services_Root.pem)0
-rw-r--r--secure/caroot/untrusted/Camerfirma_Chambers_of_Commerce_Root.pem (renamed from secure/caroot/blacklisted/Camerfirma_Chambers_of_Commerce_Root.pem)0
-rw-r--r--secure/caroot/untrusted/Camerfirma_Global_Chambersign_Root.pem (renamed from secure/caroot/blacklisted/Camerfirma_Global_Chambersign_Root.pem)0
-rw-r--r--secure/caroot/untrusted/Certum_Root_CA.pem (renamed from secure/caroot/blacklisted/Certum_Root_CA.pem)0
-rw-r--r--secure/caroot/untrusted/Chambers_of_Commerce_Root_-_2008.pem (renamed from secure/caroot/blacklisted/Chambers_of_Commerce_Root_-_2008.pem)0
-rw-r--r--secure/caroot/untrusted/D-TRUST_Root_CA_3_2013.pem (renamed from secure/caroot/blacklisted/D-TRUST_Root_CA_3_2013.pem)0
-rw-r--r--secure/caroot/untrusted/EC-ACC.pem (renamed from secure/caroot/blacklisted/EC-ACC.pem)0
-rw-r--r--secure/caroot/untrusted/EE_Certification_Centre_Root_CA.pem (renamed from secure/caroot/blacklisted/EE_Certification_Centre_Root_CA.pem)0
-rw-r--r--secure/caroot/untrusted/GeoTrust_Global_CA.pem (renamed from secure/caroot/blacklisted/GeoTrust_Global_CA.pem)0
-rw-r--r--secure/caroot/untrusted/GeoTrust_Primary_Certification_Authority.pem (renamed from secure/caroot/blacklisted/GeoTrust_Primary_Certification_Authority.pem)0
-rw-r--r--secure/caroot/untrusted/GeoTrust_Primary_Certification_Authority_-_G2.pem (renamed from secure/caroot/blacklisted/GeoTrust_Primary_Certification_Authority_-_G2.pem)0
-rw-r--r--secure/caroot/untrusted/GeoTrust_Primary_Certification_Authority_-_G3.pem (renamed from secure/caroot/blacklisted/GeoTrust_Primary_Certification_Authority_-_G3.pem)0
-rw-r--r--secure/caroot/untrusted/GeoTrust_Universal_CA.pem (renamed from secure/caroot/blacklisted/GeoTrust_Universal_CA.pem)0
-rw-r--r--secure/caroot/untrusted/GeoTrust_Universal_CA_2.pem (renamed from secure/caroot/blacklisted/GeoTrust_Universal_CA_2.pem)0
-rw-r--r--secure/caroot/untrusted/Global_Chambersign_Root_-_2008.pem (renamed from secure/caroot/blacklisted/Global_Chambersign_Root_-_2008.pem)0
-rw-r--r--secure/caroot/untrusted/LuxTrust_Global_Root_2.pem (renamed from secure/caroot/blacklisted/LuxTrust_Global_Root_2.pem)0
-rw-r--r--secure/caroot/untrusted/Makefile9
-rw-r--r--secure/caroot/untrusted/OISTE_WISeKey_Global_Root_GA_CA.pem (renamed from secure/caroot/blacklisted/OISTE_WISeKey_Global_Root_GA_CA.pem)0
-rw-r--r--secure/caroot/untrusted/Staat_der_Nederlanden_Root_CA_-_G2.pem (renamed from secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G2.pem)0
-rw-r--r--secure/caroot/untrusted/Staat_der_Nederlanden_Root_CA_-_G3.pem (renamed from secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G3.pem)0
-rw-r--r--secure/caroot/untrusted/SwissSign_Platinum_CA_-_G2.pem (renamed from secure/caroot/blacklisted/SwissSign_Platinum_CA_-_G2.pem)0
-rw-r--r--secure/caroot/untrusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem (renamed from secure/caroot/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem)0
-rw-r--r--secure/caroot/untrusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem (renamed from secure/caroot/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem)0
-rw-r--r--secure/caroot/untrusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem (renamed from secure/caroot/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem)0
-rw-r--r--secure/caroot/untrusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem (renamed from secure/caroot/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem)0
-rw-r--r--secure/caroot/untrusted/Taiwan_GRCA.pem (renamed from secure/caroot/blacklisted/Taiwan_GRCA.pem)0
-rw-r--r--secure/caroot/untrusted/Trustis_FPS_Root_CA.pem (renamed from secure/caroot/blacklisted/Trustis_FPS_Root_CA.pem)0
-rw-r--r--secure/caroot/untrusted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem (renamed from secure/caroot/blacklisted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem)0
-rw-r--r--secure/caroot/untrusted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem (renamed from secure/caroot/blacklisted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem)0
-rw-r--r--secure/caroot/untrusted/VeriSign_Universal_Root_Certification_Authority.pem (renamed from secure/caroot/blacklisted/VeriSign_Universal_Root_Certification_Authority.pem)0
-rw-r--r--secure/caroot/untrusted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem (renamed from secure/caroot/blacklisted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem)0
-rw-r--r--secure/caroot/untrusted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem (renamed from secure/caroot/blacklisted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem)0
-rw-r--r--secure/caroot/untrusted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem (renamed from secure/caroot/blacklisted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem)0
-rw-r--r--secure/caroot/untrusted/thawte_Primary_Root_CA.pem (renamed from secure/caroot/blacklisted/thawte_Primary_Root_CA.pem)0
-rw-r--r--secure/caroot/untrusted/thawte_Primary_Root_CA_-_G2.pem (renamed from secure/caroot/blacklisted/thawte_Primary_Root_CA_-_G2.pem)0
-rw-r--r--secure/caroot/untrusted/thawte_Primary_Root_CA_-_G3.pem (renamed from secure/caroot/blacklisted/thawte_Primary_Root_CA_-_G3.pem)0
-rw-r--r--usr.sbin/certctl/certctl.847
-rwxr-xr-xusr.sbin/certctl/certctl.sh73
-rwxr-xr-xusr.sbin/etcupdate/etcupdate.sh2
-rwxr-xr-xusr.sbin/mergemaster/mergemaster.sh2
47 files changed, 120 insertions, 74 deletions
diff --git a/ObsoleteFiles.inc b/ObsoleteFiles.inc
index 3802307d7761..468d967efdcc 100644
--- a/ObsoleteFiles.inc
+++ b/ObsoleteFiles.inc
@@ -44,6 +44,44 @@
OLD_FILES+=usr/share/man/man9/crypto_cursor_segbase.9.gz
OLD_FILES+=usr/share/man/man9/crypto_cursor_seglen.9.gz
+# 20210618: rename of usr/share/certs/blacklisted
+OLD_FILES+=usr/share/certs/blacklisted/AddTrust_External_Root.pem
+OLD_FILES+=usr/share/certs/blacklisted/AddTrust_Low-Value_Services_Root.pem
+OLD_FILES+=usr/share/certs/blacklisted/Camerfirma_Chambers_of_Commerce_Root.pem
+OLD_FILES+=usr/share/certs/blacklisted/Camerfirma_Global_Chambersign_Root.pem
+OLD_FILES+=usr/share/certs/blacklisted/Certum_Root_CA.pem
+OLD_FILES+=usr/share/certs/blacklisted/Chambers_of_Commerce_Root_-_2008.pem
+OLD_FILES+=usr/share/certs/blacklisted/D-TRUST_Root_CA_3_2013.pem
+OLD_FILES+=usr/share/certs/blacklisted/EC-ACC.pem
+OLD_FILES+=usr/share/certs/blacklisted/EE_Certification_Centre_Root_CA.pem
+OLD_FILES+=usr/share/certs/blacklisted/GeoTrust_Global_CA.pem
+OLD_FILES+=usr/share/certs/blacklisted/GeoTrust_Primary_Certification_Authority_-_G2.pem
+OLD_FILES+=usr/share/certs/blacklisted/GeoTrust_Primary_Certification_Authority_-_G3.pem
+OLD_FILES+=usr/share/certs/blacklisted/GeoTrust_Primary_Certification_Authority.pem
+OLD_FILES+=usr/share/certs/blacklisted/GeoTrust_Universal_CA_2.pem
+OLD_FILES+=usr/share/certs/blacklisted/GeoTrust_Universal_CA.pem
+OLD_FILES+=usr/share/certs/blacklisted/Global_Chambersign_Root_-_2008.pem
+OLD_FILES+=usr/share/certs/blacklisted/LuxTrust_Global_Root_2.pem
+OLD_FILES+=usr/share/certs/blacklisted/OISTE_WISeKey_Global_Root_GA_CA.pem
+OLD_FILES+=usr/share/certs/blacklisted/Staat_der_Nederlanden_Root_CA_-_G2.pem
+OLD_FILES+=usr/share/certs/blacklisted/Staat_der_Nederlanden_Root_CA_-_G3.pem
+OLD_FILES+=usr/share/certs/blacklisted/SwissSign_Platinum_CA_-_G2.pem
+OLD_FILES+=usr/share/certs/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem
+OLD_FILES+=usr/share/certs/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem
+OLD_FILES+=usr/share/certs/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem
+OLD_FILES+=usr/share/certs/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem
+OLD_FILES+=usr/share/certs/blacklisted/Taiwan_GRCA.pem
+OLD_FILES+=usr/share/certs/blacklisted/thawte_Primary_Root_CA_-_G2.pem
+OLD_FILES+=usr/share/certs/blacklisted/thawte_Primary_Root_CA_-_G3.pem
+OLD_FILES+=usr/share/certs/blacklisted/thawte_Primary_Root_CA.pem
+OLD_FILES+=usr/share/certs/blacklisted/Trustis_FPS_Root_CA.pem
+OLD_FILES+=usr/share/certs/blacklisted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem
+OLD_FILES+=usr/share/certs/blacklisted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem
+OLD_FILES+=usr/share/certs/blacklisted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem
+OLD_FILES+=usr/share/certs/blacklisted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem
+OLD_FILES+=usr/share/certs/blacklisted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem
+OLD_FILES+=usr/share/certs/blacklisted/VeriSign_Universal_Root_Certification_Authority.pem
+OLD_DIRS+=usr/share/certs/blacklisted
# 20210613: new clang import which bumps version from 11.0.1 to 12.0.0.
OLD_FILES+=usr/lib/clang/11.0.1/include/cuda_wrappers/algorithm
OLD_FILES+=usr/lib/clang/11.0.1/include/cuda_wrappers/complex
diff --git a/UPDATING b/UPDATING
index 8b4d4a4820f6..61c428bf1af0 100644
--- a/UPDATING
+++ b/UPDATING
@@ -27,6 +27,10 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 14.x IS SLOW:
world, or to merely disable the most expensive debugging functionality
at runtime, run "ln -s 'abort:false,junk:false' /etc/malloc.conf".)
+202106xx:
+ The directory "blacklisted" under /usr/share/certs/ has been
+ renamed to "untrusted".
+
20210611:
svnlite has been removed from base. Should you need svn for any reason
please install the svn package or port.
diff --git a/etc/mtree/BSD.usr.dist b/etc/mtree/BSD.usr.dist
index a4a247b7eefd..2bdb65f7b2ab 100644
--- a/etc/mtree/BSD.usr.dist
+++ b/etc/mtree/BSD.usr.dist
@@ -205,10 +205,10 @@
..
..
certs
- blacklisted tags=package=caroot
- ..
trusted tags=package=caroot
..
+ untrusted tags=package=caroot
+ ..
..
dict
..
diff --git a/secure/caroot/Makefile b/secure/caroot/Makefile
index 50f92ecc6542..c685c5f6cc7a 100644
--- a/secure/caroot/Makefile
+++ b/secure/caroot/Makefile
@@ -3,7 +3,7 @@
CLEANFILES+= certdata.txt
SUBDIR+= trusted
-SUBDIR+= blacklisted
+SUBDIR+= untrusted
.include <bsd.obj.mk>
diff --git a/secure/caroot/README b/secure/caroot/README
index 9a4fc0320e2a..1e123080559e 100644
--- a/secure/caroot/README
+++ b/secure/caroot/README
@@ -14,8 +14,8 @@ It will:
Then the results should manually be inspected (svn status)
1) Any no-longer-trusted certificates should be moved to the
- blacklisted directory (svn mv)
- 2) any newly added certificates will need to be added (svn add)
+ untrusted directory (git mv)
+ 2) any newly added certificates will need to be added (git add)
The following make targets exist:
diff --git a/secure/caroot/blacklisted/Makefile b/secure/caroot/blacklisted/Makefile
deleted file mode 100644
index b7ccfbe88c03..000000000000
--- a/secure/caroot/blacklisted/Makefile
+++ /dev/null
@@ -1,9 +0,0 @@
-# $FreeBSD$
-
-BINDIR= /usr/share/certs/blacklisted
-
-BLACKLISTED_CERTS!= echo ${.CURDIR}/*.pem 2> /dev/null || true
-
-FILES+= ${BLACKLISTED_CERTS}
-
-.include <bsd.prog.mk>
diff --git a/secure/caroot/blacklisted/AddTrust_External_Root.pem b/secure/caroot/untrusted/AddTrust_External_Root.pem
index 701bc7bce072..701bc7bce072 100644
--- a/secure/caroot/blacklisted/AddTrust_External_Root.pem
+++ b/secure/caroot/untrusted/AddTrust_External_Root.pem
diff --git a/secure/caroot/blacklisted/AddTrust_Low-Value_Services_Root.pem b/secure/caroot/untrusted/AddTrust_Low-Value_Services_Root.pem
index 0595db909a49..0595db909a49 100644
--- a/secure/caroot/blacklisted/AddTrust_Low-Value_Services_Root.pem
+++ b/secure/caroot/untrusted/AddTrust_Low-Value_Services_Root.pem
diff --git a/secure/caroot/blacklisted/Camerfirma_Chambers_of_Commerce_Root.pem b/secure/caroot/untrusted/Camerfirma_Chambers_of_Commerce_Root.pem
index cf7de6cc122b..cf7de6cc122b 100644
--- a/secure/caroot/blacklisted/Camerfirma_Chambers_of_Commerce_Root.pem
+++ b/secure/caroot/untrusted/Camerfirma_Chambers_of_Commerce_Root.pem
diff --git a/secure/caroot/blacklisted/Camerfirma_Global_Chambersign_Root.pem b/secure/caroot/untrusted/Camerfirma_Global_Chambersign_Root.pem
index b1fa96bc405e..b1fa96bc405e 100644
--- a/secure/caroot/blacklisted/Camerfirma_Global_Chambersign_Root.pem
+++ b/secure/caroot/untrusted/Camerfirma_Global_Chambersign_Root.pem
diff --git a/secure/caroot/blacklisted/Certum_Root_CA.pem b/secure/caroot/untrusted/Certum_Root_CA.pem
index f815c49ddae0..f815c49ddae0 100644
--- a/secure/caroot/blacklisted/Certum_Root_CA.pem
+++ b/secure/caroot/untrusted/Certum_Root_CA.pem
diff --git a/secure/caroot/blacklisted/Chambers_of_Commerce_Root_-_2008.pem b/secure/caroot/untrusted/Chambers_of_Commerce_Root_-_2008.pem
index 1e3864180a66..1e3864180a66 100644
--- a/secure/caroot/blacklisted/Chambers_of_Commerce_Root_-_2008.pem
+++ b/secure/caroot/untrusted/Chambers_of_Commerce_Root_-_2008.pem
diff --git a/secure/caroot/blacklisted/D-TRUST_Root_CA_3_2013.pem b/secure/caroot/untrusted/D-TRUST_Root_CA_3_2013.pem
index debf7b30c2ef..debf7b30c2ef 100644
--- a/secure/caroot/blacklisted/D-TRUST_Root_CA_3_2013.pem
+++ b/secure/caroot/untrusted/D-TRUST_Root_CA_3_2013.pem
diff --git a/secure/caroot/blacklisted/EC-ACC.pem b/secure/caroot/untrusted/EC-ACC.pem
index a4b43b39414b..a4b43b39414b 100644
--- a/secure/caroot/blacklisted/EC-ACC.pem
+++ b/secure/caroot/untrusted/EC-ACC.pem
diff --git a/secure/caroot/blacklisted/EE_Certification_Centre_Root_CA.pem b/secure/caroot/untrusted/EE_Certification_Centre_Root_CA.pem
index 2fa258f19ee8..2fa258f19ee8 100644
--- a/secure/caroot/blacklisted/EE_Certification_Centre_Root_CA.pem
+++ b/secure/caroot/untrusted/EE_Certification_Centre_Root_CA.pem
diff --git a/secure/caroot/blacklisted/GeoTrust_Global_CA.pem b/secure/caroot/untrusted/GeoTrust_Global_CA.pem
index 49934ff8c673..49934ff8c673 100644
--- a/secure/caroot/blacklisted/GeoTrust_Global_CA.pem
+++ b/secure/caroot/untrusted/GeoTrust_Global_CA.pem
diff --git a/secure/caroot/blacklisted/GeoTrust_Primary_Certification_Authority.pem b/secure/caroot/untrusted/GeoTrust_Primary_Certification_Authority.pem
index 91907ba216f0..91907ba216f0 100644
--- a/secure/caroot/blacklisted/GeoTrust_Primary_Certification_Authority.pem
+++ b/secure/caroot/untrusted/GeoTrust_Primary_Certification_Authority.pem
diff --git a/secure/caroot/blacklisted/GeoTrust_Primary_Certification_Authority_-_G2.pem b/secure/caroot/untrusted/GeoTrust_Primary_Certification_Authority_-_G2.pem
index b03758a63c98..b03758a63c98 100644
--- a/secure/caroot/blacklisted/GeoTrust_Primary_Certification_Authority_-_G2.pem
+++ b/secure/caroot/untrusted/GeoTrust_Primary_Certification_Authority_-_G2.pem
diff --git a/secure/caroot/blacklisted/GeoTrust_Primary_Certification_Authority_-_G3.pem b/secure/caroot/untrusted/GeoTrust_Primary_Certification_Authority_-_G3.pem
index 2d127e574a0e..2d127e574a0e 100644
--- a/secure/caroot/blacklisted/GeoTrust_Primary_Certification_Authority_-_G3.pem
+++ b/secure/caroot/untrusted/GeoTrust_Primary_Certification_Authority_-_G3.pem
diff --git a/secure/caroot/blacklisted/GeoTrust_Universal_CA.pem b/secure/caroot/untrusted/GeoTrust_Universal_CA.pem
index 021d3dd07b38..021d3dd07b38 100644
--- a/secure/caroot/blacklisted/GeoTrust_Universal_CA.pem
+++ b/secure/caroot/untrusted/GeoTrust_Universal_CA.pem
diff --git a/secure/caroot/blacklisted/GeoTrust_Universal_CA_2.pem b/secure/caroot/untrusted/GeoTrust_Universal_CA_2.pem
index 3ad5dfa8a1ac..3ad5dfa8a1ac 100644
--- a/secure/caroot/blacklisted/GeoTrust_Universal_CA_2.pem
+++ b/secure/caroot/untrusted/GeoTrust_Universal_CA_2.pem
diff --git a/secure/caroot/blacklisted/Global_Chambersign_Root_-_2008.pem b/secure/caroot/untrusted/Global_Chambersign_Root_-_2008.pem
index cd9bebaf8c0f..cd9bebaf8c0f 100644
--- a/secure/caroot/blacklisted/Global_Chambersign_Root_-_2008.pem
+++ b/secure/caroot/untrusted/Global_Chambersign_Root_-_2008.pem
diff --git a/secure/caroot/blacklisted/LuxTrust_Global_Root_2.pem b/secure/caroot/untrusted/LuxTrust_Global_Root_2.pem
index 9b1aa35e7037..9b1aa35e7037 100644
--- a/secure/caroot/blacklisted/LuxTrust_Global_Root_2.pem
+++ b/secure/caroot/untrusted/LuxTrust_Global_Root_2.pem
diff --git a/secure/caroot/untrusted/Makefile b/secure/caroot/untrusted/Makefile
new file mode 100644
index 000000000000..e988841071d2
--- /dev/null
+++ b/secure/caroot/untrusted/Makefile
@@ -0,0 +1,9 @@
+# $FreeBSD$
+
+BINDIR= /usr/share/certs/untrusted
+
+UNTRUSTED_CERTS!= echo ${.CURDIR}/*.pem 2> /dev/null || true
+
+FILES+= ${UNTRUSTED_CERTS}
+
+.include <bsd.prog.mk>
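Review bot: The `2> /dev/null || true` on the `UNTRUSTED_CERTS!=` line guards nothing, because `echo` succeeds whether or not the glob matches; with no `.pem` file in the directory the shell leaves the pattern unexpanded and `FILES` receives the literal `${.CURDIR}/*.pem`. A short comment would tell the next maintainer what to expect, for example `# An unmatched glob leaves a literal *.pem in FILES; this directory is expected to hold at least one certificate.` If an empty untrusted set is ever meant to be a valid state, the assignment needs to filter that literal out rather than rely on the redirect.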
diff --git a/secure/caroot/blacklisted/OISTE_WISeKey_Global_Root_GA_CA.pem b/secure/caroot/untrusted/OISTE_WISeKey_Global_Root_GA_CA.pem
index 08ea553a9e80..08ea553a9e80 100644
--- a/secure/caroot/blacklisted/OISTE_WISeKey_Global_Root_GA_CA.pem
+++ b/secure/caroot/untrusted/OISTE_WISeKey_Global_Root_GA_CA.pem
diff --git a/secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G2.pem b/secure/caroot/untrusted/Staat_der_Nederlanden_Root_CA_-_G2.pem
index 2f36eaed33af..2f36eaed33af 100644
--- a/secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G2.pem
+++ b/secure/caroot/untrusted/Staat_der_Nederlanden_Root_CA_-_G2.pem
diff --git a/secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G3.pem b/secure/caroot/untrusted/Staat_der_Nederlanden_Root_CA_-_G3.pem
index 14a79c4c3e24..14a79c4c3e24 100644
--- a/secure/caroot/blacklisted/Staat_der_Nederlanden_Root_CA_-_G3.pem
+++ b/secure/caroot/untrusted/Staat_der_Nederlanden_Root_CA_-_G3.pem
diff --git a/secure/caroot/blacklisted/SwissSign_Platinum_CA_-_G2.pem b/secure/caroot/untrusted/SwissSign_Platinum_CA_-_G2.pem
index f4678f629684..f4678f629684 100644
--- a/secure/caroot/blacklisted/SwissSign_Platinum_CA_-_G2.pem
+++ b/secure/caroot/untrusted/SwissSign_Platinum_CA_-_G2.pem
diff --git a/secure/caroot/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem b/secure/caroot/untrusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem
index ffac924e93ac..ffac924e93ac 100644
--- a/secure/caroot/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem
+++ b/secure/caroot/untrusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G4.pem
diff --git a/secure/caroot/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem b/secure/caroot/untrusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem
index 019c97a13d34..019c97a13d34 100644
--- a/secure/caroot/blacklisted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem
+++ b/secure/caroot/untrusted/Symantec_Class_1_Public_Primary_Certification_Authority_-_G6.pem
diff --git a/secure/caroot/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem b/secure/caroot/untrusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem
index 97c6caf2b862..97c6caf2b862 100644
--- a/secure/caroot/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem
+++ b/secure/caroot/untrusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G4.pem
diff --git a/secure/caroot/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem b/secure/caroot/untrusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem
index df9468c1249e..df9468c1249e 100644
--- a/secure/caroot/blacklisted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem
+++ b/secure/caroot/untrusted/Symantec_Class_2_Public_Primary_Certification_Authority_-_G6.pem
diff --git a/secure/caroot/blacklisted/Taiwan_GRCA.pem b/secure/caroot/untrusted/Taiwan_GRCA.pem
index 1d7bf6ad8ce9..1d7bf6ad8ce9 100644
--- a/secure/caroot/blacklisted/Taiwan_GRCA.pem
+++ b/secure/caroot/untrusted/Taiwan_GRCA.pem
diff --git a/secure/caroot/blacklisted/Trustis_FPS_Root_CA.pem b/secure/caroot/untrusted/Trustis_FPS_Root_CA.pem
index 476ba64dfd63..476ba64dfd63 100644
--- a/secure/caroot/blacklisted/Trustis_FPS_Root_CA.pem
+++ b/secure/caroot/untrusted/Trustis_FPS_Root_CA.pem
diff --git a/secure/caroot/blacklisted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem b/secure/caroot/untrusted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem
index cd10cc02f295..cd10cc02f295 100644
--- a/secure/caroot/blacklisted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem
+++ b/secure/caroot/untrusted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.pem
diff --git a/secure/caroot/blacklisted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem b/secure/caroot/untrusted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem
index 75bf34ee90f2..75bf34ee90f2 100644
--- a/secure/caroot/blacklisted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem
+++ b/secure/caroot/untrusted/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.pem
diff --git a/secure/caroot/blacklisted/VeriSign_Universal_Root_Certification_Authority.pem b/secure/caroot/untrusted/VeriSign_Universal_Root_Certification_Authority.pem
index 353f709ad531..353f709ad531 100644
--- a/secure/caroot/blacklisted/VeriSign_Universal_Root_Certification_Authority.pem
+++ b/secure/caroot/untrusted/VeriSign_Universal_Root_Certification_Authority.pem
diff --git a/secure/caroot/blacklisted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem b/secure/caroot/untrusted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem
index d060de75b329..d060de75b329 100644
--- a/secure/caroot/blacklisted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem
+++ b/secure/caroot/untrusted/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem
diff --git a/secure/caroot/blacklisted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem b/secure/caroot/untrusted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem
index 89400caf7eb6..89400caf7eb6 100644
--- a/secure/caroot/blacklisted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem
+++ b/secure/caroot/untrusted/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.pem
diff --git a/secure/caroot/blacklisted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem b/secure/caroot/untrusted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem
index 823fcd0b4e9d..823fcd0b4e9d 100644
--- a/secure/caroot/blacklisted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem
+++ b/secure/caroot/untrusted/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.pem
diff --git a/secure/caroot/blacklisted/thawte_Primary_Root_CA.pem b/secure/caroot/untrusted/thawte_Primary_Root_CA.pem
index 087274ba4c19..087274ba4c19 100644
--- a/secure/caroot/blacklisted/thawte_Primary_Root_CA.pem
+++ b/secure/caroot/untrusted/thawte_Primary_Root_CA.pem
diff --git a/secure/caroot/blacklisted/thawte_Primary_Root_CA_-_G2.pem b/secure/caroot/untrusted/thawte_Primary_Root_CA_-_G2.pem
index 0abe25c5f88c..0abe25c5f88c 100644
--- a/secure/caroot/blacklisted/thawte_Primary_Root_CA_-_G2.pem
+++ b/secure/caroot/untrusted/thawte_Primary_Root_CA_-_G2.pem
diff --git a/secure/caroot/blacklisted/thawte_Primary_Root_CA_-_G3.pem b/secure/caroot/untrusted/thawte_Primary_Root_CA_-_G3.pem
index c877ca070321..c877ca070321 100644
--- a/secure/caroot/blacklisted/thawte_Primary_Root_CA_-_G3.pem
+++ b/secure/caroot/untrusted/thawte_Primary_Root_CA_-_G3.pem
diff --git a/usr.sbin/certctl/certctl.8 b/usr.sbin/certctl/certctl.8
index 8ca2cd37dee5..9af2adaba757 100644
--- a/usr.sbin/certctl/certctl.8
+++ b/usr.sbin/certctl/certctl.8
@@ -26,19 +26,19 @@
.\"
.\" $FreeBSD$
.\"
-.Dd January 7, 2021
+.Dd June 18, 2021
.Dt CERTCTL 8
.Os
.Sh NAME
.Nm certctl
-.Nd "tool for managing trusted and blacklist TLS certificates"
+.Nd "tool for managing trusted and untrusted TLS certificates"
.Sh SYNOPSIS
.Nm
.Op Fl v
.Ic list
.Nm
.Op Fl v
-.Ic blacklisted
+.Ic untrusted
.Nm
.Op Fl nUv
.Op Fl D Ar destdir
@@ -46,10 +46,10 @@
.Ic rehash
.Nm
.Op Fl nv
-.Ic blacklist Ar file
+.Ic untrust Ar file
.Nm
.Op Fl nv
-.Ic unblacklist Ar file
+.Ic trust Ar file
.Sh DESCRIPTION
The
.Nm
@@ -72,28 +72,28 @@ Do record the ownership in the METALOG file.
.El
.Pp
Primary command functions:
-.Bl -tag -width blacklisted
+.Bl -tag -width untrusted
.It Ic list
List all currently trusted certificate authorities.
-.It Ic blacklisted
-List all currently blacklisted certificates.
+.It Ic untrusted
+List all currently untrusted certificates.
.It Ic rehash
Rebuild the list of trusted certificate authorities by scanning all directories
in
.Ev TRUSTPATH
-and all blacklisted certificates in
-.Ev BLACKLISTPATH .
+and all untrusted certificates in
+.Ev UNTRUSTPATH .
A symbolic link to each trusted certificate is placed in
.Ev CERTDESTDIR
-and each blacklisted certificate in
-.Ev BLACKLISTDESTDIR .
-.It Ic blacklist
-Add the specified file to the blacklist.
-.It Ic unblacklist
-Remove the specified file from the blacklist.
+and each untrusted certificate in
+.Ev UNTRUSTDESTDIR .
+.It Ic untrust
+Add the specified file to the untrusted list.
+.It Ic trust
+Remove the specified file from the untrusted list.
.El
.Sh ENVIRONMENT
-.Bl -tag -width BLACKLISTDESTDIR
+.Bl -tag -width UNTRUSTDESTDIR
.It Ev DESTDIR
Alternate destination directory to operate on.
.It Ev TRUSTPATH
@@ -101,19 +101,20 @@ List of paths to search for trusted certificates.
Default:
.Pa <DESTDIR>/usr/share/certs/trusted
.Pa <DESTDIR>/usr/local/share/certs <DESTDIR>/usr/local/etc/ssl/certs
-.It Ev BLACKLISTPATH
-List of paths to search for blacklisted certificates.
+.It Ev UNTRUSTPATH
+List of paths to search for untrusted certificates.
Default:
-.Pa <DESTDIR>/usr/share/certs/blacklisted
+.Pa <DESTDIR>/usr/share/certs/untrusted
+.Pa <DESTDIR>/usr/local/etc/ssl/untrusted
.Pa <DESTDIR>/usr/local/etc/ssl/blacklisted
.It Ev CERTDESTDIR
Destination directory for symbolic links to trusted certificates.
Default:
.Pa <DESTDIR>/etc/ssl/certs
-.It Ev BLACKLISTDESTDIR
-Destination directory for symbolic links to blacklisted certificates.
+.It Ev UNTRUSTDESTDIR
+Destination directory for symbolic links to untrusted certificates.
Default:
-.Pa <DESTDIR>/etc/ssl/blacklisted
+.Pa <DESTDIR>/etc/ssl/untrusted
.It Ev EXTENSIONS
List of file extensions to read as certificate files.
Default: *.pem *.crt *.cer *.crl *.0
diff --git a/usr.sbin/certctl/certctl.sh b/usr.sbin/certctl/certctl.sh
index 1a491cf3a047..327eaa6381a6 100755
--- a/usr.sbin/certctl/certctl.sh
+++ b/usr.sbin/certctl/certctl.sh
@@ -79,10 +79,10 @@ create_trusted_link()
hash=$( do_hash "$1" ) || return
certhash=$( openssl x509 -sha1 -in "$1" -noout -fingerprint )
- for blistfile in $(find $BLACKLISTDESTDIR -name "$hash.*"); do
+ for blistfile in $(find $UNTRUSTDESTDIR -name "$hash.*"); do
blisthash=$( openssl x509 -sha1 -in "$blistfile" -noout -fingerprint )
if [ "$certhash" = "$blisthash" ]; then
- echo "Skipping blacklisted certificate $1 ($blistfile)"
+ echo "Skipping untrusted certificate $1 ($blistfile)"
return 1
fi
done
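Review bot: `$(find $UNTRUSTDESTDIR -name "$hash.*")` in the `for` line expands the directory unquoted and then word-splits find's output, so a DESTDIR containing whitespace or glob characters makes the loop compare against the wrong paths and the untrusted match is missed; the function then presumably goes on to create the trusted link. Quoting the argument, `for blistfile in $(find "$UNTRUSTDESTDIR" -name "$hash.*"); do`, fixes the first half, while the splitting of the output remains unless the loop reads names line by line. The same pattern is in cmd_trust (hunk `@@ -223,16 +223,16 @@`), where `rm -f $BLISTEDFILE` is unquoted as well. create_trusted_link starts and ends outside this hunk.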
@@ -102,19 +102,19 @@ resolve_certname()
if [ -e "$1" ]; then
hash=$( do_hash "$1" ) || return
srcfile=$(realpath "$1")
- suffix=$(get_decimal "$BLACKLISTDESTDIR" "$hash")
+ suffix=$(get_decimal "$UNTRUSTDESTDIR" "$hash")
filename="$hash.$suffix"
echo "$srcfile" "$hash.$suffix"
elif [ -e "${CERTDESTDIR}/$1" ]; then
srcfile=$(realpath "${CERTDESTDIR}/$1")
hash=$(echo "$1" | sed -Ee 's/\.([0-9])+$//')
- suffix=$(get_decimal "$BLACKLISTDESTDIR" "$hash")
+ suffix=$(get_decimal "$UNTRUSTDESTDIR" "$hash")
filename="$hash.$suffix"
echo "$srcfile" "$hash.$suffix"
fi
}
-create_blacklisted()
+create_untrusted()
{
local srcfile filename
@@ -126,8 +126,8 @@ create_blacklisted()
return
fi
- [ $VERBOSE -gt 0 ] && echo "Adding $filename to blacklist"
- [ $NOOP -eq 0 ] && install ${INSTALLFLAGS} -lrs "$srcfile" "$BLACKLISTDESTDIR/$filename"
+ [ $VERBOSE -gt 0 ] && echo "Adding $filename to untrusted list"
+ [ $NOOP -eq 0 ] && install ${INSTALLFLAGS} -lrs "$srcfile" "$UNTRUSTDESTDIR/$filename"
}
do_scan()
@@ -185,14 +185,14 @@ cmd_rehash()
else
mkdir -p "$CERTDESTDIR"
fi
- if [ -e "$BLACKLISTDESTDIR" ]; then
- find "$BLACKLISTDESTDIR" -type link -delete
+ if [ -e "$UNTRUSTDESTDIR" ]; then
+ find "$UNTRUSTDESTDIR" -type link -delete
else
- mkdir -p "$BLACKLISTDESTDIR"
+ mkdir -p "$UNTRUSTDESTDIR"
fi
fi
- do_scan create_blacklisted "$BLACKLISTPATH"
+ do_scan create_untrusted "$UNTRUSTPATH"
do_scan create_trusted_link "$TRUSTPATH"
}
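Review bot: `find "$UNTRUSTDESTDIR" -type link -delete` spells the file type as a word, while find(1) documents single-letter types with `l` for symbolic links, so the cleanup depends on the implementation tolerating the extra characters. The documented spelling is `find "$UNTRUSTDESTDIR" -type l -delete`. The exit status of the cleanup is not checked in the visible lines, so if it fails the old links stay in place and the scan that follows adds to them instead of rebuilding the set. cmd_rehash starts outside the hunk, and the CERTDESTDIR branch above presumably uses the same spelling.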
@@ -202,19 +202,19 @@ cmd_list()
do_list "$CERTDESTDIR"
}
-cmd_blacklist()
+cmd_untrust()
{
local BPATH
shift # verb
- [ $NOOP -eq 0 ] && mkdir -p "$BLACKLISTDESTDIR"
+ [ $NOOP -eq 0 ] && mkdir -p "$UNTRUSTDESTDIR"
for BFILE in "$@"; do
- echo "Adding $BFILE to blacklist"
- create_blacklisted "$BFILE"
+ echo "Adding $BFILE to untrusted list"
+ create_untrusted "$BFILE"
done
}
-cmd_unblacklist()
+cmd_trust()
{
local BFILE blisthash certhash hash
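Review bot: cmd_untrust prints `Adding $BFILE to untrusted list` before calling create_untrusted and ignores its result, so the operator sees the same message whether or not a link was installed; the early `return` visible in create_untrusted (hunk `@@ -126,8 +126,8 @@`) suggests there is a path on which nothing is added. cmd_trust counts its not-found case in `ERRORS`, and this function should do the same, for instance by giving create_untrusted an explicit non-zero status on that path and calling it as `create_untrusted "$BFILE" || ERRORS=$(( $ERRORS + 1 ))`. For a distrust command a silent no-op is the worse failure mode, because the certificate stays eligible for the trusted set. `local BPATH` also declares a name the loop never uses, while `BFILE` is left global.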
@@ -223,16 +223,16 @@ cmd_unblacklist()
if [ -s "$BFILE" ]; then
hash=$( do_hash "$BFILE" )
certhash=$( openssl x509 -sha1 -in "$BFILE" -noout -fingerprint )
- for BLISTEDFILE in $(find $BLACKLISTDESTDIR -name "$hash.*"); do
+ for BLISTEDFILE in $(find $UNTRUSTDESTDIR -name "$hash.*"); do
blisthash=$( openssl x509 -sha1 -in "$BLISTEDFILE" -noout -fingerprint )
if [ "$certhash" = "$blisthash" ]; then
- echo "Removing $(basename "$BLISTEDFILE") from blacklist"
+ echo "Removing $(basename "$BLISTEDFILE") from untrusted list"
[ $NOOP -eq 0 ] && rm -f $BLISTEDFILE
fi
done
- elif [ -e "$BLACKLISTDESTDIR/$BFILE" ]; then
- echo "Removing $BFILE from blacklist"
- [ $NOOP -eq 0 ] && rm -f "$BLACKLISTDESTDIR/$BFILE"
+ elif [ -e "$UNTRUSTDESTDIR/$BFILE" ]; then
+ echo "Removing $BFILE from untrusted list"
+ [ $NOOP -eq 0 ] && rm -f "$UNTRUSTDESTDIR/$BFILE"
else
echo "Cannot find $BFILE" >&2
ERRORS=$(( $ERRORS + 1 ))
@@ -240,10 +240,10 @@ cmd_unblacklist()
done
}
-cmd_blacklisted()
+cmd_untrusted()
{
- echo "Listing Blacklisted Certificates:"
- do_list "$BLACKLISTDESTDIR"
+ echo "Listing Untrusted Certificates:"
+ do_list "$UNTRUSTDESTDIR"
}
usage()
@@ -252,14 +252,14 @@ usage()
echo "Manage the TLS trusted certificates on the system"
echo " $SCRIPTNAME [-v] list"
echo " List trusted certificates"
- echo " $SCRIPTNAME [-v] blacklisted"
- echo " List blacklisted certificates"
+ echo " $SCRIPTNAME [-v] untrusted"
+ echo " List untrusted certificates"
echo " $SCRIPTNAME [-nUv] [-D <destdir>] [-M <metalog>] rehash"
echo " Generate hash links for all certificates"
- echo " $SCRIPTNAME [-nv] blacklist <file>"
- echo " Add <file> to the list of blacklisted certificates"
- echo " $SCRIPTNAME [-nv] unblacklist <file>"
- echo " Remove <file> from the list of blacklisted certificates"
+ echo " $SCRIPTNAME [-nv] untrust <file>"
+ echo " Add <file> to the list of untrusted certificates"
+ echo " $SCRIPTNAME [-nv] trust <file>"
+ echo " Remove <file> from the list of untrusted certificates"
exit 64
}
@@ -281,17 +281,20 @@ INSTALLFLAGS=
[ $UNPRIV -eq 1 ] && INSTALLFLAGS="-U -M ${METALOG} -D ${DESTDIR}"
: ${LOCALBASE:=$(sysctl -n user.localbase)}
: ${TRUSTPATH:=${DESTDIR}/usr/share/certs/trusted:${DESTDIR}${LOCALBASE}/share/certs:${DESTDIR}${LOCALBASE}/etc/ssl/certs}
-: ${BLACKLISTPATH:=${DESTDIR}/usr/share/certs/blacklisted:${DESTDIR}${LOCALBASE}/etc/ssl/blacklisted}
+: ${UNTRUSTPATH:=${DESTDIR}/usr/share/certs/untrusted:${DESTDIR}${LOCALBASE}/etc/ssl/untrusted:${DESTDIR}${LOCALBASE}/etc/ssl/blacklisted}
: ${CERTDESTDIR:=${DESTDIR}/etc/ssl/certs}
-: ${BLACKLISTDESTDIR:=${DESTDIR}/etc/ssl/blacklisted}
+: ${UNTRUSTDESTDIR:=${DESTDIR}/etc/ssl/untrusted}
[ $# -gt 0 ] || usage
case "$1" in
list) cmd_list ;;
rehash) cmd_rehash ;;
-blacklist) cmd_blacklist "$@" ;;
-unblacklist) cmd_unblacklist "$@" ;;
-blacklisted) cmd_blacklisted ;;
+blacklist) cmd_untrust "$@" ;;
+untrust) cmd_untrust "$@" ;;
+trust) cmd_trust "$@" ;;
+unblacklist) cmd_trust "$@" ;;
+untrusted) cmd_untrusted ;;
+blacklisted) cmd_untrusted ;;
*) usage # NOTREACHED
esac
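Review bot: The `UNTRUSTPATH` and `UNTRUSTDESTDIR` defaults no longer look at `BLACKLISTPATH` or `BLACKLISTDESTDIR`, so an environment that still exports the old names is silently given the defaults and rehash runs against a different untrusted set than the operator configured. The verbs keep their old spellings in the `case` below and the path default keeps `${LOCALBASE}/etc/ssl/blacklisted`, but the variables get no such fallback. A fallback such as `: ${UNTRUSTDESTDIR:=${BLACKLISTDESTDIR:-${DESTDIR}/etc/ssl/untrusted}}` (and the equivalent for `UNTRUSTPATH`), or at least a warning on stderr when an old name is set, would keep the rename fail-safe. Links already present under `${DESTDIR}/etc/ssl/blacklisted` are likewise not consulted any more, as far as this diff shows.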
diff --git a/usr.sbin/etcupdate/etcupdate.sh b/usr.sbin/etcupdate/etcupdate.sh
index acfc601b93af..162a44059e3e 100755
--- a/usr.sbin/etcupdate/etcupdate.sh
+++ b/usr.sbin/etcupdate/etcupdate.sh
@@ -600,7 +600,7 @@ post_install_file()
NEWALIAS_WARN=yes
fi
;;
- /usr/share/certs/trusted/* | /usr/share/certs/blacklisted/*)
+ /usr/share/certs/trusted/* | /usr/share/certs/untrusted/*)
log "certctl rehash"
if [ -z "$dryrun" ]; then
env DESTDIR=${DESTDIR} certctl rehash >&3 2>&1
diff --git a/usr.sbin/mergemaster/mergemaster.sh b/usr.sbin/mergemaster/mergemaster.sh
index 7703e2856111..5b7a656c1cd9 100755
--- a/usr.sbin/mergemaster/mergemaster.sh
+++ b/usr.sbin/mergemaster/mergemaster.sh
@@ -884,7 +884,7 @@ mm_install () {
/etc/mail/aliases)
NEED_NEWALIASES=yes
;;
- /usr/share/certs/trusted/* | /usr/share/certs/blacklisted/*)
+ /usr/share/certs/trusted/* | /usr/share/certs/untrusted/*)
NEED_CERTCTL=yes
;;
/etc/login.conf)