diff --git a/debian/NEWS b/debian/NEWS index 19c6f38..004cc16 100644 --- a/debian/NEWS +++ b/debian/NEWS @@ -1,3 +1,9 @@ +ca-certificates (20090701) unstable; urgency=low + + * Readded Equifax Secure Global eBusiness CA. + + -- Philipp Kern Wed, 01 Jul 2009 14:47:02 +0200 + ca-certificates (20090624) unstable; urgency=low * This update eases the installation of local certification authorities diff --git a/debian/changelog b/debian/changelog index 46f792f..a4d8a5f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,14 @@ +ca-certificates (20090701) unstable; urgency=low + + * Reactivated "Equifax Secure Global eBusiness CA". (Closes: #534674) + Rationale: The rogue collision CA has its validity period in the past. + Thus it does not impose a risk upon us at the moment. + * Restrict search for local certificates to add on files ending with '.crt'. + * Canonicalize PEM names by applying the same set of substitions to + local and other certificates like the Mozilla certdata dumper does. + + -- Philipp Kern Wed, 01 Jul 2009 14:50:00 +0200 + ca-certificates (20090624) unstable; urgency=low * Allow local certificate installation. All certificates found diff --git a/debian/config b/debian/config index dc97faa..afa7d29 100644 --- a/debian/config +++ b/debian/config @@ -5,7 +5,7 @@ set -e action="$1" cur_version="$2" -this_version='20090624' +this_version='20090701' pt_BR_fixed_version="20080616" if test -f /etc/ca-certificates.conf; then 
@@ -28,7 +28,7 @@ CERTS_AVAILABLE="" CERTS_ENABLED="" # CERTS_LIST: certs that will be installed -CERTS_LIST="mozilla/Entrust_Root_Certification_Authority.crt, mozilla/GeoTrust_Universal_CA.crt, mozilla/Verisign_Class_4_Public_Primary_Certification_Authority_-_G3.crt, mozilla/TC_TrustCenter__Germany__Class_2_CA.crt, mozilla/SwissSign_Gold_CA_-_G2.crt, mozilla/Digital_Signature_Trust_Co._Global_CA_2.crt, mozilla/GeoTrust_Universal_CA_2.crt, mozilla/ValiCert_Class_2_VA.crt, mozilla/Entrust.net_Premium_2048_Secure_Server_CA.crt, mozilla/Entrust.net_Secure_Server_CA.crt, mozilla/IPS_CLASEA3_root.crt, mozilla/thawte_Primary_Root_CA.crt, mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt, mozilla/StartCom_Certification_Authority.crt, mozilla/TURKTRUST_Certificate_Services_Provider_Root_2.crt, mozilla/QuoVadis_Root_CA_2.crt, mozilla/Staat_der_Nederlanden_Root_CA.crt, mozilla/Baltimore_CyberTrust_Root.crt, mozilla/UTN_DATACorp_SGC_Root_CA.crt, mozilla/Comodo_Secure_Services_root.crt, mozilla/WellsSecure_Public_Root_Certificate_Authority.crt, mozilla/NetLock_Qualified_=Class_QA=_Root.crt, mozilla/IPS_Servidores_root.crt, mozilla/AddTrust_Qualified_Certificates_Root.crt, mozilla/SwissSign_Platinum_CA_-_G2.crt, mozilla/Sonera_Class_1_Root_CA.crt, mozilla/IPS_Timestamping_root.crt, mozilla/XRamp_Global_CA_Root.crt, mozilla/Digital_Signature_Trust_Co._Global_CA_4.crt, mozilla/RSA_Security_2048_v3.crt, mozilla/DigiNotar_Root_CA.crt, mozilla/Secure_Global_CA.crt, mozilla/RSA_Root_Certificate_1.crt, mozilla/QuoVadis_Root_CA_3.crt, mozilla/Verisign_Time_Stamping_Authority_CA.crt, mozilla/Starfield_Class_2_CA.crt, mozilla/GlobalSign_Root_CA_-_R2.crt, mozilla/AOL_Time_Warner_Root_Certification_Authority_2.crt, mozilla/IPS_CLASE3_root.crt, mozilla/Visa_eCommerce_Root.crt, mozilla/Thawte_Personal_Freemail_CA.crt, mozilla/America_Online_Root_Certification_Authority_2.crt, mozilla/Digital_Signature_Trust_Co._Global_CA_1.crt, 
mozilla/beTRUSTed_Root_CA_-_Entrust_Implementation.crt, mozilla/NetLock_Business_=Class_B=_Root.crt, mozilla/Firmaprofesional_Root_CA.crt, mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt, mozilla/DigiCert_High_Assurance_EV_Root_CA.crt, mozilla/DST_ACES_CA_X6.crt, mozilla/COMODO_Certification_Authority.crt, mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G2.crt, mozilla/Entrust.net_Global_Secure_Personal_CA.crt, mozilla/IPS_CLASE1_root.crt, mozilla/beTRUSTed_Root_CA-Baltimore_Implementation.crt, mozilla/UTN_USERFirst_Hardware_Root_CA.crt, mozilla/RSA_Security_1024_v3.crt, mozilla/Certplus_Class_2_Primary_CA.crt, mozilla/Digital_Signature_Trust_Co._Global_CA_3.crt, mozilla/Visa_International_Global_Root_2.crt, mozilla/Entrust.net_Global_Secure_Server_CA.crt, mozilla/AddTrust_External_Root.crt, mozilla/Equifax_Secure_eBusiness_CA_1.crt, mozilla/DigiCert_Global_Root_CA.crt, mozilla/UTN-USER_First-Network_Applications.crt, mozilla/Verisign_Class_1_Public_Primary_Certification_Authority.crt, mozilla/SecureTrust_CA.crt, mozilla/Swisscom_Root_CA_1.crt, mozilla/Verisign_Class_2_Public_Primary_Certification_Authority.crt, mozilla/TDC_OCES_Root_CA.crt, mozilla/beTRUSTed_Root_CA_-_RSA_Implementation.crt, mozilla/Security_Communication_Root_CA.crt, mozilla/Verisign_Class_1_Public_Primary_Certification_Authority_-_G2.crt, mozilla/Camerfirma_Chambers_of_Commerce_Root.crt, mozilla/Comodo_AAA_Services_root.crt, mozilla/Thawte_Personal_Basic_CA.crt, mozilla/Go_Daddy_Class_2_CA.crt, mozilla/Equifax_Secure_eBusiness_CA_2.crt, mozilla/GlobalSign_Root_CA.crt, mozilla/AOL_Time_Warner_Root_Certification_Authority_1.crt, mozilla/Thawte_Premium_Server_CA.crt, mozilla/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.crt, mozilla/GTE_CyberTrust_Root_CA.crt, mozilla/Camerfirma_Global_Chambersign_Root.crt, mozilla/Sonera_Class_2_Root_CA.crt, mozilla/Comodo_Trusted_Services_root.crt, mozilla/QuoVadis_Root_CA.crt, mozilla/Taiwan_GRCA.crt, 
mozilla/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.crt, mozilla/IPS_CLASEA1_root.crt, mozilla/beTRUSTed_Root_CA.crt, mozilla/Verisign_Class_3_Public_Primary_Certification_Authority.crt, mozilla/ABAecom_=sub.__Am._Bankers_Assn.=_Root_CA.crt, mozilla/Entrust.net_Secure_Personal_CA.crt, mozilla/Network_Solutions_Certificate_Authority.crt, mozilla/TC_TrustCenter__Germany__Class_3_CA.crt, mozilla/AddTrust_Low-Value_Services_Root.crt, mozilla/UTN_USERFirst_Email_Root_CA.crt, mozilla/Thawte_Personal_Premium_CA.crt, mozilla/Verisign_Class_2_Public_Primary_Certification_Authority_-_G2.crt, mozilla/Certum_Root_CA.crt, mozilla/Wells_Fargo_Root_CA.crt, mozilla/IPS_Chained_CAs_root.crt, mozilla/StartCom_Ltd..crt, mozilla/GeoTrust_Primary_Certification_Authority.crt, mozilla/America_Online_Root_Certification_Authority_1.crt, mozilla/SwissSign_Silver_CA_-_G2.crt, mozilla/TURKTRUST_Certificate_Services_Provider_Root_1.crt, mozilla/NetLock_Express_=Class_C=_Root.crt, mozilla/Thawte_Server_CA.crt, mozilla/Equifax_Secure_CA.crt, mozilla/NetLock_Notary_=Class_A=_Root.crt, mozilla/DST_Root_CA_X3.crt, mozilla/GTE_CyberTrust_Global_Root.crt, mozilla/GeoTrust_Global_CA.crt, mozilla/Verisign_RSA_Secure_Server_CA.crt, mozilla/DigiCert_Assured_ID_Root_CA.crt, mozilla/ValiCert_Class_1_VA.crt, mozilla/COMODO_ECC_Certification_Authority.crt, mozilla/Verisign_Class_4_Public_Primary_Certification_Authority_-_G2.crt, mozilla/GeoTrust_Global_CA_2.crt, mozilla/Thawte_Time_Stamping_CA.crt, mozilla/TDC_Internet_Root_CA.crt, mozilla/AddTrust_Public_Services_Root.crt, debconf.org/ca.crt, quovadis.bm/QuoVadis_Root_Certification_Authority.crt, spi-inc.org/spi-cacert-2008.crt, spi-inc.org/spi-ca-2003.crt, gouv.fr/cert_igca_dsa.crt, gouv.fr/cert_igca_rsa.crt, brasil.gov.br/brasil.gov.br.crt, cacert.org/root.crt, cacert.org/cacert.org.crt, cacert.org/class3.crt, telesec.de/deutsche-telekom-root-ca-2.crt, signet.pl/signet_ca3_pem.crt, signet.pl/signet_ca2_pem.crt, 
signet.pl/signet_pca2_pem.crt, signet.pl/signet_tsa1_pem.crt, signet.pl/signet_ca1_pem.crt, signet.pl/signet_ocspklasa2_pem.crt, signet.pl/signet_rootca_pem.crt, signet.pl/signet_pca3_pem.crt, signet.pl/signet_ocspklasa3_pem.crt" +CERTS_LIST="mozilla/Entrust_Root_Certification_Authority.crt, mozilla/GeoTrust_Universal_CA.crt, mozilla/Verisign_Class_4_Public_Primary_Certification_Authority_-_G3.crt, mozilla/TC_TrustCenter__Germany__Class_2_CA.crt, mozilla/SwissSign_Gold_CA_-_G2.crt, mozilla/Digital_Signature_Trust_Co._Global_CA_2.crt, mozilla/GeoTrust_Universal_CA_2.crt, mozilla/ValiCert_Class_2_VA.crt, mozilla/Entrust.net_Premium_2048_Secure_Server_CA.crt, mozilla/Entrust.net_Secure_Server_CA.crt, mozilla/IPS_CLASEA3_root.crt, mozilla/thawte_Primary_Root_CA.crt, mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt, mozilla/StartCom_Certification_Authority.crt, mozilla/TURKTRUST_Certificate_Services_Provider_Root_2.crt, mozilla/QuoVadis_Root_CA_2.crt, mozilla/Staat_der_Nederlanden_Root_CA.crt, mozilla/Baltimore_CyberTrust_Root.crt, mozilla/UTN_DATACorp_SGC_Root_CA.crt, mozilla/Comodo_Secure_Services_root.crt, mozilla/WellsSecure_Public_Root_Certificate_Authority.crt, mozilla/NetLock_Qualified_=Class_QA=_Root.crt, mozilla/IPS_Servidores_root.crt, mozilla/AddTrust_Qualified_Certificates_Root.crt, mozilla/SwissSign_Platinum_CA_-_G2.crt, mozilla/Sonera_Class_1_Root_CA.crt, mozilla/IPS_Timestamping_root.crt, mozilla/XRamp_Global_CA_Root.crt, mozilla/Digital_Signature_Trust_Co._Global_CA_4.crt, mozilla/RSA_Security_2048_v3.crt, mozilla/DigiNotar_Root_CA.crt, mozilla/Secure_Global_CA.crt, mozilla/RSA_Root_Certificate_1.crt, mozilla/QuoVadis_Root_CA_3.crt, mozilla/Verisign_Time_Stamping_Authority_CA.crt, mozilla/Starfield_Class_2_CA.crt, mozilla/GlobalSign_Root_CA_-_R2.crt, mozilla/AOL_Time_Warner_Root_Certification_Authority_2.crt, mozilla/IPS_CLASE3_root.crt, mozilla/Visa_eCommerce_Root.crt, mozilla/Thawte_Personal_Freemail_CA.crt, 
mozilla/America_Online_Root_Certification_Authority_2.crt, mozilla/Digital_Signature_Trust_Co._Global_CA_1.crt, mozilla/beTRUSTed_Root_CA_-_Entrust_Implementation.crt, mozilla/NetLock_Business_=Class_B=_Root.crt, mozilla/Firmaprofesional_Root_CA.crt, mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt, mozilla/DigiCert_High_Assurance_EV_Root_CA.crt, mozilla/DST_ACES_CA_X6.crt, mozilla/COMODO_Certification_Authority.crt, mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G2.crt, mozilla/Entrust.net_Global_Secure_Personal_CA.crt, mozilla/IPS_CLASE1_root.crt, mozilla/beTRUSTed_Root_CA-Baltimore_Implementation.crt, mozilla/UTN_USERFirst_Hardware_Root_CA.crt, mozilla/RSA_Security_1024_v3.crt, mozilla/Certplus_Class_2_Primary_CA.crt, mozilla/Digital_Signature_Trust_Co._Global_CA_3.crt, mozilla/Visa_International_Global_Root_2.crt, mozilla/Entrust.net_Global_Secure_Server_CA.crt, mozilla/AddTrust_External_Root.crt, mozilla/Equifax_Secure_eBusiness_CA_1.crt, mozilla/DigiCert_Global_Root_CA.crt, mozilla/UTN-USER_First-Network_Applications.crt, mozilla/Verisign_Class_1_Public_Primary_Certification_Authority.crt, mozilla/SecureTrust_CA.crt, mozilla/Swisscom_Root_CA_1.crt, mozilla/Verisign_Class_2_Public_Primary_Certification_Authority.crt, mozilla/TDC_OCES_Root_CA.crt, mozilla/beTRUSTed_Root_CA_-_RSA_Implementation.crt, mozilla/Security_Communication_Root_CA.crt, mozilla/Verisign_Class_1_Public_Primary_Certification_Authority_-_G2.crt, mozilla/Camerfirma_Chambers_of_Commerce_Root.crt, mozilla/Comodo_AAA_Services_root.crt, mozilla/Thawte_Personal_Basic_CA.crt, mozilla/Go_Daddy_Class_2_CA.crt, mozilla/Equifax_Secure_eBusiness_CA_2.crt, mozilla/GlobalSign_Root_CA.crt, mozilla/AOL_Time_Warner_Root_Certification_Authority_1.crt, mozilla/Thawte_Premium_Server_CA.crt, mozilla/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.crt, mozilla/GTE_CyberTrust_Root_CA.crt, mozilla/Camerfirma_Global_Chambersign_Root.crt, 
mozilla/Sonera_Class_2_Root_CA.crt, mozilla/Comodo_Trusted_Services_root.crt, mozilla/QuoVadis_Root_CA.crt, mozilla/Taiwan_GRCA.crt, mozilla/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.crt, mozilla/IPS_CLASEA1_root.crt, mozilla/beTRUSTed_Root_CA.crt, mozilla/Verisign_Class_3_Public_Primary_Certification_Authority.crt, mozilla/ABAecom_=sub.__Am._Bankers_Assn.=_Root_CA.crt, mozilla/Entrust.net_Secure_Personal_CA.crt, mozilla/Network_Solutions_Certificate_Authority.crt, mozilla/TC_TrustCenter__Germany__Class_3_CA.crt, mozilla/AddTrust_Low-Value_Services_Root.crt, mozilla/UTN_USERFirst_Email_Root_CA.crt, mozilla/Thawte_Personal_Premium_CA.crt, mozilla/Verisign_Class_2_Public_Primary_Certification_Authority_-_G2.crt, mozilla/Certum_Root_CA.crt, mozilla/Wells_Fargo_Root_CA.crt, mozilla/IPS_Chained_CAs_root.crt, mozilla/StartCom_Ltd..crt, mozilla/GeoTrust_Primary_Certification_Authority.crt, mozilla/America_Online_Root_Certification_Authority_1.crt, mozilla/SwissSign_Silver_CA_-_G2.crt, mozilla/TURKTRUST_Certificate_Services_Provider_Root_1.crt, mozilla/NetLock_Express_=Class_C=_Root.crt, mozilla/Thawte_Server_CA.crt, mozilla/Equifax_Secure_CA.crt, mozilla/NetLock_Notary_=Class_A=_Root.crt, mozilla/DST_Root_CA_X3.crt, mozilla/GTE_CyberTrust_Global_Root.crt, mozilla/GeoTrust_Global_CA.crt, mozilla/Verisign_RSA_Secure_Server_CA.crt, mozilla/DigiCert_Assured_ID_Root_CA.crt, mozilla/ValiCert_Class_1_VA.crt, mozilla/Equifax_Secure_Global_eBusiness_CA.crt, mozilla/COMODO_ECC_Certification_Authority.crt, mozilla/Verisign_Class_4_Public_Primary_Certification_Authority_-_G2.crt, mozilla/GeoTrust_Global_CA_2.crt, mozilla/Thawte_Time_Stamping_CA.crt, mozilla/TDC_Internet_Root_CA.crt, mozilla/AddTrust_Public_Services_Root.crt, debconf.org/ca.crt, quovadis.bm/QuoVadis_Root_Certification_Authority.crt, spi-inc.org/spi-cacert-2008.crt, spi-inc.org/spi-ca-2003.crt, gouv.fr/cert_igca_dsa.crt, gouv.fr/cert_igca_rsa.crt, brasil.gov.br/brasil.gov.br.crt, cacert.org/root.crt, 
cacert.org/cacert.org.crt, cacert.org/class3.crt, telesec.de/deutsche-telekom-root-ca-2.crt, signet.pl/signet_ca3_pem.crt, signet.pl/signet_ca2_pem.crt, signet.pl/signet_pca2_pem.crt, signet.pl/signet_tsa1_pem.crt, signet.pl/signet_ca1_pem.crt, signet.pl/signet_ocspklasa2_pem.crt, signet.pl/signet_rootca_pem.crt, signet.pl/signet_pca3_pem.crt, signet.pl/signet_ocspklasa3_pem.crt" # CERTS_NEW: new certificates that will be installed CERTS_NEW="" diff --git a/mozilla/blacklist.txt b/mozilla/blacklist.txt index cc3e19b..8d57b86 100644 --- a/mozilla/blacklist.txt +++ b/mozilla/blacklist.txt @@ -1,8 +1,5 @@ # One blacklist entry per line, corresponding to the label in certdata.txt. -# Parent of "MD5 Collisions Forged Rogue CA 25c3" -"Equifax Secure Global eBusiness CA" - # MD5 Collision Proof of Concept CA "MD5 Collisions Forged Rogue CA 25c3" diff --git a/sbin/update-ca-certificates b/sbin/update-ca-certificates index 728e909..a34ef75 100755 --- a/sbin/update-ca-certificates +++ b/sbin/update-ca-certificates @@ -60,7 +60,9 @@ REMOVED="$(mktemp -t "ca-certificates.tmp.XXXXXX")" # bundle. add() { CERT="$1" - PEM="$ETCCERTSDIR/$(basename "$CERT" .crt).pem" + PEM="$ETCCERTSDIR/$(basename "$CERT" .crt | sed -e 's/ /_/g' \ + -e 's/[()]/=/g' \ + -e 's/,/_/g').pem" if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "$CERT" ] then ln -sf "$CERT" "$PEM" @@ -118,7 +120,7 @@ done # administrator. if [ -d "$LOCALCERTSDIR" ] then - find -L "$LOCALCERTSDIR" -type f | while read crt + find -L "$LOCALCERTSDIR" -type f -name '*.crt' | while read crt do add "$crt" done
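Review bot: The re-added `mozilla/Equifax_Secure_Global_eBusiness_CA.crt` entry in the new CERTS_LIST is enabled by default with no in-tree record of the condition that makes it acceptable. The blacklist comment removed by this commit names this root as the parent of "MD5 Collisions Forged Rogue CA 25c3". The changelog rationale (the rogue CA's validity period is in the past) only protects verifiers that enforce validity dates on every certificate in the chain, which presumably cannot be assumed for every consumer of the installed certificates. I would keep a comment in mozilla/blacklist.txt so the decision can be revisited, e.g. `# "Equifax Secure Global eBusiness CA" re-enabled in 20090701: the rogue 25c3 CA has expired and stays blacklisted below`.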
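Review bot: The new sed canonicalisation in add() maps distinct source names to the same `$PEM` (a constructed example: `My CA.crt` and `My_CA.crt`), and the unchanged `ln -sf "$CERT" "$PEM"` below it then repoints the existing link without any message. Equal basenames in different directories could already collide, but the substitutions widen the set of names that do, and in a trust store a silently replaced link is worth surfacing. Consider emitting a warning before the `ln -sf` when `$PEM` exists and points elsewhere, e.g. `echo "W: $PEM already links to $(readlink "$PEM"); replacing with $CERT" >&2`. add() starts before and continues past this hunk, so later lines may already report this.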
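Review bot: The loop fed by the filtered `find` still uses a bare `while read crt`, which strips leading and trailing whitespace and interprets backslashes, so a local file with such a name reaches add() under a different path than the one found. Since this commit starts handling spaces in certificate names, the loop should read the path verbatim: `find -L "$LOCALCERTSDIR" -type f -name '*.crt' | while IFS= read -r crt`. Note also that with `-L` the `.crt` suffix is tested on the link name while `-type f` is tested on the link target, so the suffix is the only filter applied here; whether the content is checked later is not visible in this hunk.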