diff --git a/slices/ca-certificates.yaml b/slices/ca-certificates.yaml
index 6d4b32bd5..adf3805d2 100644
--- a/slices/ca-certificates.yaml
+++ b/slices/ca-certificates.yaml
@@ -4,11 +4,38 @@ essential:
 - ca-certificates_copyright
 slices:
+ # This slice offers a standard chunk of the ca-certificates package.
+ # It contains the default certificates at /usr/share/ca-certificates/mozilla,
+ # a certificates bundle at /etc/ssl/certs/ca-certificates.crt and a config
+ # file at /etc/ca-certificates.conf.
 data:
+ essential:
+ - ca-certificates_data-no-certs
+ contents:
+ # This config file is generated by the deb's maintainer scripts.
+ /etc/ca-certificates.conf: {text: FIXME, mutable: true}
+ /usr/share/ca-certificates/mozilla/**:
+ mutate: |
+ certs_dir = "/usr/share/ca-certificates/mozilla/"
+ names = [
+ "mozilla/{}".format(name) for name in content.list(certs_dir)
+ ]
+ content.write("/etc/ca-certificates.conf", "\n".join(names))
+
+ # This slice only contains the certificates bundle at /etc/ssl/certs/ca-certificates.crt.
+ # To keep the individual certificates at /usr/share/ca-certificates/mozilla/ or the
+ # configuration file at /etc/ca-certificates.conf, please use the "data" slice.
+ # Please note that the mutation script (partially) mimics the deb's maintainer
+ # scripts to generate the certificates bundle.
+ data-no-certs:
+ essential:
+ # This adds the symlink at `etc/ssl/certs.pem` for OpenSSL to look up the
+ # bundled certificate file. See `openssl_data` for details.
+ - openssl_data
 contents:
 /etc/ssl/certs/ca-certificates.crt: {text: FIXME, mutable: true}
 /usr/share/ca-certificates/mozilla/: {until: mutate}
- /usr/share/ca-certificates/mozilla/*: {until: mutate}
+ /usr/share/ca-certificates/mozilla/**: {until: mutate}
 mutate: |
 certs_dir = "/usr/share/ca-certificates/mozilla/"
 certs = [
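Review bot: The `/etc/ca-certificates.conf` written by the new `data` mutate script has no trailing newline, because `"\n".join(names)` terminates no line; consumers that read the file line by line (the `update-ca-certificates` script this package ships is one candidate) commonly mishandle an unterminated final line, so `content.write("/etc/ca-certificates.conf", "\n".join(names) + "\n")` is the safer form. The names are also emitted in whatever order `content.list(certs_dir)` yields; unless that order is guaranteed, `sorted(content.list(certs_dir))` keeps the generated conf, and the trust configuration it encodes, reproducible across builds. With the `*` to `**` glob change every entry below the mozilla directory is listed as a certificate, including any non-`.crt` file that may appear there; the deb's own conf presumably lists only certificate files, which is worth confirming. The `data` slice keeps `/usr/share/ca-certificates/mozilla/**` while `data-no-certs`, which it pulls in as essential, declares the same paths `until: mutate`; I am assuming the union keeps the files when both slices are installed, but that is inferred rather than visible here.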
@@ -16,6 +43,17 @@ slices:
 ]
 content.write("/etc/ssl/certs/ca-certificates.crt", "".join(certs))
+ bins:
+ essential:
+ - openssl_bins
+ # The `/usr/sbin/update-ca-certificates` script requires sed to run.
+ - sed_bins
+ contents:
+ # To run update-ca-certificates without breaking the default certificates
+ # at /etc/ssl/certs/ca-certificates.crt, the `_data-with-certs` slice should
+ # also be included. For details, see the `update-ca-certificates` script.
+ /usr/sbin/update-ca-certificates:
+
 copyright:
 contents:
 /usr/share/doc/ca-certificates/copyright:
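Review bot: The comment above `/usr/sbin/update-ca-certificates` points users at a `_data-with-certs` slice, but no slice of that name exists in this file; the slice that keeps the individual certificates and the conf is `data` (added in the first hunk), so the line should presumably read `# at /etc/ssl/certs/ca-certificates.crt, the "data" slice should`. Running the script also needs more than `sed` and `openssl`: Debian's update-ca-certificates relies on coreutils (`mktemp` among them) and on `run-parts` for its hooks directory, so if `bins` is meant to be runnable on its own those dependencies likely need declaring as well — confirm against the script. Shipping the script without pulling `data` in as essential presumably leaves it regenerating an empty bundle whenever the user misses the comment; making that dependency explicit, or at least stating it in a comment on the `bins` slice itself rather than on the path entry, would avoid a silently empty trust store.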