diff --git a/README.edk2 b/README.edk2
new file mode 100644
index 0000000..ac669b6
--- /dev/null
+++ b/README.edk2
@@ -0,0 +1,13 @@
+This directory /etc/pki/ca-trust/extracted/edk2/ contains a
+CA certificate bundle file which is automatically created
+based on the information found in the
+/usr/share/pki/ca-trust-source/ and /etc/pki/ca-trust/source/
+directories.
+
+The file is in the EDK2 (EFI Development Kit II) file format.
+
+Please never manually edit the files stored in this directory,
+because your changes will be lost and the files automatically overwritten,
+each time the update-ca-trust command gets executed.
+
+Please refer to the update-ca-trust(8) manual page for additional information.
diff --git a/ca-certificates.spec b/ca-certificates.spec
index 6a8f472..a5e3078 100644
--- a/ca-certificates.spec
+++ b/ca-certificates.spec
@@ -38,7 +38,7 @@ Name: ca-certificates
 Version: 2018.2.24
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: Public Domain
 Group: System Environment/Base
@@ -60,7 +60,8 @@ Source13: README.extr
 Source14: README.java
 Source15: README.openssl
 Source16: README.pem
-Source17: README.src
+Source17: README.edk2
+Source18: README.src
 BuildArch: noarch
@@ -189,6 +190,7 @@ mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/pem
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl
 mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/java
+mkdir -p -m 755 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2
 mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source
 mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/anchors
 mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/blacklist
@@ -204,7 +206,8 @@ install -p -m 644 %{SOURCE13} $RPM_BUILD_ROOT%{catrustdir}/extracted/README
 install -p -m 644 %{SOURCE14} $RPM_BUILD_ROOT%{catrustdir}/extracted/java/README
 install -p -m 644 %{SOURCE15} $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/README
 install -p -m 644 %{SOURCE16} $RPM_BUILD_ROOT%{catrustdir}/extracted/pem/README
-install -p -m 644 %{SOURCE17} $RPM_BUILD_ROOT%{catrustdir}/source/README
+install -p -m 644 %{SOURCE17} $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/README
+install -p -m 644 %{SOURCE18} $RPM_BUILD_ROOT%{catrustdir}/source/README
 install -p -m 644 %{name}/%{p11_format_bundle} $RPM_BUILD_ROOT%{_datadir}/pki/ca-trust-source/%{p11_format_bundle}
@@ -236,6 +239,8 @@ touch $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bund
 chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
 touch $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
 chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/%{java_bundle}
+touch $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
+chmod 444 $RPM_BUILD_ROOT%{catrustdir}/extracted/edk2/cacerts.bin
 # /etc/ssl/certs symlink for 3rd-party tools
 ln -s ../pki/tls/certs \
@@ -337,6 +342,7 @@ fi
 %{catrustdir}/extracted/java/README
 %{catrustdir}/extracted/openssl/README
 %{catrustdir}/extracted/pem/README
+%{catrustdir}/extracted/edk2/README
 %{catrustdir}/source/README
 # symlinks for old locations
@@ -362,9 +368,13 @@ fi
 %ghost %{catrustdir}/extracted/pem/objsign-ca-bundle.pem
 %ghost %{catrustdir}/extracted/openssl/%{openssl_format_trust_bundle}
 %ghost %{catrustdir}/extracted/%{java_bundle}
+%ghost %{catrustdir}/extracted/edk2/cacerts.bin
 %changelog
+* Mon Jun 11 2018 Daiki Ueno - 2018.2.24-4
+- Extract certificate bundle in EDK2 format, suggested by Laszlo Ersek
+
 * Mon Jun 04 2018 Kai Engert - 2018.2.24-3
 - Adjust ghost file permissions, rhbz#1564432
diff --git a/update-ca-trust b/update-ca-trust
index 087aa92..fe03ed2 100644
--- a/update-ca-trust
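Review bot: No `%dir %{catrustdir}/extracted/edk2` entry accompanies the new `%{catrustdir}/extracted/edk2/README` in this %files hunk (nor the `%ghost` `cacerts.bin` in the next one), so the directory created by the `mkdir` in %install is packaged only implicitly: owned by no package and left behind on erase. If the sibling pem, openssl and java directories are owned by `%dir` lines in the part of %files outside these hunks, add the parallel `%dir %{catrustdir}/extracted/edk2` beside them; if they are not, this is a pre-existing gap rather than a regression. The %files section continues outside the hunk.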
+++ b/update-ca-trust
@@ -19,3 +19,4 @@ export P11_KIT_NO_USER_CONFIG=1
 /usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose email $DEST/pem/email-ca-bundle.pem
 /usr/bin/p11-kit extract --format=pem-bundle --filter=ca-anchors --overwrite --comment --purpose code-signing $DEST/pem/objsign-ca-bundle.pem
 /usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts
+/usr/bin/p11-kit extract --format=edk2-cacerts --filter=ca-anchors --overwrite --purpose=server-auth $DEST/edk2/cacerts.bin
diff --git a/update-ca-trust.8.txt b/update-ca-trust.8.txt
index 892b68f..93143da 100644
--- a/update-ca-trust.8.txt
+++ b/update-ca-trust.8.txt
@@ -202,6 +202,15 @@ trusted for E-Mail protection.
 File objsign-ca-bundle.pem contains CA certificates trusted for code signing.
+The directory /etc/pki/ca-trust/extracted/edk2/ contains a CA
+certificate bundle ("cacerts.bin") in the "sequence of
+EFI_SIGNATURE_LISTs" format, defined in the UEFI-2.7 specification,
+sections "31.4.1 Signature Database" and
+"EFI_CERT_X509_GUID". Distrust information cannot be represented in
+this file format, and distrusted certificates are missing from these
+files. File "cacerts.bin" contains CA certificates trusted for TLS
+server authentication.
+
 COMMANDS
 --------
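Review bot: The new extract line writes `--purpose=server-auth` where the three sibling lines write `--purpose server-auth`; both spellings presumably parse, but the odd one out reads like a typo, so `--purpose server-auth $DEST/edk2/cacerts.bin` keeps the script uniform. `--format=edk2-cacerts` is presumably a newer p11-kit output format, and none of the spec hunks in this commit tighten the p11-kit Requires, so on a host whose p11-kit lacks it this command fails after the pem and java bundles were already refreshed, leaving `cacerts.bin` as the empty placeholder the package ships; the top of the script, with whatever error handling it sets, is outside the hunk. The man page hunk below states that distrust cannot be represented in this format, and that caveat belongs next to the command that produces the file: `# EDK2 format cannot carry distrust entries; blacklisted CAs are simply omitted (see update-ca-trust(8))`.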