diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl.conf b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl.conf
new file mode 100644
index 0000000000..ce86101ce7
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl.conf
@@ -0,0 +1,3 @@
+d	/etc/ssl		-	-	-	-	-
+d	/etc/ssl/private	0700	-	-	-	-
+L	/etc/ssl/openssl.cnf	-	-	-	-	../../usr/share/ssl/openssl.cnf
diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.1.1g.ebuild b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.1.1g.ebuild
index 7a3f675be5..8f3f524377 100644
--- a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.1.1g.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.1.1g.ebuild
@@ -1,9 +1,12 @@
+# Difference to upstream from ./update_ebuilds:
+# - Ported changes from 7b591fb2e0ec7a0f9fe43218f9196d825b5f9653
+#
 # Copyright 1999-2020 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI="7"
 
-inherit flag-o-matic toolchain-funcs multilib multilib-minimal
+inherit flag-o-matic toolchain-funcs multilib multilib-minimal systemd
 
 MY_P=${P/_/-}
 
@@ -284,9 +287,6 @@ multilib_src_install_all() {
 	# twice; once with shared lib support enabled and once without.
 	use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
 
-	# create the certs directory
-	keepdir ${SSL_CNF_DIR}/certs
-
 	# Namespace openssl programs to prevent conflicts with other man pages
 	cd "${ED}"/usr/share/man || die
 	local m d s
@@ -313,12 +313,15 @@ multilib_src_install_all() {
 	dodir /etc/sandbox.d #254521
 	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
 
-	diropts -m0700
-	keepdir ${SSL_CNF_DIR}/private
-}
+	# Don't keep the sample CA files and their ilk in /etc.
+	rm -r "${ED}"${SSL_CNF_DIR}
 
-pkg_postinst() {
-	ebegin "Running 'c_rehash ${EROOT}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
-	c_rehash "${EROOT}${SSL_CNF_DIR}/certs" >/dev/null
-	eend $?
+	# Save the default openssl.cnf in /usr and link it into place.
+	dodir /usr/share/ssl
+	insinto /usr/share/ssl
+	doins "${S}"/apps/openssl.cnf
+	systemd_dotmpfilesd "${FILESDIR}"/openssl.conf
+
+	# Package the tmpfiles.d setup for SDK bootstrapping.
+	systemd-tmpfiles --create --root="${ED}" "${FILESDIR}"/openssl.conf
 }