As usual, as soon as I ask the question, I find an answer:
https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/IGT2fLJrAeo

Now I just need a solution which doesn't involve re-building all the certificates, because some of those I use cannot be rebuilt.