Thanks for the report. The bug is an unfortunate side effect of the integration with ca-certificates. The installation of the certificate files under /usr/share/ca-certificates has the consequence that they are automatically linked to /etc/ssl/certs whenever the ca-certificates package is (re)configured.
In retrospect I should never have implemented the integration of the IGTF certificates with the system's ca-certificates; their purpose is so different that it does not make sense to trust them in general for e-mail signatures or web security. I am going to change the installation paths so none of this will happen anymore, but the piuparts test as run will still fail the upgrade; the bug is in the older version. Anyway, the symlinks are created by the ca-certificates package. Removing or reconfiguring ca-certificates gets rid of the symlinks.
