diff --git a/NEWS b/NEWS
index 1003652eb..48142bc98 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,9 @@
 Noteworthy changes in version 2.1.3 (unreleased)
 ------------------------------------------------
 
+ * dirmngr: extra-certs and trusted-certs are now always loaded from
+   the sysconfig dir instead of the homedir.
+
 
 Noteworthy changes in version 2.1.2 (2015-02-11)
 ------------------------------------------------
diff --git a/dirmngr/certcache.c b/dirmngr/certcache.c
index 969b3ec19..7fc982684 100644
--- a/dirmngr/certcache.c
+++ b/dirmngr/certcache.c
@@ -435,11 +435,11 @@ cert_cache_init (void)
   init_cache_lock ();
   acquire_cache_write_lock ();
 
-  dname = make_filename (opt.homedir, "trusted-certs", NULL);
+  dname = make_filename (gnupg_sysconfdir (), "trusted-certs", NULL);
   load_certs_from_dir (dname, 1);
   xfree (dname);
 
-  dname = make_filename (opt.homedir_data, "extra-certs", NULL);
+  dname = make_filename (gnupg_sysconfdir (), "extra-certs", NULL);
   load_certs_from_dir (dname, 0);
   xfree (dname);
 
diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c
index fd31b7f93..36a476aa6 100644
--- a/dirmngr/dirmngr.c
+++ b/dirmngr/dirmngr.c
@@ -800,7 +800,6 @@ main (int argc, char **argv)
 #else
       opt.homedir = gnupg_sysconfdir ();
 #endif
-      opt.homedir_data = gnupg_datadir ();
       opt.homedir_cache = gnupg_cachedir ();
       socket_name = dirmngr_sys_socket_name ();
     }
@@ -926,8 +925,6 @@ main (int argc, char **argv)
   if (nogreeting )
     greeting = 0;
 
-  if (!opt.homedir_data)
-    opt.homedir_data = opt.homedir;
   if (!opt.homedir_cache)
     opt.homedir_cache = opt.homedir;
 
diff --git a/dirmngr/dirmngr.h b/dirmngr/dirmngr.h
index bb368f252..3dd16a348 100644
--- a/dirmngr/dirmngr.h
+++ b/dirmngr/dirmngr.h
@@ -80,7 +80,6 @@ struct
   int dry_run;        /* don't change any persistent data */
   int batch;          /* batch mode */
   const char *homedir;      /* Configuration directory name */
-  const char *homedir_data; /* Ditto for data files (/usr/share/dirmngr).  */
   const char *homedir_cache; /* Ditto for cache files (/var/cache/dirmngr).  */
 
   char *config_filename;     /* Name of a config file, which will be
diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi
index 5f2cfd438..6c413de26 100644
--- a/doc/dirmngr.texi
+++ b/doc/dirmngr.texi
@@ -143,9 +143,8 @@ running mode:
 @table @asis
 
 @item With @code{--daemon} given on the commandline
-the directory named @file{/etc/gnupg} for configuration files,
-@file{/var/lib/gnupg/} for extra data and @file{/var/cache/gnupg}
-for cached CRLs.
+the directory named @file{/etc/gnupg} is used for configuration files
+and @file{/var/cache/gnupg} for cached CRLs.
 
 @item Without @code{--daemon} given on the commandline
 the directory named @file{.gnupg} directly below the home directory
@@ -428,11 +427,9 @@ Dirmngr makes use of several directories when running in daemon mode:
 The first is the standard home directory for all configuration files.
 In the deprecated system daemon mode the second directory is used instead.
 
-@item ~/.gnupg/trusted-certs
-@itemx /etc/gnupg/trusted-certs
-The first directory should be filled with certificates of Root CAs you
-are trusting in checking the CRLs and signing OCSP Reponses.  The
-second directory is used in the deprecated systems daemon mode.
+@item /etc/gnupg/trusted-certs
+This directory should be filled with certificates of Root CAs you
+are trusting in checking the CRLs and signing OCSP Reponses.
 
 Usually these are the same certificates you use with the applications
 making use of dirmngr.  It is expected that each of these certificate
@@ -442,20 +439,22 @@ those certificates on startup and when given a SIGHUP.  Certificates
 which are not readable or do not make up a proper X.509 certificate
 are ignored; see the log file for details.
 
+Applications using dirmngr (e.g. gpgsm) can request these
+certificates to complete a trust chain in the same way as with the
+extra-certs directory (see below).
+
 Note that for OCSP responses the certificate specified using the option
 @option{--ocsp-signer} is always considered valid to sign OCSP requests.
 
-
-@item ~/.gnupg/extra-certs
-@itemx /var/lib/gnupg/extra-certs
-The first directory may contain extra certificates which are preloaded
-into the interal cache on startup.This is convenient in cases you have
-a couple intermediate CA certificates or certificates ususally used to
-sign OCSP reponses.  These certificates are first tried before going
+@item /etc/gnupg/extra-certs
+This directory may contain extra certificates which are preloaded
+into the interal cache on startup. Applications using dirmngr (e.g. gpgsm)
+can request cached certificates to complete a trust chain.
+This is convenient in cases you have a couple intermediate CA certificates
+or certificates ususally used to sign OCSP reponses.
+These certificates are first tried before going
 out to the net to look for them.  These certificates must also be
 @acronym{DER} encoded and suffixed with @file{.crt} or @file{.der}.
-The second directory is used instead in the deprecated systems daemon
-mode.
 
 @item /var/run/gnupg
 This directory is only used in the deprecated system daemon mode.  It