RPM Conflict Resolution – Fixing p11-kit-trust and nss Conflicts

It has been a while since I updated one of my RHEL6 machines (except for the occasional update of specific packages with known vulnerabilities).

As a result of this, I have an old ca-certificates package:

• ca-certificates-2010.63-3.el6_1.5.noarch.

The new ca-certificates package depends on

• p11-kit-trust >= 0.18.4-2,

which in turn conflicts with

• nss < 3.14.3-33,

which is currently installed (as nss-3.13.3-6.el6.x86_64).
As a result, I cannot figure out how to correctly update ca-certificates.

I have p11-kit installed, but not p11-kit-trust, since nss blocks it. yum update nss says "No Packages marked for Update".

yum erase nss refuses, since it implies erasing yum as well.

The complete output from yum update looks like this:

Loaded plugins: product-id, rhnplugin, security, subscription-manager
This system is receiving updates from RHN Classic or RHN Satellite.
Setting up Update Process
Resolving Dependencies
--> Running transaction check
---> Package ca-certificates.noarch 0:2010.63-3.el6_1.5 will be updated
---> Package ca-certificates.noarch 0:2014.1.98-65.1.el6 will be an update
--> Processing Dependency: p11-kit-trust >= 0.18.4-2 for package: ca-certificates-2014.1.98-65.1.el6.noarch
--> Running transaction check
---> Package p11-kit-trust.x86_64 0:0.18.5-2.el6_5.2 will be installed
--> Processing Conflict: p11-kit-trust-0.18.5-2.el6_5.2.x86_64 conflicts nss  Finished Dependency Resolution
Error: p11-kit-trust conflicts with nss-3.13.3-6.el6.x86_64
 You could try using --skip-broken to work around the problem
 You could try running: rpm -Va --nofiles --nodigest

package-cleanup --problems finds no problems, and package-cleanup --cleandupes finds no duplicates.

ca-certificates cannot be uninstalled, since openssl depends on it.

Is there a way that I can resolve this without using override parameters such as --dbonly, --force, --nodeps or similar, and without manually downloading an old RPM off the net?