If we revert the dependency bump on ca-certificates, we could upload the remaining changes now. I've tested all buster->bullseye upgrade paths involving ca-certificates-java with this new version as a target and haven't encountered any upgrade issues. The dependency bump (and creation of the fresh flag file) can be reinstated (with an updated version number) once the corresponding fixes are in ca-certificates.