diff --git a/roles/ipareplica/library/ipareplica_prepare.py b/roles/ipareplica/library/ipareplica_prepare.py
index 63f1dcbdc97a74f1319d73dcfac045e351d82cff..d4464a9389c3a5ce24cea700e42fdf6c9f9ae7cb 100644
--- a/roles/ipareplica/library/ipareplica_prepare.py
+++ b/roles/ipareplica/library/ipareplica_prepare.py
@@ -250,6 +250,10 @@ options:
     type: bool
     default: no
     required: no
+  client_configured:
+    description: Was client configured already
+    type: bool
+    required: yes
 author:
     - Thomas Woerner (@t-woerner)
 '''
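Review bot: The documented option name `client_configured` does not match the parameter the module accepts: the argument_spec hunk further down adds `ipa_client_installed=dict(required=True, type='bool')`, and install.yml passes `ipa_client_installed`. Rename the DOCUMENTATION entry to `ipa_client_installed:` so the docs and the spec agree; Ansible's module validation compares the two. The description could also say what the flag controls, for example `description: The host was already enrolled as an IPA client, ipa-certupdate is run to refresh the CA certs`. The options block begins outside this hunk.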
@@ -275,7 +279,8 @@ from ansible.module_utils.ansible_ipa_replica import (
     check_domain_level_is_supported, errors, ScriptError, setup_logging,
     logger, check_dns_resolution, service, find_providing_server, ca, kra,
     dns, no_matching_interface_for_ip_address_warning, adtrust,
-    constants, api, redirect_stdout, replica_conn_check, tasks
+    constants, api, redirect_stdout, replica_conn_check, tasks,
+    install_ca_cert
 )
 from ansible.module_utils import six
 
@@ -353,6 +358,7 @@ def main():
             skip_conncheck=dict(required=False, type='bool'),
             sid_generation_always=dict(required=False, type='bool',
                                        default=False),
+            ipa_client_installed=dict(required=True, type='bool'),
         ),
         supports_check_mode=False,
     )
@@ -436,6 +442,7 @@ def main():
     # options._random_serial_numbers is generated by ca.install_check and
     # later used by ca.install in the _setup_ca module.
     options._random_serial_numbers = False
+    ipa_client_installed = ansible_module.params.get('ipa_client_installed')
 
     # init #
 
@@ -601,10 +608,20 @@ def main():
     ansible_log.debug("-- CA_CRT --")
 
     cafile = paths.IPA_CA_CRT
-    if not os.path.isfile(cafile):
-        ansible_module.fail_json(
-            msg="CA cert file is not available! Please reinstall"
-            "the client and try again.")
+    if install_ca_cert is not None:
+        if not os.path.isfile(cafile):
+            ansible_module.fail_json(
+                msg="CA cert file is not available! Please reinstall"
+                "the client and try again.")
+    else:
+        if ipa_client_installed:
+            # host was already an IPA client, refresh client cert stores to
+            # ensure we have up to date CA certs.
+            try:
+                ipautil.run([paths.IPA_CERTUPDATE])
+            except ipautil.CalledProcessError:
+                ansible_module.fail_json(
+                    msg="ipa-certupdate failed to refresh certs.")
 
     ansible_log.debug("-- REMOTE_API --")
 
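Review bot: On the `else` path (taken when `install_ca_cert` is `None`) `cafile` is no longer checked for existence, so a host with a missing `paths.IPA_CA_CRT` passes this step whether or not `ipa-certupdate` ran. If the code after the hunk uses `cafile` as the trust anchor for the connection to the master, which is not visible here, the failure would surface later and less clearly. Keeping `if not os.path.isfile(cafile): ansible_module.fail_json(...)` after the certupdate attempt would preserve the early, explicit failure. The handler also discards the exception, so `except ipautil.CalledProcessError as e:` with `str(e)` added to the message would make a failed trust-store refresh diagnosable. The re-indented message still joins to "reinstallthe client" and needs a trailing space after `reinstall`.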
diff --git a/roles/ipareplica/library/ipareplica_test.py b/roles/ipareplica/library/ipareplica_test.py
index 95bd7e32c975ac5b22e23e8ff053044e4af6d0b7..fabb52aa376b7923d2c964f8cdac801277db6a05 100644
--- a/roles/ipareplica/library/ipareplica_test.py
+++ b/roles/ipareplica/library/ipareplica_test.py
@@ -191,7 +191,7 @@ from ansible.module_utils.ansible_ipa_replica import (
     paths, sysrestore, ansible_module_get_parsed_ip_addresses, service,
     redirect_stdout, create_ipa_conf, ipautil,
     x509, validate_domain_name, common_check,
-    IPA_PYTHON_VERSION, getargspec, adtrustinstance
+    IPA_PYTHON_VERSION, getargspec, adtrustinstance, install_ca_cert
 )
 
 
@@ -542,7 +542,8 @@ def main():
         # additional
         client_enrolled=client_enrolled,
         change_master_for_certmonger=change_master_for_certmonger,
-        sid_generation_always=sid_generation_always
+        sid_generation_always=sid_generation_always,
+        install_ca_certs=install_ca_cert is not None
     )
 
 
diff --git a/roles/ipareplica/module_utils/ansible_ipa_replica.py b/roles/ipareplica/module_utils/ansible_ipa_replica.py
index f798833a8a3c54cfcc07c64ba2f2ca12601759d7..c244e288589246e22125eaa557016ca287b4e163 100644
--- a/roles/ipareplica/module_utils/ansible_ipa_replica.py
+++ b/roles/ipareplica/module_utils/ansible_ipa_replica.py
@@ -144,7 +144,7 @@ try:
         from ipaserver.install.replication import (
             ReplicationManager, replica_conn_check)
         from ipaserver.install.server.replicainstall import (
-            make_pkcs12_info, install_replica_ds, install_krb, install_ca_cert,
+            make_pkcs12_info, install_replica_ds, install_krb,
             install_http, install_dns_records, create_ipa_conf, check_dirsrv,
             check_dns_resolution, configure_certmonger,
             remove_replica_info_dir,
@@ -157,6 +157,11 @@ try:
             # ensure_enrolled,
             promotion_check_ipa_domain
         )
+        try:
+            from ipaserver.install.server.replicainstall import \
+                install_ca_cert
+        except ImportError:
+            install_ca_cert = None
         import SSSDConfig
         from subprocess import CalledProcessError
 
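Review bot: The `install_ca_cert = None` fallback has no comment, although ipareplica_prepare and ipareplica_test both branch on it to choose how CA certs reach the host. A short comment above the inner `try` would record that, such as `# install_ca_cert is not available in all IPA versions; None makes the role skip the install_ca_certs task and refresh certs with ipa-certupdate instead`. If the first IPA version without the function is known, naming it there would help whoever later removes the fallback. The enclosing `try:` and its version branches start outside this hunk.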
diff --git a/roles/ipareplica/tasks/install.yml b/roles/ipareplica/tasks/install.yml
index fe63879c3ba8be5a486a4bdf892e027d4c33568c..076842a38448add1873846d2c06e9e2e0f3ebf16 100644
--- a/roles/ipareplica/tasks/install.yml
+++ b/roles/ipareplica/tasks/install.yml
@@ -209,6 +209,7 @@
       server: "{{ result_ipareplica_test.server }}"
       skip_conncheck: "{{ ipareplica_skip_conncheck }}"
       sid_generation_always: "{{ result_ipareplica_test.sid_generation_always }}"
+      ipa_client_installed: "{{ result_ipareplica_test.client_enrolled }}"
     register: result_ipareplica_prepare
 
   - name: Install - Add to ipaservers
@@ -276,6 +277,7 @@
       config_ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"
       config_ips: "{{ result_ipareplica_prepare.config_ips }}"
     register: result_ipareplica_install_ca_certs
+    when: result_ipareplica_test.install_ca_certs
 
   - name: Install - Setup DS
     ipareplica_setup_ds:
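Review bot: With the added `when: result_ipareplica_test.install_ca_certs`, `result_ipareplica_install_ca_certs` is still registered when the task is skipped, but it then holds only the skip record and none of the module's return values. Any later task that reads a field from `result_ipareplica_install_ca_certs` would fail with an undefined attribute on hosts where `install_ca_cert` is unavailable. Whether such a reference exists cannot be seen from this hunk, so check the following tasks and point them at `result_ipareplica_prepare` if needed. A comment on the condition would also help, for example `# skipped when the installed IPA no longer provides install_ca_cert`.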