diff --git a/library/ipadiscovery.py b/library/ipadiscovery.py
index a42bc8565230eb1b28e8b8bb69c2dddd85924e74..757ce221d5fee2d5de1ed025546eba5b2266c51a 100644
--- a/library/ipadiscovery.py
+++ b/library/ipadiscovery.py
@@ -48,6 +48,9 @@ options:
   hostname:
     description: The authorized kerberos principal used to join the IPA realm.
     required: false
+  ca_cert_file:
+    description: A CA certificate to use.
+    required: false
   check:
     description: Check if IPA client is installed and matching.
     required: false
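Review bot: The `ca_cert_file` description does not say that the value is a file path on the managed host, or what happens when the option is omitted. Judging by `get_cert_path` later in this commit, an unset option falls back to `paths.IPA_CA_CRT` if that file exists and otherwise passes no CA at all. That is worth stating, because it decides whether discovery has a trust anchor. I would write `description: Path on the managed host to a CA certificate file used for discovery; if unset, the existing IPA CA file is used when present, otherwise no CA is passed.`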
@@ -147,6 +150,22 @@ from ipaclient.install import ipadiscovery
 from ipalib.install.sysrestore import SYSRESTORE_STATEFILE
 from ipaplatform.paths import paths
 
+def get_cert_path(cert_path):
+    """
+    If a CA certificate is passed in on the command line, use that.
+
+    Else if a CA file exists in paths.IPA_CA_CRT then use that.
+
+    Otherwise return None.
+    """
+    if cert_path is not None:
+        return cert_path
+
+    if os.path.exists(paths.IPA_CA_CRT):
+        return paths.IPA_CA_CRT
+
+    return None
+
 def is_client_configured():
     """
     Check if ipa client is configured.
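Review bot: `get_cert_path` returns an explicitly supplied path without checking it, while the fallback is guarded by `os.path.exists`, so a mistyped `ca_cert_file` only surfaces later inside the discovery call (how it fails there is not visible here). Checking it up front in `main()` gives a clear error: `if opt_ca_cert_file and not os.path.isfile(opt_ca_cert_file): module.fail_json(msg="ca_cert_file not found: %s" % opt_ca_cert_file)`. The docstring says "command line" although the value comes from a module parameter, and it should note that returning `None` means the caller runs discovery with no CA certificate. `import os` is not visible in this hunk, so confirm it is present; the trailing `is_client_configured` context continues outside the hunk.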
@@ -188,6 +207,7 @@ def main():
             domain=dict(required=False),
             realm=dict(required=False),
             hostname=dict(required=False),
+            ca_cert_file=dict(required=False),
             check=dict(required=False, type='bool', default=False),
         ),
         # required_one_of = ( [ '', '' ] ),
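Review bot: `ca_cert_file=dict(required=False)` is declared without a type, so it is handled as a plain string; `ca_cert_file=dict(required=False, type='path')` lets Ansible expand `~` and environment variables before the value reaches `get_cert_path`. The role task changed in this commit keeps its `ca_cert_file` line commented out, so as committed the option is only reachable when the module is called directly, and role users always get the fallback path. `main()` starts and ends outside this hunk.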
@@ -199,6 +219,7 @@ def main():
     opt_servers = module.params.get('servers')
     opt_realm = module.params.get('realm')
     opt_hostname = module.params.get('hostname')
+    opt_ca_cert_file = module.params.get('ca_cert_file')
     opt_check = module.params.get('check')
 
     hostname = None
@@ -238,7 +259,7 @@ def main():
         servers=opt_servers,
         realm=opt_realm,
         hostname=hostname,
-        ca_cert_path=None)
+        ca_cert_path=get_cert_path(opt_ca_cert_file))
 
     if opt_servers and ret != 0:
         # There is no point to continue with installation as server list was
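Review bot: `get_cert_path(opt_ca_cert_file)` is evaluated separately here and at the two later call sites in `main()` (the hunks at -276 and -299), each re-running `os.path.exists`, so the three calls could in principle see different CA settings if the file appears or disappears in between. Resolve it once after the options are read, `ca_cert_path = get_cert_path(opt_ca_cert_file)`, and pass `ca_cert_path=ca_cert_path` at all three sites. The call being modified starts above the hunk, so its name is not visible here.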
@@ -276,7 +297,7 @@ def main():
             domain=cli_domain,
             servers=opt_servers,
             hostname=hostname,
-            ca_cert_path=None)
+            ca_cert_path=get_cert_path(opt_ca_cert_file))
 
     if not cli_domain:
         if ds.domain:
@@ -299,7 +320,7 @@ def main():
             domain=cli_domain,
             servers=cli_server,
             hostname=hostname,
-            ca_cert_path=None)
+            ca_cert_path=get_cert_path(opt_ca_cert_file))
 
     else:
         # Only set dnsok to True if we were not passed in one or more servers
diff --git a/roles/ipaclient/tasks/install.yml b/roles/ipaclient/tasks/install.yml
index 79476d2484fa264bcb9cb3c5c8c4fca9e45a3b5a..b635c00c1c244eaa6bff0194ebcd352b4776cae3 100644
--- a/roles/ipaclient/tasks/install.yml
+++ b/roles/ipaclient/tasks/install.yml
@@ -12,6 +12,7 @@
     servers: "{{ groups.ipaservers | default(omit) }}"
     realm: "{{ ipaclient_realm | default(omit) }}"
     hostname: "{{ ansible_fqdn }}"
+    #ca_cert_file: "{{ ipaclient_ca_cert_file | default(omit) }}"
     check: yes
   register: ipadiscovery