diff --git a/roles/ipareplica/library/ipareplica_custodia_import_dm_password.py b/roles/ipareplica/library/ipareplica_custodia_import_dm_password.py
index 95424615cfda4cacc5e726ceeb9a9a2c5df98617..922c888001f7e262fd495c55c6379090054af8b5 100644
--- a/roles/ipareplica/library/ipareplica_custodia_import_dm_password.py
+++ b/roles/ipareplica/library/ipareplica_custodia_import_dm_password.py
@@ -64,6 +64,12 @@ options:
   _ca_file:
     description: 
     required: yes
+  _kra_enabled:
+    description: 
+    required: yes
+  _kra_host_name:
+    description: 
+    required: yes
   _dirsrv_pkcs12_info:
     description: 
     required: yes
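Review bot: The two new option entries are documented as `required: yes` with an empty `description:`, but the argument_spec added in the next hunk declares both with `required=False`. The documentation should match the spec and say what the values are, for example `description: Whether the replica is installed with a KRA` with `required: no` for `_kra_enabled`, and `description: Host name of the KRA peer as returned by ipareplica_prepare` with `required: no` for `_kra_host_name`. The same mismatch appears in the options hunks of ipareplica_setup_ca.py and ipareplica_setup_custodia.py.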
@@ -103,6 +109,8 @@ def main():
             ccache=dict(required=True),
             _ca_enabled=dict(required=False, type='bool'),
             _ca_file=dict(required=False),
+            _kra_enabled=dict(required=False, type='bool'),
+            _kra_host_name=dict(required=False),
             _dirsrv_pkcs12_info = dict(required=False),
             _pkinit_pkcs12_info = dict(required=False),
             _top_dir = dict(required=True),
@@ -135,6 +143,8 @@ def main():
     #os.environ['KRB5CCNAME'] = ansible_module.params.get('installer_ccache')
     #installer._ccache = ansible_module.params.get('installer_ccache')
     ca_enabled = ansible_module.params.get('_ca_enabled')
+    kra_enabled = ansible_module.params.get('_kra_enabled')
+    kra_host_name = ansible_module.params.get('_kra_host_name')
     dirsrv_pkcs12_info = ansible_module.params.get('_dirsrv_pkcs12_info')
     pkinit_pkcs12_info = ansible_module.params.get('_pkinit_pkcs12_info')
     options._top_dir = ansible_module.params.get('_top_dir')
@@ -161,6 +171,8 @@ def main():
     config.ca_host_name = config_ca_host_name
     config.subject_base = options.subject_base
     config.promote = installer.promote
+    config.kra_enabled = kra_enabled
+    config.kra_host_name = kra_host_name
 
     remote_api = gen_remote_api(config.master_host_name, paths.ETC_IPA)
     installer._remote_api = remote_api
diff --git a/roles/ipareplica/library/ipareplica_enable_ipa.py b/roles/ipareplica/library/ipareplica_enable_ipa.py
index 35b288f2d502220b1e67a75ba68165e488a97e0a..d54a746bc77de39a30b8fdbc7fd20c00589b5cf9 100644
--- a/roles/ipareplica/library/ipareplica_enable_ipa.py
+++ b/roles/ipareplica/library/ipareplica_enable_ipa.py
@@ -49,6 +49,9 @@ options:
   setup_ca:
     description: Configure a dogtag CA
     required: yes
+  setup_kra:
+    description: Configure KRA
+    required: yes
   config_master_host_name:
     description: The master host name
     required: yes
@@ -77,6 +80,7 @@ def main():
             ccache=dict(required=True),
             _top_dir = dict(required=True),
             setup_ca=dict(required=True, type='bool'),
+            setup_kra=dict(required=True, type='bool'),
             config_master_host_name=dict(required=True),
         ),
         supports_check_mode = True,
@@ -100,6 +104,7 @@ def main():
     os.environ['KRB5CCNAME'] = ccache
     options._top_dir = ansible_module.params.get('_top_dir')
     options.setup_ca = ansible_module.params.get('setup_ca')
+    options.setup_kra = ansible_module.params.get('setup_kra')
     config_master_host_name = ansible_module.params.get('config_master_host_name')
 
     # init #
diff --git a/roles/ipareplica/library/ipareplica_prepare.py b/roles/ipareplica/library/ipareplica_prepare.py
index 55994d2b0a3629cc1c0b8a960d4744ba1203233d..a9b1bcd19bb9df0d0474c67104dee2acfb66370e 100644
--- a/roles/ipareplica/library/ipareplica_prepare.py
+++ b/roles/ipareplica/library/ipareplica_prepare.py
@@ -728,6 +728,7 @@ def main():
                              config_setup_ca=config.setup_ca,
                              config_master_host_name=config.master_host_name,
                              config_ca_host_name=config.ca_host_name,
+                             config_kra_host_name=config.kra_host_name,
                              config_ips=[ str(ip) for ip in config.ips ],
                              ### ad trust ###
                              rid_base=options.rid_base,
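Review bot: The added `config_kra_host_name=config.kra_host_name` reads the attribute unconditionally, and how `config` is built is outside this hunk. If the role still supports IPA versions whose replica config object has no `kra_host_name` attribute (the `hasattr(custodiainstance, "get_custodia_instance")` guard in ipareplica_setup_ca.py suggests older versions are handled), this line would raise AttributeError at the end of the prepare step. A tolerant form would be `config_kra_host_name=getattr(config, 'kra_host_name', None),`. The enclosing call starts and ends outside the hunk.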
diff --git a/roles/ipareplica/library/ipareplica_setup_ca.py b/roles/ipareplica/library/ipareplica_setup_ca.py
index fb95bea599d0a916b7debe7ef26ca0d5434839b1..788fdae29334a2200b382c22f97cf533a5f7fc91 100644
--- a/roles/ipareplica/library/ipareplica_setup_ca.py
+++ b/roles/ipareplica/library/ipareplica_setup_ca.py
@@ -61,6 +61,12 @@ options:
   _ca_file:
     description: 
     required: yes
+  _kra_enabled:
+    description:
+    required: yes
+  _kra_host_name:
+    description:
+    required: yes
   _dirsrv_pkcs12_info:
     description: 
     required: yes
@@ -118,6 +124,8 @@ def main():
             ccache=dict(required=True),
             _ca_enabled=dict(required=False, type='bool'),
             _ca_file=dict(required=False),
+            _kra_enabled=dict(required=False, type='bool'),
+            _kra_host_name=dict(required=False),
             _dirsrv_pkcs12_info = dict(required=False),
             _pkinit_pkcs12_info = dict(required=False),
             _top_dir = dict(required=True),
@@ -152,6 +160,8 @@ def main():
     #os.environ['KRB5CCNAME'] = ansible_module.params.get('installer_ccache')
     #installer._ccache = ansible_module.params.get('installer_ccache')
     ca_enabled = ansible_module.params.get('_ca_enabled')
+    kra_enabled = ansible_module.params.get('_kra_enabled')
+    kra_host_name = ansible_module.params.get('_kra_host_name')
     installer._dirsrv_pkcs12_info = ansible_module.params.get('_dirsrv_pkcs12_info')
     installer._pkinit_pkcs12_info = ansible_module.params.get('_pkinit_pkcs12_info')
     options._top_dir = ansible_module.params.get('_top_dir')
@@ -190,6 +200,8 @@ def main():
     config.ca_host_name = config_ca_host_name
     config.ips = config_ips
     config.promote = options.promote
+    config.kra_enabled = kra_enabled
+    config.kra_host_name = kra_host_name
 
     remote_api = gen_remote_api(config.master_host_name, paths.ETC_IPA)
     options._remote_api = remote_api
@@ -213,7 +225,10 @@ def main():
         if not hasattr(custodiainstance, "get_custodia_instance"):
             ca.install(False, config, options)
         else:
-            if ca_enabled:
+            if kra_enabled:
+                # A KRA peer always provides a CA, too.
+                mode = custodiainstance.CustodiaModes.KRA_PEER
+            elif ca_enabled:
                 mode = custodiainstance.CustodiaModes.CA_PEER
             else:
                 mode = custodiainstance.CustodiaModes.MASTER_PEER
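Review bot: The new `if kra_enabled:` branch selects `CustodiaModes.KRA_PEER` without checking that `kra_host_name` was actually supplied, and both `_kra_enabled` and `_kra_host_name` are declared `required=False` in this module. Presumably the KRA peer mode uses `config.kra_host_name` as the host that key material is fetched from, so a missing or empty value should stop the run with a clear message rather than surface later inside the Custodia setup. A guard placed before the mode selection would do, e.g. `if kra_enabled and not kra_host_name:` followed by `ansible_module.fail_json(msg="_kra_host_name is required when _kra_enabled is set")`. The identical branch in ipareplica_setup_custodia.py needs the same check, and the enclosing block starts outside this hunk.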
diff --git a/roles/ipareplica/library/ipareplica_setup_custodia.py b/roles/ipareplica/library/ipareplica_setup_custodia.py
index a7fcc407cde9b5d9ed5682afebee40364f858ae9..ad950ad4cfa455ddf3cb215f5339c0910724675d 100644
--- a/roles/ipareplica/library/ipareplica_setup_custodia.py
+++ b/roles/ipareplica/library/ipareplica_setup_custodia.py
@@ -64,6 +64,12 @@ options:
   _ca_file:
     description: 
     required: yes
+  _kra_enabled:
+    description:
+    required: yes
+  _kra_host_name:
+    description:
+    required: yes
   _top_dir:
     description: 
     required: yes
@@ -98,6 +104,8 @@ def main():
             ccache=dict(required=True),
             _ca_enabled=dict(required=False, type='bool'),
             _ca_file=dict(required=False),
+            _kra_enabled=dict(required=False, type='bool'),
+            _kra_host_name=dict(required=False),
             _dirsrv_pkcs12_info = dict(required=False),
             _pkinit_pkcs12_info = dict(required=False),
             _top_dir = dict(required=True),
@@ -127,6 +135,8 @@ def main():
     #os.environ['KRB5CCNAME'] = ansible_module.params.get('installer_ccache')
     #installer._ccache = ansible_module.params.get('installer_ccache')
     ca_enabled = ansible_module.params.get('_ca_enabled')
+    kra_enabled = ansible_module.params.get('_kra_enabled')
+    kra_host_name = ansible_module.params.get('_kra_host_name')
     dirsrv_pkcs12_info = ansible_module.params.get('_dirsrv_pkcs12_info')
     options._pkinit_pkcs12_info = ansible_module.params.get('_pkinit_pkcs12_info')
     options._top_dir = ansible_module.params.get('_top_dir')
@@ -149,6 +159,8 @@ def main():
     config = gen_ReplicaConfig()
     config.dirman_password = dirman_password
     config.promote = installer.promote
+    config.kra_enabled = kra_enabled
+    config.kra_host_name = kra_host_name
 
     remote_api = gen_remote_api(master_host_name, paths.ETC_IPA)
     #installer._remote_api = remote_api
@@ -174,7 +186,10 @@ def main():
                 ansible_log.debug("-- CUSTODIA CREATE_INSTANCE --")
                 custodia.create_instance()
         else:
-            if ca_enabled:
+            if kra_enabled:
+                # A KRA peer always provides a CA, too.
+                mode = custodiainstance.CustodiaModes.KRA_PEER
+            elif ca_enabled:
                 mode = custodiainstance.CustodiaModes.CA_PEER
             else:
                 mode = custodiainstance.CustodiaModes.MASTER_PEER
diff --git a/roles/ipareplica/library/ipareplica_setup_kra.py b/roles/ipareplica/library/ipareplica_setup_kra.py
index 961f15f76ba36fb1ad71c5fe7ef7b7fd3e2df544..fadb94dc786df3e6a04901f3ec3407de29e820e3 100644
--- a/roles/ipareplica/library/ipareplica_setup_kra.py
+++ b/roles/ipareplica/library/ipareplica_setup_kra.py
@@ -115,6 +115,7 @@ def main():
             installer_ccache=dict(required=True),
             _ca_enabled=dict(required=False, type='bool'),
             _kra_enabled=dict(required=False, type='bool'),
+            _kra_host_name=dict(required=False),
             _dirsrv_pkcs12_info = dict(required=False),
             _http_pkcs12_info = dict(required=False),
             _pkinit_pkcs12_info = dict(required=False),
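Review bot: `_kra_host_name` is added to the argument_spec here, but no hunk in this diff adds it to the module's `options:` documentation, unlike the other modules touched by this commit. The documentation block is outside the visible hunks, so confirm it is really missing; if it is, add an entry such as `_kra_host_name:` with `description: Host name of the KRA peer as returned by ipareplica_prepare` and `required: no`.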
@@ -176,6 +177,7 @@ def main():
     installer._ccache = ansible_module.params.get('installer_ccache')
     ca_enabled = ansible_module.params.get('_ca_enabled')
     kra_enabled = ansible_module.params.get('_kra_enabled')
+    kra_host_name = ansible_module.params.get('_kra_host_name')
 
     dirsrv_pkcs12_info = ansible_module.params.get('_dirsrv_pkcs12_info')
     http_pkcs12_info = ansible_module.params.get('_http_pkcs12_info')
@@ -206,6 +208,8 @@ def main():
     config = gen_ReplicaConfig()
     config.subject_base = options.subject_base
     config.promote = installer.promote
+    config.kra_enabled = kra_enabled
+    config.kra_host_name = kra_host_name
 
     remote_api = gen_remote_api(master_host_name, paths.ETC_IPA)
     installer._remote_api = remote_api
diff --git a/roles/ipareplica/tasks/install.yml b/roles/ipareplica/tasks/install.yml
index 1bb89dcbd7c296245598ba54b89355df22efb7d0..97cbd413c1e7aaa6cca0df4b24d69f67621a206c 100644
--- a/roles/ipareplica/tasks/install.yml
+++ b/roles/ipareplica/tasks/install.yml
@@ -508,6 +508,8 @@
         "{{ result_ipareplica_prepare.config_master_host_name }}"
       ccache: "{{ result_ipareplica_prepare.ccache }}"
       _ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
+      _kra_enabled: "{{ result_ipareplica_prepare._kra_enabled }}"
+      _kra_host_name: "{{ result_ipareplica_prepare.config_kra_host_name }}"
       _ca_file: "{{ result_ipareplica_prepare._ca_file }}"
       _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info }}"
       _top_dir: "{{ result_ipareplica_prepare._top_dir }}"
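Review bot: `_kra_host_name` is templated straight from `result_ipareplica_prepare.config_kra_host_name`, which is presumably null when no KRA peer was found. Depending on the Ansible version and templating mode, a null value can reach the module as an empty string or as the text `None` rather than as a missing parameter, and the modules assign it to `config.kra_host_name` unchanged. Omitting the parameter when it has no value avoids that: `_kra_host_name: "{{ result_ipareplica_prepare.config_kra_host_name | default(omit, true) }}"`. The same line is added in the three later hunks of this file that pass `_kra_host_name`.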
@@ -527,6 +529,8 @@
       _ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
       _ca_file: "{{ result_ipareplica_prepare._ca_file }}"
       _ca_subject: "{{ result_ipareplica_prepare._ca_subject }}"
+      _kra_enabled: "{{ result_ipareplica_prepare._kra_enabled }}"
+      _kra_host_name: "{{ result_ipareplica_prepare.config_kra_host_name }}"
       _subject_base: "{{ result_ipareplica_prepare._subject_base }}"
       _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info }}"
       _top_dir: "{{ result_ipareplica_prepare._top_dir }}"
@@ -609,6 +613,7 @@
       installer_ccache: "{{ result_ipareplica_prepare.installer_ccache }}"
       _ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
       _kra_enabled: "{{ result_ipareplica_prepare._kra_enabled }}"
+      _kra_host_name: "{{ result_ipareplica_prepare.config_kra_host_name }}"
       _dirsrv_pkcs12_info: "{{ result_ipareplica_prepare._dirsrv_pkcs12_info }}"
       _http_pkcs12_info: "{{ result_ipareplica_prepare._http_pkcs12_info }}"
       _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info }}"
@@ -653,6 +658,8 @@
       ccache: "{{ result_ipareplica_prepare.ccache }}"
       _ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
       _ca_file: "{{ result_ipareplica_prepare._ca_file }}"
+      _kra_enabled: "{{ result_ipareplica_prepare._kra_enabled }}"
+      _kra_host_name: "{{ result_ipareplica_prepare.config_kra_host_name }}"
       _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info }}"
       _top_dir: "{{ result_ipareplica_prepare._top_dir }}"
       dirman_password: "{{ ipareplica_dirman_password }}"
@@ -733,6 +740,8 @@
       hostname: "{{ result_ipareplica_test.hostname }}"
       hidden_replica: "{{ ipareplica_hidden_replica }}"
       ### server ###
+      ### replica ###
+      setup_kra: "{{ result_ipareplica_test.setup_kra }}"
       ### certificate system ###
       subject_base: "{{ result_ipareplica_prepare.subject_base }}"
       ### additional ###