diff --git a/tests/external-signed-ca-with-automatic-copy/external-ca.sh b/tests/external-signed-ca-with-automatic-copy/external-ca.sh
new file mode 100644
index 0000000000000000000000000000000000000000..bf4cb69601992178564abe65a918c97e8e9f09a8
--- /dev/null
+++ b/tests/external-signed-ca-with-automatic-copy/external-ca.sh
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+master=$1
+if [ -z "$master" ]; then
+ echo "ERROR: master is not set"
+ echo
+ echo "usage: $0 master-fqdn domain"
+ exit 0;
+fi
+
+PASSWORD="SomeCApassword"
+DBDIR="${master}-nssdb"
+PWDFILE="$DBDIR/pwdfile.txt"
+NOISE="/etc/passwd"
+
+domain=$2
+if [ -z "$domain" ]; then
+ echo "ERROR: domain is not set"
+ echo
+ echo "usage: $0 master-fqdn domain"
+ exit 0;
+fi
+
+if [ ! -f "${master}-ipa.csr" ]; then
+ echo "ERROR: ${master}-ipa.csr missing"
+ exit 1;
+fi
+
+ROOT_KEY_ID=0x$(dd if=/dev/urandom bs=20 count=1 | xxd -p)
+IPA_CA_KEY_ID=0x$(dd if=/dev/urandom bs=20 count=1 | xxd -p)
+
+rm -rf "$DBDIR"
+mkdir "$DBDIR"
+echo "$PASSWORD" > "$PWDFILE"
+certutil -N -d "$DBDIR" -f "$PWDFILE"
+echo -e "0\n1\n5\n6\n9\ny\ny\n\ny\n${ROOT_KEY_ID}\nn\n" \
+ | certutil -d "$DBDIR" -f "$PWDFILE" -S -z "$NOISE" -n ca -x -t C,C,C \
+ -s "CN=PRIMARY,O=$domain" -x -1 -2 --extSKID
+
+openssl req -outform der -in "${master}-ipa.csr" -out "$DBDIR/req.csr"
+echo -e "0\n1\n5\n6\n9\ny\ny\n\ny\ny\n${ROOT_KEY_ID}\n\n\nn\n${IPA_CA_KEY_ID}\nn\n" \
+ | certutil -d "$DBDIR" -f "$PWDFILE" -C -z "$NOISE" -c ca \
+ -i "$DBDIR/req.csr" -o "$DBDIR/external.cer" -1 -2 -3 --extSKID
+
+openssl x509 -inform der -in "$DBDIR/external.cer" -out "$DBDIR/external.pem"
+certutil -L -n ca -d "$DBDIR" -a > "$DBDIR/ca.crt"
+cat "$DBDIR/external.pem" "$DBDIR/ca.crt" > "$DBDIR/chain.crt"
+
+cp "$DBDIR/chain.crt" "${master}-chain.crt"
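Review bot: The two argument checks at the top print an error and then `exit 0;`, so a caller such as the Ansible `command` task in the sibling playbook sees a missing master or domain as success and only fails later, when `${master}-chain.crt` does not exist; both should be `exit 1;`, matching the CSR check just below them. The script also runs without `set -e`, so a failed `certutil -S`, `certutil -C` or `openssl` step is only noticed when the final `cp` cannot find chain.crt — adding `set -eo pipefail` after the shebang (not `-u`, which would trip on the unset `$1`/`$2` before the usage text is printed) surfaces the first failure with its own message. `NOISE="/etc/passwd"` seeds certutil's `-z` input from a predictable file; that is tolerable for a throwaway test CA but deserves a comment such as `# test-only RNG seed file, not a real entropy source`. This file is byte-identical (same blob bf4cb696) to tests/external-signed-ca-with-manual-copy/external-ca.sh in the third hunk, so one shared copy would keep the two from drifting.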
diff --git a/tests/external-signed-ca-with-automatic-copy/install-server-with-external-ca-with-automatic-copy.yml b/tests/external-signed-ca-with-automatic-copy/install-server-with-external-ca-with-automatic-copy.yml
new file mode 100644
index 0000000000000000000000000000000000000000..e856fb40f8f148d1abe1975908f3d52a83be7939
--- /dev/null
+++ b/tests/external-signed-ca-with-automatic-copy/install-server-with-external-ca-with-automatic-copy.yml
@@ -0,0 +1,36 @@
+---
+- name: Playbook to configure IPA server step1
+ hosts: ipaserver
+ become: true
+ vars:
+ ipaserver_external_ca: yes
+ ipaserver_copy_csr_to_controller: yes
+
+ roles:
+ - role: ipaserver
+ state: present
+
+- name: Create CA, get /root/ipa.csr signed by your CA, ..
+ hosts: localhost
+ gather_facts: false
+
+ tasks:
+ - name: Run external-ca.sh
+ command: >
+ /bin/bash
+ external-ca.sh
+ "{{ groups.ipaserver[0] }}"
+ "{{ ipaserver_domain | default(groups.ipaserver[0].split('.')[1:] | join ('.')) }}"
+ args:
+ chdir: "{{ playbook_dir }}"
+
+- name: Playbook to configure IPA server step2
+ hosts: ipaserver
+ become: true
+ vars:
+ ipaserver_external_cert_files_from_controller: "{{ groups.ipaserver[0] + '-chain.crt' }}"
+ #ipaserver_external_ca_file: "{{ groups.ipaserver[0] + '-cacert.asc' }}"
+
+ roles:
+ - role: ipaserver
+ state: present
diff --git a/tests/external-signed-ca-with-automatic-copy/inventory b/tests/external-signed-ca-with-automatic-copy/inventory
new file mode 100644
index 0000000000000000000000000000000000000000..e1694c0bde56b4e2e2c66d9c249dee1863298d8e
--- /dev/null
+++ b/tests/external-signed-ca-with-automatic-copy/inventory
@@ -0,0 +1,8 @@
+[ipaserver]
+ipaserver.test.local
+
+[ipaservcer:vars]
+ipaadmin_password=SomeADMINpassword
+ipadm_password=SomeDMpassword
+ipaserver_domain=test.local
+ipaserver_realm=TEST.LOCAL
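Review bot: In the `Run external-ca.sh` task the play targets `localhost`, so the `ipaserver_domain` it reads is, as far as I can tell, not the value the inventory sets as an ipaserver group var (group vars attach to the ipaserver hosts, not to localhost); unless it is passed as an extra var, the `default(...)` branch always runs and the domain is derived from the server FQDN. If the inventory value is meant to win, read it through the server's hostvars: `"{{ hostvars[groups.ipaserver[0]].ipaserver_domain | default(groups.ipaserver[0].split('.')[1:] | join('.')) }}"`. The same applies to the manual-copy playbook in the fourth hunk. Separately, `ipaserver_external_ca: yes` and `ipaserver_copy_csr_to_controller: yes` use YAML 1.1 truthy spellings while `become: true` in the same play uses the canonical form; `true` throughout keeps yamllint and ansible-lint quiet.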
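Review bot: The vars section header is spelled `[ipaservcer:vars]`, which does not match the `[ipaserver]` group above it, so ipaadmin_password, ipadm_password, ipaserver_domain and ipaserver_realm are attached to a group that has no hosts and never reach ipaserver.test.local; Ansible would also warn about the unknown group. Change it to `[ipaserver:vars]`. The inventory in the last hunk (manual-copy) carries the same typo.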
diff --git a/tests/external-signed-ca-with-manual-copy/external-ca.sh b/tests/external-signed-ca-with-manual-copy/external-ca.sh
new file mode 100644
index 0000000000000000000000000000000000000000..bf4cb69601992178564abe65a918c97e8e9f09a8
--- /dev/null
+++ b/tests/external-signed-ca-with-manual-copy/external-ca.sh
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+master=$1
+if [ -z "$master" ]; then
+ echo "ERROR: master is not set"
+ echo
+ echo "usage: $0 master-fqdn domain"
+ exit 0;
+fi
+
+PASSWORD="SomeCApassword"
+DBDIR="${master}-nssdb"
+PWDFILE="$DBDIR/pwdfile.txt"
+NOISE="/etc/passwd"
+
+domain=$2
+if [ -z "$domain" ]; then
+ echo "ERROR: domain is not set"
+ echo
+ echo "usage: $0 master-fqdn domain"
+ exit 0;
+fi
+
+if [ ! -f "${master}-ipa.csr" ]; then
+ echo "ERROR: ${master}-ipa.csr missing"
+ exit 1;
+fi
+
+ROOT_KEY_ID=0x$(dd if=/dev/urandom bs=20 count=1 | xxd -p)
+IPA_CA_KEY_ID=0x$(dd if=/dev/urandom bs=20 count=1 | xxd -p)
+
+rm -rf "$DBDIR"
+mkdir "$DBDIR"
+echo "$PASSWORD" > "$PWDFILE"
+certutil -N -d "$DBDIR" -f "$PWDFILE"
+echo -e "0\n1\n5\n6\n9\ny\ny\n\ny\n${ROOT_KEY_ID}\nn\n" \
+ | certutil -d "$DBDIR" -f "$PWDFILE" -S -z "$NOISE" -n ca -x -t C,C,C \
+ -s "CN=PRIMARY,O=$domain" -x -1 -2 --extSKID
+
+openssl req -outform der -in "${master}-ipa.csr" -out "$DBDIR/req.csr"
+echo -e "0\n1\n5\n6\n9\ny\ny\n\ny\ny\n${ROOT_KEY_ID}\n\n\nn\n${IPA_CA_KEY_ID}\nn\n" \
+ | certutil -d "$DBDIR" -f "$PWDFILE" -C -z "$NOISE" -c ca \
+ -i "$DBDIR/req.csr" -o "$DBDIR/external.cer" -1 -2 -3 --extSKID
+
+openssl x509 -inform der -in "$DBDIR/external.cer" -out "$DBDIR/external.pem"
+certutil -L -n ca -d "$DBDIR" -a > "$DBDIR/ca.crt"
+cat "$DBDIR/external.pem" "$DBDIR/ca.crt" > "$DBDIR/chain.crt"
+
+cp "$DBDIR/chain.crt" "${master}-chain.crt"
diff --git a/tests/external-signed-ca-with-manual-copy/install-server-with-external-ca-with-manual-copy.yml b/tests/external-signed-ca-with-manual-copy/install-server-with-external-ca-with-manual-copy.yml
new file mode 100644
index 0000000000000000000000000000000000000000..33b466ca2581cce976f75236be010a11a305ccc6
--- /dev/null
+++ b/tests/external-signed-ca-with-manual-copy/install-server-with-external-ca-with-manual-copy.yml
@@ -0,0 +1,49 @@
+---
+- name: Playbook to configure IPA server step1
+ hosts: ipaserver
+ become: true
+ vars:
+ ipaserver_external_ca: yes
+
+ roles:
+ - role: ipaserver
+ state: present
+
+ post_tasks:
+ - name: Copy CSR /root/ipa.csr from node to "{{ groups.ipaserver[0] + '-ipa.csr' }}"
+ fetch:
+ src: /root/ipa.csr
+ dest: "{{ groups.ipaserver[0] + '-ipa.csr' }}"
+ flat: yes
+
+- name: Get /root/ipa.csr, create CA, sign with our CA and copy to node
+ hosts: localhost
+ gather_facts: false
+
+ tasks:
+ - name: Run external-ca.sh
+ command: >
+ /bin/bash
+ external-ca.sh
+ "{{ groups.ipaserver[0] }}"
+ "{{ ipaserver_domain | default(groups.ipaserver[0].split('.')[1:] | join ('.')) }}"
+ args:
+ chdir: "{{ playbook_dir }}"
+
+- name: Playbook to configure IPA server step2
+ hosts: ipaserver
+ become: true
+ vars:
+ ipaserver_external_cert_files: "/root/chain.crt"
+ #ipaserver_external_ca_file: "cacert.asc"
+
+ pre_tasks:
+ - name: Copy "{{ groups.ipaserver[0] + '-chain.crt' }}" to /root/chain.crt on node
+ copy:
+ src: "{{ groups.ipaserver[0] + '-chain.crt' }}"
+ dest: "/root/chain.crt"
+ force: yes
+
+ roles:
+ - role: ipaserver
+ state: present
diff --git a/tests/external-signed-ca-with-manual-copy/inventory b/tests/external-signed-ca-with-manual-copy/inventory
new file mode 100644
index 0000000000000000000000000000000000000000..e1694c0bde56b4e2e2c66d9c249dee1863298d8e
--- /dev/null
+++ b/tests/external-signed-ca-with-manual-copy/inventory
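Review bot: Nothing in this playbook cleans up what external-ca.sh leaves in `playbook_dir` after the step2 copy: the `{{ groups.ipaserver[0] }}-nssdb` directory holds the test CA's signing key together with its pwdfile.txt, and the `*-chain.crt` and fetched `*-ipa.csr` sit next to it, so a later run or commit can pick up a CA key from the test tree. A final `file` task with `state: absent` on localhost for those paths (or a .gitignore entry for `*-nssdb/`, `*-chain.crt` and `*-ipa.csr`) would keep the material contained; the automatic-copy playbook in the second hunk has the same gap. Also, `ipaserver_external_ca: yes`, `flat: yes` and `force: yes` are YAML 1.1 truthy spellings next to `become: true` and `gather_facts: false`; `true` throughout is the canonical form.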
@@ -0,0 +1,8 @@
+[ipaserver]
+ipaserver.test.local
+
+[ipaservcer:vars]
+ipaadmin_password=SomeADMINpassword
+ipadm_password=SomeDMpassword
+ipaserver_domain=test.local
+ipaserver_realm=TEST.LOCAL