diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py
index 3cc020896..746c534dc 100644
--- a/ipaserver/install/kra.py
+++ b/ipaserver/install/kra.py
@@ -16,7 +16,7 @@ from ipaplatform import services
 from ipaplatform.paths import paths
 from ipapython import ipautil
 from ipapython.install.core import group
-from ipaserver.install import cainstance
+from ipaserver.install import ca, cainstance
 from ipaserver.install import krainstance
 from ipaserver.install import dsinstance
 from ipaserver.install import service as _service
@@ -86,10 +86,13 @@ def install(api, replica_config, options, custodia):
 master_host = replica_config.kra_host_name
 promote = True
+ ca_subject = ca.lookup_ca_subject(api, subject_base)
+
 kra = krainstance.KRAInstance(realm_name)
 kra.configure_instance(
 realm_name, host_name, dm_password, dm_password,
 subject_base=subject_base,
+ ca_subject=ca_subject,
 pkcs12_info=pkcs12_info,
 master_host=master_host,
 promote=promote,
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index 4f8849b73..46c9c63ea 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -81,7 +81,7 @@ class KRAInstance(DogtagInstance):
 def configure_instance(self, realm_name, host_name, dm_password,
 admin_password, pkcs12_info=None, master_host=None,
- subject_base=None, subject=None,
+ subject_base=None, ca_subject=None,
 promote=False, pki_config_override=None):
 """Create a KRA instance.
@@ -99,8 +99,9 @@ class KRAInstance(DogtagInstance):
 self.subject_base = \
 subject_base or installutils.default_subject_base(realm_name)
- self.subject = \
- subject or installutils.default_ca_subject_dn(self.subject_base)
+
+ # eagerly convert to DN to ensure validity
+ self.ca_subject = DN(ca_subject)
 self.realm = realm_name
 self.suffix = ipautil.realm_to_suffix(realm_name)
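Review bot: The new `ca_subject = ca.lookup_ca_subject(api, subject_base)` line in the @@ -86 hunk carries no comment on why the CA subject is now fetched through the API instead of being derived from subject_base, which is what the removed `installutils.default_ca_subject_dn(self.subject_base)` fallback in krainstance.py used to do; a one-line why-comment would spare the next reader that archaeology. Something like `# presumably the deployed CA subject can differ from the default derived from subject_base, so fetch the recorded value instead of deriving it` above the call, with the wording firmed up by whoever knows the intent. What `lookup_ca_subject` returns when no CA subject is recorded is not visible here, so whether a None result can reach the `DN(ca_subject)` conversion in KRAInstance.configure_instance is worth confirming. install()'s body starts before and continues after this hunk.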
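Review bot: `ca_subject` keeps a `None` default in the configure_instance signature (hunk @@ -81) while the body now runs `self.ca_subject = DN(ca_subject)` unconditionally (hunk @@ -99), so a caller that omits the argument gets whatever DN raises for None rather than a message naming the missing argument; the old `subject` parameter had a fallback, the new one has none. Either make the requirement explicit with `if ca_subject is None: raise ValueError("ca_subject is required")` immediately before the conversion, or document it as mandatory in the docstring; in any case the docstring that begins `"""Create a KRA instance.` should now describe ca_subject in place of the removed subject. Whether DN(None) raises TypeError or something else is not visible in this diff. configure_instance continues outside both hunks.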
@@ -258,7 +259,7 @@ class KRAInstance(DogtagInstance):
 userCertificate=[cert],
 description=['2;%s;%s;%s' % (
 cert.serial_number,
- DN(self.subject),
+ self.ca_subject,
 DN(('CN', 'IPA RA'), self.subject_base))])
 conn.add_entry(entry)