diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install index 715c35b08..3451a8e0a 100755 --- a/install/tools/ipa-ca-install +++ b/install/tools/ipa-ca-install @@ -76,6 +76,11 @@ def parse_options(): help="Signing algorithm of the IPA CA certificate") parser.add_option("-P", "--principal", dest="principal", sensitive=True, default=None, help="User allowed to manage replicas") + parser.add_option("--subject-base", dest="subject_base", + default=None, + help=( + "The certificate subject base " + "(default O=)")) options, args = parser.parse_args() safe_options = parser.get_safe_opts(options) @@ -194,14 +199,13 @@ def install_master(safe_options, options): if dm_password is None: sys.exit("Directory Manager password required") - config = api.Command['config_show']()['result'] - subject_base = config['ipacertificatesubjectbase'][0] - options.realm_name = api.env.realm options.domain_name = api.env.domain options.dm_password = dm_password options.host_name = api.env.host - options.subject_base = subject_base + + if not options.subject_base: + options.subject_base = installutils.default_subject_base(api.env.realm) ca.install_check(True, None, options) ca.install(True, None, options) diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py index b5b2f2aaf..7b67110e2 100644 --- a/ipaserver/install/ca.py +++ b/ipaserver/install/ca.py @@ -15,6 +15,7 @@ import six from ipalib.install import certstore from ipalib.install.service import enroll_only, master_install_only, replica_install_only +from ipaserver.install import sysupgrade from ipapython.install import typing from ipapython.install.core import knob from ipaserver.install import (cainstance, 
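Review bot: The new `--subject-base` value is accepted as a free-form string at `parser.add_option("--subject-base", ...)`, and nothing visible in this hunk checks that it is a well-formed DN. The value appears to reach the subject-base configuration and the `certmap.conf` upgrade state written in `install_step_0`, so a malformed value should be rejected before anything is modified. I would parse it as a DN immediately after `parser.parse_args()` and call `parser.error(...)` on failure. parse_options continues outside the hunk, so such a check may already exist there.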
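Review bot: When `--subject-base` is omitted, install_master now falls back to `installutils.default_subject_base(api.env.realm)` and no longer reads `ipacertificatesubjectbase` from `config_show`. On a deployment installed with a non-default subject base, this would presumably pass the default into `ca.install` and replace the stored value, leaving issued certificate subjects and certificate mapping out of line with the existing configuration. I would keep the stored value as the first fallback, e.g. `options.subject_base = config['ipacertificatesubjectbase'][0]` inside the `if not options.subject_base:` branch, and use the default only when the config has none. A one-line comment stating the precedence (option, stored config, default) would help. install_master starts outside the hunk.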
@@ -212,6 +213,13 @@ def install_step_0(standalone, replica_config, options): ra_only = not replica_config.setup_ca promote = options.promote + # if upgrading from CA-less to CA-ful, need to rewrite + # subject_base configuration + # + set_subject_base_in_config(subject_base) + sysupgrade.set_upgrade_state( + 'certmap.conf', 'subject_base', str(subject_base)) + ca = cainstance.CAInstance(realm_name, certs.NSS_DIR, host_name=host_name) ca.configure_instance(host_name, dm_password, dm_password,
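Review bot: The comment says the subject base is rewritten "if upgrading from CA-less to CA-ful", but `set_subject_base_in_config(subject_base)` and `sysupgrade.set_upgrade_state('certmap.conf', 'subject_base', ...)` run unconditionally. They therefore also execute on the replica and promote paths that `ra_only` and `promote` point to just above. Either guard the two calls with the condition the comment describes or reword the comment to say the write is intentional on every path. Both writes also happen before `ca.configure_instance(...)`, so a failed CA setup would leave the configuration and upgrade state already pointing at the new subject base; moving them after a successful configure would avoid that. `set_subject_base_in_config` is not imported in the visible hunks, and install_step_0 starts and ends outside this one.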