diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 8be4e1f86..15433f663 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1241,8 +1241,9 @@ class CAInstance(DogtagInstance):
 except Exception as e:
 syslog.syslog(syslog.LOG_ERR, "Failed to backup CS.cfg: %s" % e)
- DogtagInstance.update_cert_cs_cfg(
- nickname, cert, directives, paths.CA_CS_CFG_PATH)
+ if nickname in directives:
+ DogtagInstance.update_cert_cs_cfg(
+ directives[nickname], cert, paths.CA_CS_CFG_PATH)
 def __create_ds_db(self):
 '''
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 9f094d834..b65628277 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -370,21 +370,20 @@ class DogtagInstance(service.Service):
 cmonger.stop()
 @staticmethod
- def update_cert_cs_cfg(nickname, cert, directives, cs_cfg):
+ def update_cert_cs_cfg(directive, cert, cs_cfg):
 """
 When renewing a Dogtag subsystem certificate the configuration file needs to get the new certificate as well.
- nickname is one of the known nicknames.
+ ``directive`` is the directive to update in CS.cfg
 cert is a DER-encoded certificate.
- directives is the list of directives to be updated for the subsystem
 cs_cfg is the path to the CS.cfg file
 """
 with stopped_service('pki-tomcatd', 'pki-tomcat'):
 installutils.set_directive(
 cs_cfg,
- directives[nickname],
+ directive,
 base64.b64encode(cert),
 quotes=False,
 separator='=')
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index 67ad6544c..dc4472688 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
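Review bot: When `nickname` has no entry in `directives`, the new `if nickname in directives:` guard in cainstance.py skips the CS.cfg update without leaving any trace, whereas the old code looked up `directives[nickname]` inside update_cert_cs_cfg and would have raised on a missing key. A renewed certificate whose copy in CS.cfg was not refreshed is hard to diagnose afterwards, so the skip should be recorded, for example `else: syslog.syslog(syslog.LOG_INFO, "No CS.cfg directive for %s, not updating" % nickname)`, in line with the syslog call already used just above. The identical guard in the KRAInstance hunk of krainstance.py has the same gap. The enclosing method starts outside the hunk, so whether an unmapped nickname is an expected case here is inferred rather than visible.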
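Review bot: The docstring of `update_cert_cs_cfg` in dogtaginstance.py should say that `directive` is written to CS.cfg exactly as passed, because the nickname lookup that used to restrict it to a known directive now lives in the callers. I would word that line as `directive is the CS.cfg directive to update, taken by the caller from its nickname mapping`, and either drop the reST double backticks or apply them to `cert` and `cs_cfg` too so the three parameter lines read alike. The signature also loses a positional parameter, so a caller outside this diff that still passes four arguments would fail with a TypeError at renewal time; only the two callers shown here are visibly updated.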
@@ -348,8 +348,9 @@ class KRAInstance(DogtagInstance):
 'subsystemCert cert-pki-kra': 'kra.subsystem.cert',
 'Server-Cert cert-pki-ca': 'kra.sslserver.cert'}
- DogtagInstance.update_cert_cs_cfg(
- nickname, cert, directives, paths.KRA_CS_CFG_PATH)
+ if nickname in directives:
+ DogtagInstance.update_cert_cs_cfg(
+ directives[nickname], cert, paths.KRA_CS_CFG_PATH)
 def __enable_instance(self):
 self.ldap_enable('KRA', self.fqdn, None, self.suffix)