diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 9f7cad85a..852bcec82 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -645,7 +645,6 @@ class CertDB(object):
         return self.nssdb.export_pem_cert(nickname, location)
 
     def request_service_cert(self, nickname, principal, host, pwdconf=False):
-        self.create_from_cacert(paths.IPA_CA_CRT)
         if pwdconf:
             self.create_password_conf()
         reqid = certmonger.request_cert(nssdb=self.secdir,
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index a7d1b6474..7d283d0d8 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -1252,6 +1252,7 @@ class DsInstance(service.Service):
         subject = self.subject_base or DN(('O', self.realm))
         nssdb_dir = config_dirname(self.serverid)
         db = certs.CertDB(self.realm, nssdir=nssdb_dir, subject_base=subject)
+        db.create_from_cacert(paths.IPA_CA_CRT)
         db.request_service_cert(self.nickname, self.principal, self.fqdn)
         db.create_pin_file()