diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 47183bb22..d2c2c70e5 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -518,6 +518,18 @@ class CAInstance(service.Service):
         pent = pwd.getpwnam(self.pki_user)
         os.chown('/var/lib/pki-ca/conf/CS.cfg', pent.pw_uid, pent.pw_gid )
+        # Update the servlet mapping to so we use the agent interface rather
+        # than the end-user interface. The agent interface always requires
+        # client auth which lets us work work around the NSS change which
+        # disallows renegotation (CVE-2009-3555)
+        #
+        # The spaces here, while ugly, are required because update_file()
+        # escapes the incoming string.
+        installutils.update_file('/var/lib/%s/webapps/ca/WEB-INF/web.xml' % PKI_INSTANCE_NAME,
+                                 ' /ee/ca/profileSubmitSSLClient ',
+                                 ' /agent/ca/profileSubmitSSLClient '
+)
+
         logging.debug("restarting ca instance")
         try:
             self.restart()
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 6e7eb82d1..4fb794c82 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -570,11 +570,11 @@ class CertDB(object):
         f = open(self.passwd_fname, "r")
         password = f.readline()
         f.close()
-        conn = nsslib.NSSConnection(self.host_name, 9444, dbdir=self.secdir)
+        conn = nsslib.NSSConnection(self.host_name, api.env.ca_agent_port, dbdir=self.secdir)
         conn.sslsock.set_client_auth_data_callback(client_auth_data_callback, "ipaCert", password, nss.get_default_certdb())
         conn.set_debuglevel(0)
-        conn.request("POST", "/ca/ee/ca/profileSubmit", params, headers)
+        conn.request("POST", "/ca/agent/ca/profileSubmitSSLClient", params, headers)
         res = conn.getresponse()
         data = res.read()
         conn.close()
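Review bot: The return value of the new `installutils.update_file(...)` call is discarded, so if web.xml is absent or the `/ee/ca/profileSubmitSSLClient` mapping is not matched (the match is whitespace-exact, as the comment itself admits) the switch to the agent interface silently does not happen while certs.py and dogtag.py now POST to `/ca/agent/...`. If update_file reports failure through its return value rather than by raising (its definition is outside this hunk, so confirm), the result should be checked and the failure made visible, e.g. `if installutils.update_file(...) != 0:` followed by `logging.error("failed to update the profileSubmitSSLClient servlet mapping in web.xml")`. The added comment also has typos worth fixing: `to so we use` → `so we use`, `work work around` → `work around`, `renegotation` → `renegotiation`. The enclosing method continues outside the hunk.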
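Review bot: The changed connection lines in this hunk (-570) and in the hunk at -664 are identical copies of each other (port from `api.env.ca_agent_port`, POST to `/ca/agent/ca/profileSubmitSSLClient` with the `ipaCert` client-auth callback), so the next endpoint or port change risks being applied to only one of them; a single private helper such as `_submit_to_agent(self, params, headers)` returning `data` would keep the agent endpoint in one place. Replacing the literal `9444` with `api.env.ca_agent_port` assumes `api` is imported in certs.py, which neither hunk shows and which the old code did not need — confirm. Both enclosing methods start and end outside their hunks.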
@@ -664,11 +664,11 @@ class CertDB(object):
         f = open(self.passwd_fname, "r")
         password = f.readline()
         f.close()
-        conn = nsslib.NSSConnection(self.host_name, 9444, dbdir=self.secdir)
+        conn = nsslib.NSSConnection(self.host_name, api.env.ca_agent_port, dbdir=self.secdir)
         conn.sslsock.set_client_auth_data_callback(client_auth_data_callback, "ipaCert", password, nss.get_default_certdb())
         conn.set_debuglevel(0)
-        conn.request("POST", "/ca/ee/ca/profileSubmit", params, headers)
+        conn.request("POST", "/ca/agent/ca/profileSubmitSSLClient", params, headers)
         res = conn.getresponse()
         data = res.read()
         conn.close()
diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index 9b799d45d..b64636300 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -1509,8 +1509,8 @@ class ra(rabase.rabase):
         # Call CMS
         http_status, http_reason_phrase, http_headers, http_body = \
-            self._sslget('/ca/ee/ca/profileSubmit',
-                         self.env.ca_ee_port,
+            self._sslget('/ca/agent/ca/profileSubmitSSLClient',
+                         self.env.ca_agent_port,
                          profileId='caIPAserviceCert',
                          cert_request_type=request_type,
                          cert_request=csr,
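Review bot: The switch to `/ca/agent/ca/profileSubmitSSLClient` on `self.env.ca_agent_port` only works if `_sslget` presents the agent (`ipaCert`) client certificate, because the agent interface requires client auth; `_sslget` is defined outside this hunk, so confirm it does, otherwise every profile submission from this plugin will be rejected where the old `/ee` path was accepted. The reason for preferring the agent interface is recorded only in cainstance.py, so a one-line comment above the call would spare the next reader a search: `# Use the agent interface (client-cert auth) rather than /ee; see the CVE-2009-3555 note in cainstance.py`. The `_sslget(...)` call continues past the end of the hunk.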