diff --git a/.gitignore b/.gitignore
index 8b57dbcdd..8f4c2aa7a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -77,7 +77,6 @@ freeipa2-dev-doc
 /daemons/dnssec/ipa-ods-exporter.socket
 /daemons/ipa-kdb/ipa_kdb_tests
 /daemons/ipa-kdb/tests/.dirstamp
-/daemons/ipa-kdb/ipa-certauth
 /daemons/ipa-otpd/ipa-otpd
 /daemons/ipa-otpd/ipa-otpd.socket
 /daemons/ipa-otpd/ipa-otpd@.service
diff --git a/daemons/ipa-kdb/Makefile.am b/daemons/ipa-kdb/Makefile.am
index 259bc3b20..5669349af 100644
--- a/daemons/ipa-kdb/Makefile.am
+++ b/daemons/ipa-kdb/Makefile.am
@@ -44,12 +44,6 @@ dist_noinst_DATA = ipa_kdb.exports
 
 if BUILD_IPA_CERTAUTH_PLUGIN
 ipadb_la_SOURCES += ipa_kdb_certauth.c
-
-
-krb5confdir = $(sysconfdir)/krb5.conf.d
-krb5conf_DATA = ipa-certauth
-else
-dist_noinst_DATA += ipa-certauth
 endif
 
 ipadb_la_LDFLAGS = \
diff --git a/daemons/ipa-kdb/ipa-certauth b/daemons/ipa-kdb/ipa-certauth
deleted file mode 100644
index 6fde08284..000000000
--- a/daemons/ipa-kdb/ipa-certauth
+++ /dev/null
@@ -1,5 +0,0 @@
-[plugins]
- certauth = {
- module = ipakdb:kdb/ipadb.so
- enable_only = ipakdb
- }
diff --git a/freeipa.spec.in b/freeipa.spec.in
index f3cf43376..b03cd7cbf 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1213,7 +1213,6 @@ fi
 %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck
 %config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf
 %config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf
-%config(noreplace) %{_sysconfdir}/krb5.conf.d/ipa-certauth
 %dir %{_libexecdir}/ipa/certmonger
 %attr(755,root,root) %{_libexecdir}/ipa/certmonger/*
 # NOTE: systemd specific section
diff --git a/install/share/krb5.conf.template b/install/share/krb5.conf.template
index 1f18ff90d..e3420e537 100644
--- a/install/share/krb5.conf.template
+++ b/install/share/krb5.conf.template
@@ -1,4 +1,4 @@
-includedir /etc/krb5.conf.d/
+$INCLUDES
 includedir /var/lib/sss/pubconf/krb5.include.d/
 
 [logging]
@@ -35,3 +35,8 @@ $OTHER_DOMAIN_REALM_MAPS
 db_library = ipadb.so
 }
 
+[plugins]
+ certauth = {
+ module = ipakdb:kdb/ipadb.so
+ enable_only = ipakdb
+ }
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 46d57b0db..cccef4f88 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -640,14 +640,18 @@ def configure_krb5_conf(
 'value': 'File modified by ipa-client-install'
 },
 krbconf.emptyLine(),
- {
- 'name': 'includedir',
- 'type': 'option',
- 'value': paths.COMMON_KRB5_CONF_DIR,
- 'delim': ' '
- }
 ]
 
+ if os.path.exists(paths.COMMON_KRB5_CONF_DIR):
+ opts.extend([
+ {
+ 'name': 'includedir',
+ 'type': 'option',
+ 'value': paths.COMMON_KRB5_CONF_DIR,
+ 'delim': ' '
+ }
+ ])
+
 # SSSD include dir
 if configure_sssd:
 opts.extend([
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 6b51e65d1..f0875fbc9 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -249,6 +249,11 @@ class KrbInstance(service.Service):
 root_logger.critical("krb5kdc service failed to start")
 
 def __setup_sub_dict(self):
+ if os.path.exists(paths.COMMON_KRB5_CONF_DIR):
+ includes = 'includedir {}'.format(paths.COMMON_KRB5_CONF_DIR)
+ else:
+ includes = ''
+
 self.sub_dict = dict(FQDN=self.fqdn,
 IP=self.ip,
 PASSWORD=self.kdc_password,
@@ -264,7 +269,8 @@ class KrbInstance(service.Service):
 KDC_KEY=paths.KDC_KEY,
 CACERT_PEM=paths.CACERT_PEM,
 KDC_CA_BUNDLE_PEM=paths.KDC_CA_BUNDLE_PEM,
- CA_BUNDLE_PEM=paths.CA_BUNDLE_PEM)
+ CA_BUNDLE_PEM=paths.CA_BUNDLE_PEM,
+ INCLUDES=includes)
 
 # IPA server/KDC is not a subdomain of default domain
 # Proper domain-realm mapping needs to be specified
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index ba22c38b9..6b34d0cfe 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
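Review bot: The new `[plugins]` stanza carries no comment on `enable_only = ipakdb`, which is the security-relevant half of it: as far as I understand krb5's certauth interface, enable_only disables every other certauth module (the built-in SAN/EKU checks included), so the IPA KDB plugin's verdict on a PKINIT client certificate becomes final, with nothing else able to reject a certificate it accepts. krb5.conf is a file administrators edit, so a note stops someone from "tidying" the stanza away, e.g. `# certauth: the IPA KDB plugin is the sole authority for mapping PKINIT client certificates to principals; enable_only keeps krb5's built-in certauth modules from second-guessing it.` The same stanza is also written by the server upgrade code, so the two copies need to stay in sync.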
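Review bot: The new guard in configure_krb5_conf tests `os.path.exists`, so a stray regular file at paths.COMMON_KRB5_CONF_DIR still produces an `includedir` line for something krb5 cannot open as a directory — and an includedir target krb5 cannot read is, I believe, a fatal krb5.conf parse error (which looks like the very problem this change works around for platforms without /etc/krb5.conf.d). `if os.path.isdir(paths.COMMON_KRB5_CONF_DIR):` is the check that matches what krb5 actually needs. It is also worth stating in a comment that this is an install-time decision, since a drop-in directory created by a package installed later is not picked up until the client is reconfigured, e.g. `# Only include the system drop-in directory if it exists now; krb5 refuses to parse krb5.conf when an includedir cannot be opened.` The function starts before and ends after this hunk.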
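Review bot: `__setup_sub_dict` makes the same `os.path.exists` decision as the client installer and has the same gap: a non-directory at that path still yields an `includedir` line in the KDC's krb5.conf, which the KDC then cannot parse; `os.path.isdir(paths.COMMON_KRB5_CONF_DIR)` is the right test here as well. Both installers now duplicate the check and the `'includedir {}'` string, so a small shared helper returning either that line or `''` would keep them from drifting apart. When the directory is absent `$INCLUDES` expands to an empty first line in the rendered krb5.conf, which is harmless but deserves a one-line comment so nobody "fixes" the template. The method continues past the end of the hunk.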
@@ -1553,6 +1553,38 @@ def setup_pkinit(krb):
 aug.close()
 
 
+def enable_certauth(krb):
+ root_logger.info("[Enable certauth]")
+
+ aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD,
+ loadpath=paths.USR_SHARE_IPA_DIR)
+ try:
+ aug.transform('IPAKrb5', paths.KRB5_CONF)
+ aug.load()
+
+ path = '/files{}/plugins/certauth'.format(paths.KRB5_CONF)
+ modified = False
+
+ if not aug.match(path):
+ aug.set('{}/module'.format(path), 'ipakdb:kdb/ipadb.so')
+ aug.set('{}/enable_only'.format(path), 'ipakdb')
+ modified = True
+
+ if modified:
+ try:
+ aug.save()
+ except IOError:
+ for error_path in aug.match('/augeas//error'):
+ root_logger.error('augeas: %s', aug.get(error_path))
+ raise
+
+ if krb.is_running():
+ krb.stop()
+ krb.start()
+ finally:
+ aug.close()
+
+
 def disable_httpd_system_trust(http):
 ca_certs = []
 
@@ -1846,6 +1878,7 @@ def upgrade_configuration():
 CA_BUNDLE_PEM=paths.CA_BUNDLE_PEM)
 krb.add_anonymous_principal()
 setup_pkinit(krb)
+ enable_certauth(krb)
 
 if not ds_running:
 ds.stop(ds_serverid)
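Review bot: `enable_certauth` decides whether to add the stanza solely by `aug.match` on krb5.conf itself, so a certauth definition that reaches the KDC through an includedir drop-in — such as the `/etc/krb5.conf.d/ipa-certauth` file this commit stops installing, on a host where nothing removed it (rpm deletes the unmodified file, but a non-RPM install from an older tree does not) — is invisible to the check and the KDC ends up with two certauth stanzas; whether krb5 tolerates the duplicate `module` entry should be verified, or the upgrade should remove the stale drop-in explicitly. The function also has no docstring, and the security consequence of `enable_only = ipakdb` — krb5's other certauth modules are disabled, so the IPA KDB plugin's verdict on PKINIT client certificates is final — is exactly what the next maintainer needs to know; a two-line docstring stating that, plus that the KDC is restarted after krb5.conf is rewritten, would do. Indentation is lost in this rendering, so I cannot see whether the stop/start is nested under `if modified:`; it should be, so an already-configured KDC is not bounced on every upgrade run.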