diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 6c89e7780..f1410e5ae 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -169,6 +169,19 @@ class NSSDatabase(object):
                     new_mode = filemode
                 os.chmod(path, new_mode)
 
+    def restore(self):
+        for filename in NSS_FILES:
+            path = os.path.join(self.secdir, filename)
+            backup_path = path + '.orig'
+            save_path = path + '.ipasave'
+            try:
+                if os.path.exists(path):
+                    os.rename(path, save_path)
+                if os.path.exists(backup_path):
+                    os.rename(backup_path, path)
+            except OSError as e:
+                root_logger.debug(e)
+
     def list_certs(self):
         """Return nicknames and cert flags for all certs in the database
 
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 9f340b867..0ca971358 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -234,6 +234,9 @@ class CertDB(object):
                              backup=True)
         self.set_perms(self.passwd_fname, write=True)
 
+    def restore(self):
+        self.nssdb.restore()
+
     def list_certs(self):
         """
         Return a tuple of tuples containing (nickname, trust)
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index ca3bcc87e..f6f0b0c4f 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -555,6 +555,9 @@ class HTTPInstance(service.Service):
                 ca_iface.Set('org.fedorahosted.certmonger.ca',
                              'external-helper', helper)
 
+        db = certs.CertDB(self.realm, paths.HTTPD_ALIAS_DIR)
+        db.restore()
+
         for f in [paths.HTTPD_IPA_CONF, paths.HTTPD_SSL_CONF, paths.HTTPD_NSS_CONF]:
             try:
                 self.fstore.restore_file(f)