diff --git a/ipapython/secrets/client.py b/ipapython/secrets/client.py
index 5b671988d..56ed6f794 100644
--- a/ipapython/secrets/client.py
+++ b/ipapython/secrets/client.py
@@ -41,16 +41,22 @@ class CustodiaClient(object):
 return iSecStore(config)
- def __init__(self, client, server, realm, ldap_uri=None, auth_type=None):
- self.client = client
- self.creds = None
+ def __init__(
+ self, client_service, keyfile, keytab, server, realm,
+ ldap_uri=None, auth_type=None):
+ self.client_service = client_service
+ self.keytab = keytab
+
+ # Init creds immediately to make sure they are valid. Creds
+ # can also be re-inited by _auth_header to avoid expiry.
+ #
+ self.creds = self.init_creds()
 self.service_name = gssapi.Name('HTTP@%s' % (server,), gssapi.NameType.hostbased_service)
 self.server = server
- keyfile = os.path.join(paths.IPA_CUSTODIA_CONF_DIR, 'server.keys')
- self.ikk = IPAKEMKeys({'server_keys': keyfile})
+ self.ikk = IPAKEMKeys({'server_keys': keyfile, 'ldap_uri': ldap_uri})
 self.kemcli = KEMClient(self._server_keys(server, realm), self._client_keys())
@@ -61,9 +67,9 @@ class CustodiaClient(object):
 requests.packages.urllib3.disable_warnings()
 def init_creds(self):
- name = gssapi.Name('host@%s' % (self.client,),
+ name = gssapi.Name(self.client_service,
 gssapi.NameType.hostbased_service)
- store = {'client_keytab': paths.KRB5_KEYTAB,
+ store = {'client_keytab': self.keytab,
 'ccache': 'MEMORY:Custodia_%s' % b64encode(os.urandom(8))}
 return gssapi.Credentials(name=name, store=store, usage='initiate')
diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py
index d5c5bf738..fd30430bb 100644
--- a/ipaserver/install/custodiainstance.py
+++ b/ipaserver/install/custodiainstance.py
@@ -12,6 +12,7 @@ from ipaserver.install import ldapupdate
 from ipaserver.install import sysupgrade
 from base64 import b64encode, b64decode
 from jwcrypto.common import json_decode
+import functools
 import shutil
 import os
 import tempfile
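Review bot: With the default `ldap_uri=None`, the rewritten `self.ikk = IPAKEMKeys({'server_keys': keyfile, 'ldap_uri': ldap_uri})` now hands IPAKEMKeys an explicit `'ldap_uri': None` entry where the old call passed only `server_keys`; whether IPAKEMKeys distinguishes a present-but-None key from an absent one is not visible here, so the safer form is `config = {'server_keys': keyfile}`, `if ldap_uri is not None: config['ldap_uri'] = ldap_uri`, `self.ikk = IPAKEMKeys(config)`. The constructor also now acquires GSSAPI credentials from `keytab` up front through `self.creds = self.init_creds()`, so building a client can fail (or touch the keytab) where it previously could not, and the `self.client` attribute is gone, which breaks any reader outside this hunk. The new signature should carry a docstring stating that fail-fast behaviour and describing `client_service` (a hostbased GSSAPI service name; the installer passes `host@<fqdn>`), `keyfile` (path to the server keys file given to IPAKEMKeys) and `keytab` (client keytab used to populate the MEMORY ccache). `__init__` continues beyond the end of this hunk.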
@@ -28,6 +29,13 @@ class CustodiaInstance(SimpleServiceInstance):
 self.fqdn = host_name
 self.realm = realm
 self.ca_is_configured = ca_is_configured
+ self.__CustodiaClient = functools.partial(
+ CustodiaClient,
+ client_service='host@%s' % self.fqdn,
+ keyfile=self.server_keys,
+ keytab=paths.KRB5_KEYTAB,
+ realm=realm,
+ )
 def __config_file(self):
 template_file = os.path.basename(self.config_file) + '.template'
@@ -94,11 +102,11 @@ class CustodiaInstance(SimpleServiceInstance):
 updater.update([os.path.join(paths.UPDATES_DIR, '73-custodia.update')])
 def __import_ra_key(self):
- cli = CustodiaClient(self.fqdn, self.master_host_name, self.realm)
+ cli = self.__CustodiaClient(server=self.master_host_name)
 cli.fetch_key('ra/ipaCert')
 def import_dm_password(self, master_host_name):
- cli = CustodiaClient(self.fqdn, master_host_name, self.realm)
+ cli = self.__CustodiaClient(server=master_host_name)
 cli.fetch_key('dm/DMHash')
 def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data):
@@ -108,7 +116,7 @@ class CustodiaInstance(SimpleServiceInstance):
 prefix = data['prefix']
 certlist = data['list']
- cli = CustodiaClient(self.fqdn, ca_host, self.realm)
+ cli = self.__CustodiaClient(server=ca_host)
 # Temporary nssdb
 tmpnssdir = tempfile.mkdtemp(dir=paths.TMP)
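Review bot: The partial captures `keyfile=self.server_keys` at the moment it is built, but nothing in this hunk assigns `self.server_keys` before that line; if it is set later in `__init__` or only as a class attribute, the factory either raises AttributeError here or freezes a stale value, so the assignment order should be confirmed. No `ldap_uri` is bound either, so every client created through `self.__CustodiaClient` in the two later hunks of this file (`__import_ra_key`, `import_dm_password`, `__get_keys`) passes `ldap_uri=None` into the new IPAKEMKeys config; if the LDAP-backed key lookup is meant to serve these installer paths, add `ldap_uri=...` to the partial as well. The double-underscore attribute is name-mangled to `_CustodiaInstance__CustodiaClient`, which makes it awkward to patch in tests compared with a single-underscore `_custodia_client`, and a short comment such as `# Client factory pre-bound to this host's service principal and keytab; only 'server' varies per call.` would explain why a partial is stored on the instance. `__init__` continues outside this hunk.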