diff --git a/.github/workflows/ca-clone-replicated-ds-test.yml b/.github/workflows/ca-clone-replicated-ds-test.yml
index 016c3594a2c..be7b57b40a0 100644
--- a/.github/workflows/ca-clone-replicated-ds-test.yml
+++ b/.github/workflows/ca-clone-replicated-ds-test.yml
@@ -69,6 +69,15 @@ jobs:
 --pkcs12-password Secret.123
 docker exec primary pki -n caadmin ca-user-show caadmin
+ - name: Export system certs and keys from primary CA
+ run: |
+ docker exec primary pki-server ca-clone-prepare \
+ --pkcs12-file $SHARED/ca-certs.p12 \
+ --pkcs12-password Secret.123
+
+ docker exec primary pki-server cert-export ca_signing \
+ --cert-file $SHARED/ca_signing.crt
+
 - name: Set up secondary DS container
 run: |
 tests/bin/ds-container-create.sh secondaryds
@@ -80,6 +89,28 @@ jobs:
 - name: Connect secondary DS container to network
 run: docker network connect example secondaryds --alias secondaryds.example.com
+ - name: Set up secondary PKI container
+ run: |
+ tests/bin/runner-init.sh secondary
+ env:
+ HOSTNAME: secondary.example.com
+
+ - name: Connect secondary PKI container to network
+ run: docker network connect example secondary --alias secondary.example.com
+
+ - name: Create secondary PKI server
+ run: |
+ docker exec secondary pki-server create
+ docker exec secondary pki-server nss-create --no-password
+
+ - name: Import system certs and keys into secondary CA
+ run: |
+ docker exec secondary pki \
+ -d /etc/pki/pki-tomcat/alias \
+ pkcs12-import \
+ --pkcs12 $SHARED/ca-certs.p12 \
+ --password Secret.123
+
 # https://github.com/dogtagpki/389-ds-base/wiki/Configuring-DS-Replication-with-DS-Tools
 - name: Preparing DS backend
 run: |
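Review bot: The new "Import system certs and keys into secondary CA" step (second hunk) assumes `pkcs12-import` populated `/etc/pki/pki-tomcat/alias` but never inspects the result, so an empty or partial import would only show up later in the `pkispawn` run (outside this hunk) with a less direct error. Listing the database right after the import, e.g. `docker exec secondary certutil -L -d /etc/pki/pki-tomcat/alias`, would pin the expected nicknames at the point where the import can fail. Separately, `$SHARED/ca-certs.p12` holds the primary CA's private keys under the fixed password `Secret.123`, and since the later `pkispawn` invocation no longer consumes it, the file now stays in the shared volume for the rest of the job; adding `rm -f $SHARED/ca-certs.p12` at the end of this step limits the key material to the one step that needs it.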
@@ -218,24 +249,6 @@ jobs:
 diff primaryds.dn secondaryds.dn
- - name: Export certs and keys from primary CA
- run: |
- docker exec primary pki-server ca-clone-prepare \
- --pkcs12-file $SHARED/ca-certs.p12 \
- --pkcs12-password Secret.123
-
- docker exec primary pki-server cert-export ca_signing \
- --cert-file $SHARED/ca_signing.crt
-
- - name: Set up secondary PKI container
- run: |
- tests/bin/runner-init.sh secondary
- env:
- HOSTNAME: secondary.example.com
-
- - name: Connect secondary PKI container to network
- run: docker network connect example secondary --alias secondary.example.com
-
 # https://github.com/dogtagpki/pki/wiki/Installing-CA-Clone-with-Existing-DS
 - name: Install secondary CA
 run: |
@@ -246,8 +259,6 @@ jobs:
 -f /usr/share/pki/server/examples/installation/ca-clone.cfg \
 -s CA \
 -D pki_cert_chain_path=$SHARED/ca_signing.crt \
- -D pki_clone_pkcs12_path=$SHARED/ca-certs.p12 \
- -D pki_clone_pkcs12_password=Secret.123 \
 -D pki_ds_url=ldap://secondaryds.example.com:3389 \
 -D pki_ds_setup=False \
 -v
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index 2fbf13831a4..c6ea03c56f5 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -464,16 +464,6 @@ def verify_predefined_configuration_file_data(self):
 self.confirm_data_exists("pki_https_port")
 self.confirm_data_exists("pki_tomcat_server_port")
- # Check clone parameters for non-HSM clone
- if not config.str2bool(self.mdict['pki_hsm_enable']):
-
- # If system certificates are already provided via
- # pki_server_pkcs12, there's no need to provide
- # pki_clone_pkcs12.
- if not self.mdict['pki_server_pkcs12_path']:
- self.confirm_data_exists("pki_clone_pkcs12_path")
- self.confirm_file_exists("pki_clone_pkcs12_path")
-
 self.confirm_data_exists("pki_clone_replication_security")
 elif self.external:
diff --git a/base/server/python/pki/server/deployment/scriptlets/initialization.py b/base/server/python/pki/server/deployment/scriptlets/initialization.py
index 107553f8b3f..a67f6e2886a 100644
--- a/base/server/python/pki/server/deployment/scriptlets/initialization.py
+++ b/base/server/python/pki/server/deployment/scriptlets/initialization.py
@@ -73,19 +73,11 @@ def verify_sensitive_data(self, deployer):
 if configuration_file.clone:
- # Verify existence of PKCS #12 Password (ONLY for non-HSM Clones)
- if not config.str2bool(deployer.mdict['pki_hsm_enable']):
-
- # If system certificates are already provided via
- # pki_server_pkcs12, there's no need to provide
- # pki_clone_pkcs12.
- if not deployer.mdict['pki_server_pkcs12_path']:
- configuration_file.confirm_data_exists('pki_clone_pkcs12_password')
- # Verify absence of all PKCS #12 clone parameters for HSMs
- elif (os.path.exists(deployer.mdict['pki_clone_pkcs12_path']) or
- ('pki_clone_pkcs12_password' in deployer.mdict and
- len(deployer.mdict['pki_clone_pkcs12_password']))):
+ if config.str2bool(deployer.mdict['pki_hsm_enable']) and \
+ (os.path.exists(deployer.mdict['pki_clone_pkcs12_path']) or
+ ('pki_clone_pkcs12_password' in deployer.mdict and
+ len(deployer.mdict['pki_clone_pkcs12_password']))):
 logger.error(log.PKIHELPER_HSM_CLONES_MUST_SHARE_HSM_MASTER_PRIVATE_KEYS)
 raise Exception(
 log.PKIHELPER_HSM_CLONES_MUST_SHARE_HSM_MASTER_PRIVATE_KEYS)
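Review bot: The rewritten condition in `verify_sensitive_data` drops the non-HSM branch without recording where a non-HSM clone's system certificates are now expected to come from, and the old `# Verify absence of all PKCS #12 clone parameters for HSMs` comment was removed with it, so the surviving `if` reads as an unexplained HSM special case. A comment above it such as `# Non-HSM clones: system certs/keys are expected to be in the server NSS database already (or supplied via pki_server_pkcs12_*); for HSM clones reject any pki_clone_pkcs12_* input, since the private keys must stay in the shared HSM` would document the new contract — that intent is inferred from the workflow change, not from this file, so confirm it. The matching deletion in `pkihelper.py`'s `verify_predefined_configuration_file_data` (previous line) has the same gap: a non-HSM clone with neither imported certs nor `pki_server_pkcs12_path` set is no longer rejected at validation time and will fail later in the installation instead. On style, the `and \` backslash continuation followed by parenthesised operands is hard to scan; wrapping the whole condition in one outer pair of parentheses removes the backslash. `verify_sensitive_data` starts outside the hunk.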