diff --git a/base/ca/src/main/java/com/netscape/ca/CertificateAuthority.java b/base/ca/src/main/java/com/netscape/ca/CertificateAuthority.java
index ed48f994be2..935d6714757 100644
--- a/base/ca/src/main/java/com/netscape/ca/CertificateAuthority.java
+++ b/base/ca/src/main/java/com/netscape/ca/CertificateAuthority.java
@@ -42,7 +42,6 @@
 import javax.servlet.http.HttpServletRequest;
-import org.apache.commons.lang3.StringUtils;
 import org.dogtagpki.server.authentication.AuthToken;
 import org.dogtagpki.server.ca.CAConfig;
 import org.dogtagpki.server.ca.CAEngine;
@@ -63,13 +62,13 @@
 import org.mozilla.jss.crypto.KeyPairAlgorithm;
 import org.mozilla.jss.crypto.KeyPairGenerator;
 import org.mozilla.jss.crypto.NoSuchItemOnTokenException;
+import org.mozilla.jss.crypto.ObjectNotFoundException;
 import org.mozilla.jss.crypto.SignatureAlgorithm;
 import org.mozilla.jss.crypto.TokenException;
 import org.mozilla.jss.crypto.X509Certificate;
 import org.mozilla.jss.netscape.security.pkcs.PKCS10;
 import org.mozilla.jss.netscape.security.util.DerOutputStream;
 import org.mozilla.jss.netscape.security.util.DerValue;
-import org.mozilla.jss.netscape.security.util.Utils;
 import org.mozilla.jss.netscape.security.x509.AlgorithmId;
 import org.mozilla.jss.netscape.security.x509.CertificateChain;
 import org.mozilla.jss.netscape.security.x509.CertificateIssuerName;
@@ -1037,19 +1036,28 @@ public X509CertImpl getCACert() throws EBaseException {
             return caCertImpl;
         }
-        String cert = mConfig.getString("signing.cert");
-        logger.debug("CertificateAuthority: CA signing cert: " + cert);
+        String certName = mConfig.getString("signing.certnickname");
+        String tokenName = mConfig.getString("signing.tokenname");
-        if (StringUtils.isEmpty(cert)) {
-            logger.error("CertificateAuthority: Missing CA signing certificate");
-            throw new EBaseException("Missing CA signing certificate");
+        if(!CryptoUtil.isInternalToken(tokenName)) {
+            certName = tokenName + ":" + certName;
         }
-        byte[] bytes = Utils.base64decode(cert);
-        logger.debug("CertificateAuthority: size: " + bytes.length + " bytes");
+        logger.debug("CertificateAuthority: Getting CA signing cert: " + certName);
+        CryptoManager manager;
+        X509Certificate caCert;
         try {
-            return new X509CertImpl(bytes);
+            manager= CryptoManager.getInstance();
+            caCert = manager.findCertByNickname(certName);
+        } catch (ObjectNotFoundException | NotInitializedException | TokenException e) {
+            logger.error("CertificateAuthority: Unable to find CA signing certificate: " + e.getMessage(), e);
+            throw new EBaseException("Unable to find CA signing certificate: " + e.getMessage(), e);
+        }
+
+        try {
+
+            return new X509CertImpl(caCert.getEncoded());
         } catch (CertificateException e) {
             logger.error("Unable to parse CA signing cert: " + e.getMessage(), e);
diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py
index a3e5a50d439..1697d04660c 100644
--- a/base/server/python/pki/server/deployment/__init__.py
+++ b/base/server/python/pki/server/deployment/__init__.py
@@ -2169,7 +2169,7 @@ def import_system_certs(self, nssdb, subsystem):
         self.import_cert_chain(nssdb)
-    def update_system_cert(self, nssdb, subsystem, tag):
+    def update_system_cert(self, subsystem, tag):
         logger.info('Updating %s cert', tag)
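Review bot: The fail-fast on a missing value is lost at `+ String certName = mConfig.getString("signing.certnickname");` — the removed `StringUtils.isEmpty(cert)` branch reported "Missing CA signing certificate" clearly, whereas an empty nickname now (possibly rewritten to `token:` by the `isInternalToken` branch) only surfaces as an NSS lookup failure; I would keep a guard such as `if (StringUtils.isEmpty(certName)) { throw new EBaseException("Missing CA signing certificate nickname"); }`, which also means the `StringUtils` import dropped in the first hunk should stay. Whether `CryptoUtil.isInternalToken` accepts a null or empty `tokenName` is not visible in this diff and is worth confirming. Since `getCACert()` no longer reads `signing.cert`, nothing in this diff removes that key from existing CS.cfg files, so a stale base64 copy of the old signing cert lingers after an upgrade or a renewal — an upgrade script should drop it. Minor style: `if(!CryptoUtil...` and `manager= CryptoManager.getInstance();` should be `if (` and `manager = ` to match the surrounding code, and the empty line after the second `try {` can go. The catch body of `getCACert()` continues past the end of the hunk.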
@@ -2182,15 +2182,6 @@ def update_system_cert(self, nssdb, subsystem, tag):
             tokenname = pki.nssdb.INTERNAL_TOKEN_NAME
         subsystem.config['%s.%s.tokenname' % (subsystem.name, tag)] = tokenname
-        cert_data = nssdb.get_cert(
-            nickname=nickname,
-            token=self.mdict['pki_%s_token' % cert_id],
-            output_format='base64',
-            output_text=True,
-        )
-        subsystem.config['%s.%s.cert' % (subsystem.name, tag)] = cert_data
-
     def update_admin_cert(self, subsystem):
         logger.info('Updating admin certificate')
@@ -2212,12 +2203,12 @@ def update_admin_cert(self, subsystem):
         finally:
             client_nssdb.close()
-    def update_system_certs(self, nssdb, subsystem):
+    def update_system_certs(self, subsystem):
         logger.info('Updating system certs')
         if subsystem.name == 'ca':
-            self.update_system_cert(nssdb, subsystem, 'signing')
+            self.update_system_cert(subsystem, 'signing')
             nickname = self.mdict['pki_ca_signing_nickname']
             subsystem.config['ca.signing.cacertnickname'] = nickname
@@ -2225,27 +2216,27 @@ def update_system_certs(self, nssdb, subsystem):
             subsystem.config['ca.signing.defaultSigningAlgorithm'] = \
                 self.mdict['pki_ca_signing_signing_algorithm']
-            self.update_system_cert(nssdb, subsystem, 'ocsp_signing')
+            self.update_system_cert(subsystem, 'ocsp_signing')
             subsystem.config['ca.ocsp_signing.defaultSigningAlgorithm'] = \
                 self.mdict['pki_ocsp_signing_signing_algorithm']
         if subsystem.name == 'kra':
-            self.update_system_cert(nssdb, subsystem, 'storage')
-            self.update_system_cert(nssdb, subsystem, 'transport')
+            self.update_system_cert(subsystem, 'storage')
+            self.update_system_cert(subsystem, 'transport')
             self.update_admin_cert(subsystem)
         if subsystem.name == 'ocsp':
-            self.update_system_cert(nssdb, subsystem, 'signing')
+            self.update_system_cert(subsystem, 'signing')
             subsystem.config['ocsp.signing.defaultSigningAlgorithm'] = \
                 self.mdict['pki_ocsp_signing_signing_algorithm']
             self.update_admin_cert(subsystem)
-        self.update_system_cert(nssdb, subsystem, 'sslserver')
-        self.update_system_cert(nssdb, subsystem, 'subsystem')
-        self.update_system_cert(nssdb, subsystem, 'audit_signing')
+        self.update_system_cert(subsystem, 'sslserver')
+        self.update_system_cert(subsystem, 'subsystem')
+        self.update_system_cert(subsystem, 'audit_signing')
         subsystem.config['%s.audit_signing.defaultSigningAlgorithm' % subsystem.name] = \
             self.mdict['pki_audit_signing_signing_algorithm']
@@ -3973,8 +3964,9 @@ def add_kra_connector(self, subsystem, ca_url):
         kra_url = 'https://%s:%s/kra/agent/kra/connector' % (hostname, securePort)
         subsystem_cert = subsystem.get_subsystem_cert('subsystem').get('data')
-        transport_cert = subsystem.config.get('kra.transport.cert')
-        transport_nickname = subsystem.config.get('kra.cert.transport.nickname')
+        transport_cert_info = subsystem.get_subsystem_cert('transport')
+        transport_cert = transport_cert_info.get('data')
+        transport_nickname = transport_cert_info.get('nickname')
         tmpdir = tempfile.mkdtemp()
         try:
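Review bot: `transport_cert` and `transport_nickname` are used unchecked after `+ transport_cert_info = subsystem.get_subsystem_cert('transport')`, so a KRA whose transport cert is missing from the NSS database (or stored under a different nickname) presumably hands the CA a `None` transport cert and still registers the connector, which is the cert the CA will later wrap archived keys for; the old `config.get` lookups had the same gap, but this is the place to close it. Add a guard before the temp dir is created: `if not transport_cert or not transport_nickname:` / `raise Exception('Missing KRA transport certificate')`. Whether `get_subsystem_cert()` returns `None` instead of a dict when the cert is absent is not visible here; if it does, the `.get` calls fail loudly with `AttributeError`, which is at least not silent. The body of `add_kra_connector` continues past the end of the hunk.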
diff --git a/base/server/python/pki/server/deployment/scriptlets/configuration.py b/base/server/python/pki/server/deployment/scriptlets/configuration.py
index b733db5a0bd..d69f1ed088f 100644
--- a/base/server/python/pki/server/deployment/scriptlets/configuration.py
+++ b/base/server/python/pki/server/deployment/scriptlets/configuration.py
@@ -66,7 +66,7 @@ def spawn(self, deployer):
         try:
             deployer.import_system_cert_requests(subsystem)
             deployer.import_system_certs(nssdb, subsystem)
-            deployer.update_system_certs(nssdb, subsystem)
+            deployer.update_system_certs(subsystem)
             subsystem.save()
             deployer.update_sslserver_cert_nickname(subsystem)
@@ -79,17 +79,9 @@ def spawn(self, deployer):
                 if s.name == subsystem.name:
                     continue
-                # import cert/request data from the existing subsystem
+                # import request data from the existing subsystem
                 # into the new subsystem being installed
-                logger.info('Importing sslserver cert data from %s', s.type)
-                subsystem.config['%s.sslserver.cert' % subsystem.name] = \
-                    s.config['%s.sslserver.cert' % s.name]
-
-                logger.info('Importing subsystem cert data from %s', s.type)
-                subsystem.config['%s.subsystem.cert' % subsystem.name] = \
-                    s.config['%s.subsystem.cert' % s.name]
-
-
                 logger.info('Importing sslserver request data from %s', s.type)
                 subsystem.config['%s.sslserver.certreq' % subsystem.name] = \
                     s.config['%s.sslserver.certreq' % s.name]
diff --git a/base/server/python/pki/server/subsystem.py b/base/server/python/pki/server/subsystem.py
index d2ff3af4cc6..c29ce9f6a54 100644
--- a/base/server/python/pki/server/subsystem.py
+++ b/base/server/python/pki/server/subsystem.py
@@ -330,7 +330,6 @@ def update_system_cert(self, cert):
         cert_id = cert['id']
         self.config['%s.%s.nickname' % (self.name, cert_id)] = cert.get('nickname')
         self.config['%s.%s.tokenname' % (self.name, cert_id)] = cert.get('token')
-        self.config['%s.%s.cert' % (self.name, cert_id)] = cert.get('data')
         self.config['%s.%s.certreq' % (self.name, cert_id)] = cert.get('request')
     def validate_system_cert(self, tag):