diff --git a/manifests/init.pp b/manifests/init.pp
index 1890e4b5..697ba601 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -462,7 +462,7 @@
 #
 # $server_puppetserver_experimental:: For Puppetserver 5, enable the /puppet/experimental route? Defaults to true
 #
-# $server_puppetserver_auth_template:: Template for generating /etc/puppetlabs/puppetserver/conf.d/auth.conf
+# $server_puppetserver_auth_template:: Template for generating /etc/puppetlabs/puppetserver/conf.d/auth.conf
 #
 # $server_puppetserver_trusted_agents:: Certificate names of puppet agents that are allowed to fetch *all* catalogs
 # Defaults to [] and all agents are only allowed to fetch their own catalogs.
@@ -536,6 +536,8 @@
 # invokes when on static_file_content requests.
 # Defaults to undef
 #
+# $generate_ca_cert:: Whether to generate CA certificate. Defaults to true. When true, the a ca cert is generated.
+#
 # === Usage:
 #
 # * Simple usage:
@@ -734,6 +736,7 @@
 Optional[Integer[1]] $server_max_open_files = $puppet::params::server_max_open_files,
 Optional[Stdlib::Absolutepath] $server_versioned_code_id = undef,
 Optional[Stdlib::Absolutepath] $server_versioned_code_content = undef,
+ Boolean $generate_ca_cert = $puppet::params::generate_ca_cert,
 ) inherits puppet::params {
 contain puppet::config
diff --git a/manifests/params.pp b/manifests/params.pp
index e45e2367..0d77efcc 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -34,6 +34,7 @@
 $server_compile_mode = undef
 $dns_alt_names = []
 $use_srv_records = false
+ $generate_ca_cert = true
 if defined('$::domain') {
 $srv_domain = $facts['networking']['domain']
diff --git a/manifests/server/config.pp b/manifests/server/config.pp
index 1cfa8bc0..493c0a1f 100644
--- a/manifests/server/config.pp
+++ b/manifests/server/config.pp
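Review bot: The new `$generate_ca_cert` doc line in the `-536,6 +536,8` hunk has a typo ("the a ca cert") and describes only the true case, so a reader cannot tell what the module expects when the flag is false. Suggested wording: `# $generate_ca_cert:: Whether to generate the CA certificate on a CA server. Defaults to true. When false, the CA certificate and key must be provided by other means.` The "when false" half is inferred from the config.pp change in this commit, so confirm it matches the intent before adopting it.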
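Review bot: `$generate_ca_cert`, added in the `-734,6 +736,7` hunk, is declared without the `server_` prefix that the neighbouring server parameters carry (`$server_max_open_files`, `$server_versioned_code_id`), although the only consumer visible in this commit is `puppet::server::config`. Naming it `$server_generate_ca_cert` and reading it through the server class, like the `$puppet::server::ca` it is tested beside in config.pp, would keep the interface consistent. Whether `puppet::server` forwards parameters that way is not visible in this diff. The parameter list begins outside the hunk.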
@@ -157,22 +157,24 @@
 # Generate a new CA and host cert if our host cert doesn't exist
 if $puppet::server::ca {
- if versioncmp($::puppetversion, '6.0') > 0 {
- $creates = $puppet::server::ssl_ca_cert
- $command = "${puppet::puppetserver_cmd} ca setup"
- } else {
- $creates = $puppet::server::ssl_cert
- $command = "${puppet::puppet_cmd} cert --generate ${puppet::server::certname} --allow-dns-alt-names"
- }
+ if $puppet::generate_ca_cert {
+ if versioncmp($::puppetversion, '6.0') > 0 {
+ $creates = $puppet::server::ssl_ca_cert
+ $command = "${puppet::puppetserver_cmd} ca setup"
+ } else {
+ $creates = $puppet::server::ssl_cert
+ $command = "${puppet::puppet_cmd} cert --generate ${puppet::server::certname} --allow-dns-alt-names"
+ }
- exec {'puppet_server_config-generate_ca_cert':
- creates => $creates,
- command => $command,
- umask => '0022',
- require => [
- Concat["${puppet::server::dir}/puppet.conf"],
- Exec['puppet_server_config-create_ssl_dir'],
- ],
+ exec {'puppet_server_config-generate_ca_cert':
+ creates => $creates,
+ command => $command,
+ umask => '0022',
+ require => [
+ Concat["${puppet::server::dir}/puppet.conf"],
+ Exec['puppet_server_config-create_ssl_dir'],
+ ],
+ }
 }
 } elsif $puppet::server::ca_crl_sync {
 # If not a ca AND sync the crl from the ca master
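Review bot: With `$puppet::server::ca` true and `$puppet::generate_ca_cert` false, this branch now declares nothing and the `elsif $puppet::server::ca_crl_sync` arm is not reached either, so the CA certificate and key must already be on disk before the server starts. Nothing in the hunk states or checks that; a comment above the new `if`, such as `# When false, the CA cert and key are expected to be provisioned out of band; ownership and mode of the private key are then the operator's responsibility`, would make the contract explicit. If any resource elsewhere in the module requires or subscribes to `Exec['puppet_server_config-generate_ca_cert']`, the catalog will fail to compile when the flag is false. That cannot be seen from this hunk and is worth a grep. The enclosing `if`/`elsif` chain continues past the end of the hunk.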