diff --git a/lib/cli/pkiutility.cpp b/lib/cli/pkiutility.cpp
index aeb385f9f..3dcae4cb2 100644
--- a/lib/cli/pkiutility.cpp
+++ b/lib/cli/pkiutility.cpp
@@ -258,10 +258,41 @@ int PkiUtility::RequestCertificate(const String& host, const String& port, const
 
 	Dictionary::Ptr result = response->Get("result");
 
+	if (result->Contains("ca")) {
+		try {
+			StringToCertificate(result->Get("ca"));
+		} catch (const std::exception& ex) {
+			Log(LogCritical, "cli")
+			    << "Could not write CA file: " << DiagnosticInformation(ex, false);
+			return 1;
+		}
+
+		Log(LogInformation, "cli")
+		    << "Writing CA certificate to file '" << cafile << "'.";
+
+		std::ofstream fpca;
+		fpca.open(cafile.CStr());
+		fpca << result->Get("ca");
+		fpca.close();
+
+		if (fpca.fail()) {
+			Log(LogCritical, "cli")
+			    << "Could not open CA certificate file '" << cafile << "' for writing.";
+			return 1;
+		}
+	}
+
 	if (result->Contains("error")) {
 		LogSeverity severity;
 
-		if (result->Get("status_code") == 1)
+		Value vstatus;
+
+		if (!result->Get("status_code", &vstatus))
+			vstatus = 1;
+
+		int status = vstatus;
+
+		if (status == 1)
 			severity = LogCritical;
 		else {
 			severity = LogInformation;
@@ -271,7 +302,7 @@ int PkiUtility::RequestCertificate(const String& host, const String& port, const
 		Log(severity, "cli")
 		    << "!!! " << result->Get("error");
 
-		if (result->Get("status_code") == 1)
+		if (status == 1)
 			return 1;
 		else {
 			Log(severity, "cli", "!!!!!!");
@@ -287,13 +318,8 @@ int PkiUtility::RequestCertificate(const String& host, const String& port, const
 		return 1;
 	}
 
-	try {
-		StringToCertificate(result->Get("ca"));
-	} catch (const std::exception& ex) {
-		Log(LogCritical, "cli")
-		    << "Could not write CA file: " << DiagnosticInformation(ex, false);
-		return 1;
-	}
+	Log(LogInformation, "cli")
+	    << "Writing signed certificate to file '" << certfile << "'.";
 
 	std::ofstream fpcert;
 	fpcert.open(certfile.CStr());
@@ -306,23 +332,6 @@ int PkiUtility::RequestCertificate(const String& host, const String& port, const
 		return 1;
 	}
 
-	Log(LogInformation, "cli")
-	    << "Writing signed certificate to file '" << certfile << "'.";
-
-	std::ofstream fpca;
-	fpca.open(cafile.CStr());
-	fpca << result->Get("ca");
-	fpca.close();
-
-	if (fpca.fail()) {
-		Log(LogCritical, "cli")
-		    << "Could not open CA certificate file '" << cafile << "' for writing.";
-		return 1;
-	}
-
-	Log(LogInformation, "cli")
-	    << "Writing CA certificate to file '" << cafile << "'.";
-
 	return 0;
 }
 
diff --git a/lib/remote/apilistener.cpp b/lib/remote/apilistener.cpp
index fd348edd9..bd6630dce 100644
--- a/lib/remote/apilistener.cpp
+++ b/lib/remote/apilistener.cpp
@@ -478,6 +478,15 @@ void ApiListener::SyncClient(const JsonRpcConnection::Ptr& aclient, const Endpoi
 			endpoint->SetSyncing(true);
 		}
 
+		Zone::Ptr myZone = Zone::GetLocalZone();
+
+		if (myZone->GetParent() == eZone) {
+			Log(LogInformation, "ApiListener")
+			    << "Requesting new certificate for this Icinga instance from endpoint '" << endpoint->GetName() << "'.";
+
+			SendCertificateRequest(aclient);
+		}
+
 		/* Make sure that the config updates are synced
 		 * before the logs are replayed.
 		 */
@@ -530,6 +539,19 @@ void ApiListener::SyncClient(const JsonRpcConnection::Ptr& aclient, const Endpoi
 	    << "Finished syncing endpoint '" << endpoint->GetName() << "' in zone '" << eZone->GetName() << "'.";
 }
 
+void ApiListener::SendCertificateRequest(const JsonRpcConnection::Ptr& aclient)
+{
+	Dictionary::Ptr message = new Dictionary();
+	message->Set("jsonrpc", "2.0");
+	message->Set("method", "pki::RequestCertificate");
+
+	Dictionary::Ptr params = new Dictionary();
+
+	message->Set("params", params);
+
+	JsonRpc::SendMessage(aclient->GetStream(), message);
+}
+
 void ApiListener::ApiTimerHandler(void)
 {
 	double now = Utility::GetTime();
diff --git a/lib/remote/apilistener.hpp b/lib/remote/apilistener.hpp
index 8e12f0dca..c16ed46c5 100644
--- a/lib/remote/apilistener.hpp
+++ b/lib/remote/apilistener.hpp
@@ -158,6 +158,7 @@ private:
 
 	static void ConfigGlobHandler(ConfigDirInformation& config, const String& path, const String& file);
 	void SendConfigUpdate(const JsonRpcConnection::Ptr& aclient);
+	void SendCertificateRequest(const JsonRpcConnection::Ptr& aclient);
 
 	/* configsync */
 	void UpdateConfigObject(const ConfigObject::Ptr& object, const MessageOrigin::Ptr& origin,
diff --git a/lib/remote/jsonrpcconnection-pki.cpp b/lib/remote/jsonrpcconnection-pki.cpp
index 14470806e..a0df4fa0b 100644
--- a/lib/remote/jsonrpcconnection-pki.cpp
+++ b/lib/remote/jsonrpcconnection-pki.cpp
@@ -94,10 +94,11 @@ Value RequestCertificateHandler(const MessageOrigin::Ptr& origin, const Dictiona
 	if (!origin->FromClient->IsAuthenticated()) {
 		String salt = listener->GetTicketSalt();
 
-		if (salt.IsEmpty())
+		String ticket = params->Get("ticket");
+
+		if (salt.IsEmpty() || ticket.IsEmpty())
 			goto delayed_request;
 
-		String ticket = params->Get("ticket");
 		String realTicket = PBKDF2_SHA1(origin->FromClient->GetIdentity(), salt, 50000);
 
 		if (ticket != realTicket) {