diff --git a/roles/ipareplica/library/ipareplica_prepare.py b/roles/ipareplica/library/ipareplica_prepare.py
index a78629d2c..a875d6d5b 100644
--- a/roles/ipareplica/library/ipareplica_prepare.py
+++ b/roles/ipareplica/library/ipareplica_prepare.py
@@ -351,6 +351,12 @@ def main():
 options.server = ansible_module.params.get('server')
 options.skip_conncheck = ansible_module.params.get('skip_conncheck')
+ # random serial numbers are master_only, therefore setting to False
+ options.random_serial_numbers = False
+ # options._random_serial_numbers is generated by ca.install_check and
+ # later used by ca.install in the _setup_ca module.
+ options._random_serial_numbers = False
+
 # init # fstore = sysrestore.FileStore(paths.SYSRESTORE)
@@ -838,6 +844,7 @@ def main():
 _http_ca_cert=http_ca_cert,
 _pkinit_pkcs12_info=pkinit_pkcs12_info,
 _pkinit_ca_cert=pkinit_ca_cert,
+ _random_serial_numbers=options._random_serial_numbers,
 no_dnssec_validation=options.no_dnssec_validation,
 config_setup_ca=config.setup_ca,
 config_master_host_name=config.master_host_name,
diff --git a/roles/ipareplica/library/ipareplica_setup_ca.py b/roles/ipareplica/library/ipareplica_setup_ca.py
index 18aedd3d7..951bcbe22 100644
--- a/roles/ipareplica/library/ipareplica_setup_ca.py
+++ b/roles/ipareplica/library/ipareplica_setup_ca.py
@@ -85,6 +85,9 @@
 _subject_base:
 description: The installer _subject_base setting
 required: no
+ _random_serial_numbers:
+ description: The installer _random_serial_numbers setting
+ required: yes
 dirman_password:
 description: Directory Manager (master) password
 required: no
@@ -144,6 +147,7 @@ def main():
 _top_dir=dict(required=True),
 _ca_subject=dict(required=True),
 _subject_base=dict(required=True),
+ _random_serial_numbers=dict(required=True),
 dirman_password=dict(required=True, no_log=True),
 config_setup_ca=dict(required=True, type='bool'),
 config_master_host_name=dict(required=True),
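Review bot: The second added comment in the `@@ -351,6 +351,12 @@` hunk of ipareplica_prepare.py says `options._random_serial_numbers` is generated by ca.install_check, yet the next line assigns it a literal `False`, while the first comment calls the option master-only. If ca.install_check (not visible in this hunk) does not overwrite the attribute on a replica, this `False` is what the `@@ -838,6 +844,7 @@` hunk hands on to the setup_ca step, whatever the existing deployment's CA uses. I would word the comment as a placeholder, e.g. `# Placeholder; ca.install_check is expected to overwrite this before it is returned for ca.install in the _setup_ca module.`, or state explicitly that a replica never sets it. main() starts and ends outside the hunk.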
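Review bot: `_random_serial_numbers=dict(required=True)` in the `@@ -144,6 +147,7 @@` hunk of ipareplica_setup_ca.py declares no type, so Ansible handles the value as a string, and the task feeds it a Jinja-rendered string. A non-empty string such as `'False'` is truthy in Python, so if ca.install tests the option for truth (that code is not shown here) random serial numbers could be switched on for the CA although the prepare step reported them off. Declaring it like the neighbouring `config_setup_ca` entry, `_random_serial_numbers=dict(required=True, type='bool'),`, makes Ansible coerce the value; the same applies to the identical line in ipaserver_setup_ca.py (`@@ -204,6 +207,7 @@`), and both DOCUMENTATION entries would then want `type: bool`. main() continues outside the hunk.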
@@ -190,6 +194,8 @@ def main():
 options._subject_base = ansible_module.params.get('_subject_base')
 if options._subject_base is not None:
 options._subject_base = DN(options._subject_base)
+ options._random_serial_numbers = ansible_module.params.get(
+ '_random_serial_numbers')
 dirman_password = ansible_module.params.get('dirman_password')
 config_setup_ca = ansible_module.params.get('config_setup_ca')
 config_master_host_name = ansible_module.params.get(
diff --git a/roles/ipareplica/tasks/install.yml b/roles/ipareplica/tasks/install.yml
index 695242d1b..0a9d7e9da 100644
--- a/roles/ipareplica/tasks/install.yml
+++ b/roles/ipareplica/tasks/install.yml
@@ -557,6 +557,7 @@
 _subject_base: "{{ result_ipareplica_prepare._subject_base }}"
 _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info if result_ipareplica_prepare._pkinit_pkcs12_info != None else omit }}"
 _top_dir: "{{ result_ipareplica_prepare._top_dir }}"
+ _random_serial_numbers: "{{ result_ipareplica_prepare._random_serial_numbers }}"
 dirman_password: "{{ ipareplica_dirman_password }}"
 config_setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"
 config_master_host_name:
diff --git a/roles/ipaserver/library/ipaserver_prepare.py b/roles/ipaserver/library/ipaserver_prepare.py
index b9f1da2b9..f7590be80 100644
--- a/roles/ipaserver/library/ipaserver_prepare.py
+++ b/roles/ipaserver/library/ipaserver_prepare.py
@@ -213,6 +213,8 @@ def main():
 # additional
 setup_ca=dict(required=False, type='bool', default=False),
+ random_serial_numbers=dict(required=False, type='bool',
+ default=False),
 _hostname_overridden=dict(required=False, type='bool', default=False),
 ),
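Review bot: The new `random_serial_numbers` option in the `@@ -213,6 +213,8 @@` hunk of ipaserver_prepare.py is added to the argument spec only; none of this file's hunks touches its DOCUMENTATION block, unlike the two _setup_ca modules in the same commit. I would add an options entry for it with a one-line description plus `type: bool`, `default: no` and `required: no`, so the documented interface matches the spec. If the module also documents its return values, `_random_serial_numbers` belongs there as well. main() continues outside the hunk.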
@@ -225,9 +227,11 @@ def main():
 # initialize return values for flake ############################
- # These are set by ca.install_check
+ # These are set by ca.install_check and need to be passed to ca.install
+ # in the _setup_ca module and also some others.
 options._subject_base = None
 options._ca_subject = None
+ options._random_serial_numbers = None
 # set values ####################################################
@@ -277,6 +281,8 @@ def main():
 options.netbios_name = ansible_module.params.get('netbios_name')
 # additional
 options.setup_ca = ansible_module.params.get('setup_ca')
+ options.random_serial_numbers = ansible_module.params.get(
+ 'random_serial_numbers')
 options._host_name_overridden = ansible_module.params.get(
 '_hostname_overridden')
 options.kasp_db_file = None
@@ -405,6 +411,7 @@ def main():
 _subject_base=options._subject_base,
 ca_subject=options.ca_subject,
 _ca_subject=options._ca_subject,
+ _random_serial_numbers=options._random_serial_numbers,
 # dns
 reverse_zones=options.reverse_zones,
 forward_policy=options.forward_policy,
diff --git a/roles/ipaserver/library/ipaserver_setup_ca.py b/roles/ipaserver/library/ipaserver_setup_ca.py
index fb185ac23..5863f4bcd 100644
--- a/roles/ipaserver/library/ipaserver_setup_ca.py
+++ b/roles/ipaserver/library/ipaserver_setup_ca.py
@@ -132,6 +132,9 @@
 ca_signing_algorithm:
 description: Signing algorithm of the IPA CA certificate
 required: yes
+ _random_serial_numbers:
+ description: The installer _random_serial_numbers setting
+ required: yes
 reverse_zones:
 description: The reverse DNS zones to use
 required: yes
@@ -204,6 +207,7 @@ def main():
 ca_subject=dict(required=False),
 _ca_subject=dict(required=False),
 ca_signing_algorithm=dict(required=False),
+ _random_serial_numbers=dict(required=True),
 # dns
 reverse_zones=dict(required=False, type='list', default=[]),
 no_reverse=dict(required=False, type='bool', default=False),
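Review bot: `options._random_serial_numbers = None` in the `@@ -225,9 +227,11 @@` hunk of ipaserver_prepare.py is the value handed on in the `@@ -405,6 +411,7 @@` hunk whenever ca.install_check does not assign the attribute, presumably the case with an IPA release that predates the option. That `None` is then rendered through the task template into a parameter that ipaserver_setup_ca.py marks `required=True`, where it may arrive as text or as an empty value depending on how Ansible templates it. ipareplica_prepare.py in this commit initialises the same attribute with `False`; `options._random_serial_numbers = False` here would keep the two roles consistent and give the setup_ca module a definite boolean. main() continues outside the hunk.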
@@ -259,6 +263,8 @@ def main():
 options._ca_subject = ansible_module.params.get('_ca_subject')
 options.ca_signing_algorithm = ansible_module.params.get(
 'ca_signing_algorithm')
+ options._random_serial_numbers = ansible_module.params.get(
+ '_random_serial_numbers')
 # dns
 options.reverse_zones = ansible_module.params.get('reverse_zones')
 options.no_reverse = ansible_module.params.get('no_reverse')
diff --git a/roles/ipaserver/tasks/install.yml b/roles/ipaserver/tasks/install.yml
index 8099a1582..8bd808d4e 100644
--- a/roles/ipaserver/tasks/install.yml
+++ b/roles/ipaserver/tasks/install.yml
@@ -191,6 +191,7 @@
 secondary_rid_base: "{{ ipaserver_secondary_rid_base | default(omit) }}"
 ### additional ###
 setup_ca: "{{ result_ipaserver_test.setup_ca }}"
+ random_serial_numbers: no
 _hostname_overridden: "{{ result_ipaserver_test._hostname_overridden }}"
 register: result_ipaserver_prepare
@@ -298,6 +299,7 @@
 _ca_subject: "{{ result_ipaserver_prepare._ca_subject }}"
 ca_signing_algorithm: "{{ ipaserver_ca_signing_algorithm | default(omit) }}"
+ _random_serial_numbers: "{{ result_ipaserver_prepare._random_serial_numbers }}"
 reverse_zones: "{{ result_ipaserver_prepare.reverse_zones }}"
 no_reverse: "{{ ipaserver_no_reverse }}"
 auto_forwarders: "{{ ipaserver_auto_forwarders }}"
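Review bot: `random_serial_numbers: no` in the `@@ -191,6 +191,7 @@` hunk of roles/ipaserver/tasks/install.yml is a literal, so the option that ipaserver_prepare now accepts cannot be changed from inventory or playbook variables, and nothing in the task says why. If pinning it off is intended, a comment above the line such as `# random serial numbers are deliberately kept disabled here` records the decision. Otherwise follow the neighbouring lines and read a role variable with a default, for example a new variable in the form `"{{ ipaserver_random_serial_numbers | default(false) }}"` (that name is a suggestion, not an existing variable). Writing the literal as `false` rather than `no` also avoids the YAML truthy-value ambiguity that linters flag.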