diff --git a/manifests/candlepin.pp b/manifests/candlepin.pp
index cb111539..964aa3ea 100644
--- a/manifests/candlepin.pp
+++ b/manifests/candlepin.pp
@@ -8,8 +8,10 @@
Stdlib::Absolutepath $ca_cert = $certs::candlepin_ca_cert,
Stdlib::Absolutepath $ca_key = $certs::candlepin_ca_key,
Stdlib::Absolutepath $pki_dir = $certs::pki_dir,
+ Optional[String] $keystore_password = undef,
Stdlib::Absolutepath $keystore = $certs::candlepin_keystore,
String $keystore_password_file = 'keystore_password-file',
+ Optional[String] $truststore_password = undef,
Stdlib::Absolutepath $truststore = $certs::candlepin_truststore,
String $truststore_password_file = 'truststore_password-file',
String[2,2] $country = $certs::country,
@@ -68,8 +70,14 @@
build_dir => $certs::ssl_build_dir,
}
- $keystore_password = extlib::cache_data('foreman_cache_data', $keystore_password_file, extlib::random_password(32))
- $truststore_password = extlib::cache_data('foreman_cache_data', $truststore_password_file, extlib::random_password(32))
+ # Generate and cache the password on the master once
+ # In multi-puppetmaster setups, the user should specify their own
+ $final_keystore_password = pick(
+ $keystore_password, extlib::cache_data('foreman_cache_data', $keystore_password_file, extlib::random_password(32))
+ )
+ $final_truststore_password = pick(
+ $truststore_password, extlib::cache_data('foreman_cache_data', $truststore_password_file, extlib::random_password(32))
+ )
$keystore_password_path = "${pki_dir}/${keystore_password_file}"
$truststore_password_path = "${pki_dir}/${truststore_password_file}"
$client_key = $certs::foreman::client_key
@@ -110,7 +118,7 @@
file { $keystore_password_path:
ensure => file,
- content => $keystore_password,
+ content => $final_keystore_password,
owner => 'root',
group => $group,
mode => '0440',
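Review bot: The new `Optional[String] $keystore_password` and `Optional[String] $truststore_password` parameters accept any non-empty string, while the two password parameters this same commit wires up elsewhere, `String[10] $ca_key_password` in init.pp and `String[10] $nss_db_password` in nssdb.pp, enforce a minimum length; `Optional[String[10]] $keystore_password = undef,` (and the same for the truststore) keeps the four consistent. None of the four is typed `Sensitive`, so the values travel in the compiled catalog as plain strings and can surface in reports and logs; if the module's minimum Puppet version allows it, accepting `Sensitive[String]` here and unwrapping it where the file content is written would keep them redacted. I am raising the `Sensitive` point once here rather than on the init.pp and nssdb.pp hunks.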
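Review bot: `pick()` receives both of its arguments already evaluated, so `extlib::cache_data(...)` still runs, and as far as I can tell from its caching behaviour still writes a fresh random password under `foreman_cache_data`, even when the operator supplies `$keystore_password`; the comment `In multi-puppetmaster setups, the user should specify their own` then leaves an unused secret on the master that looks exactly like the live one. Branching on the parameter instead only generates and caches a value when it is actually used, and the same applies to `$final_truststore_password`. Note that a selector does not treat `''` as unset the way `pick` does, which is better handled by a `String[1]` minimum on the parameter than by the fallback.
```puppet
  # … unchanged: comments …
  $final_keystore_password = $keystore_password ? {
    undef   => extlib::cache_data('foreman_cache_data', $keystore_password_file, extlib::random_password(32)),
    default => $keystore_password,
  }
  $final_truststore_password = $truststore_password ? {
    undef   => extlib::cache_data('foreman_cache_data', $truststore_password_file, extlib::random_password(32)),
    default => $truststore_password,
  }
```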
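Review bot: `content => $final_keystore_password` manages a file whose entire content is a secret, but the resource sets no `show_diff`, so on an agent that displays diffs the run that changes the value (for example the first run after an operator starts supplying `$keystore_password` to replace the cached one) prints the old and the new password in the log and report. Adding `show_diff => false,` next to `mode => '0440',` closes that; the `file { $truststore_password_path:` resource in the @@ -135 hunk needs the same line. The resource's closing brace is outside the hunk.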
@@ -135,7 +143,7 @@
file { $truststore_password_path:
ensure => file,
- content => $truststore_password,
+ content => $final_truststore_password,
owner => 'root',
group => $group,
mode => '0440',
diff --git a/manifests/init.pp b/manifests/init.pp
index 372dff1f..19f24be9 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -39,6 +39,8 @@
# $deploy:: Deploy the certs on the configured system. False means
# we want to apply it to a different system
#
+# $ca_key_password:: Optional string to use for the CA key password
+#
# $ca_common_name:: Common name for the generated CA certificate
#
# $country:: Country attribute for managed certificates
@@ -73,6 +75,7 @@
Boolean $generate = true,
Boolean $regenerate = false,
Boolean $deploy = true,
+ String[10] $ca_key_password = $certs::params::ca_key_password,
String $ca_common_name = $certs::params::ca_common_name,
String[2,2] $country = 'US',
String $state = 'North Carolina',
@@ -103,7 +106,6 @@
$ca_key = "${pki_dir}/private/${default_ca_name}.key"
$ca_cert = "${pki_dir}/certs/${default_ca_name}.crt"
$ca_cert_stripped = "${pki_dir}/certs/${default_ca_name}-stripped.crt"
- $ca_key_password = extlib::cache_data('foreman_cache_data', 'ca_key_password', extlib::random_password(24))
$ca_key_password_file = "${ssl_build_dir}/${default_ca_name}.pwd"
$katello_server_ca_cert = "${pki_dir}/certs/${server_ca_name}.crt"
diff --git a/manifests/params.pp b/manifests/params.pp
index 62c29d7f..98d67dc8 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
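Review bot: The new doc line `# $ca_key_password:: Optional string to use for the CA key password` does not match the parameter added in the @@ -73 hunk, which is typed `String[10]` with a default of `$certs::params::ca_key_password` rather than `Optional`, so an operator reading the header would not learn the length requirement or that a value is always set. Suggested wording: `# $ca_key_password:: Password protecting the CA private key (at least 10 characters); defaults to a random value cached on the master`. The origin of that default is visible in the params.pp hunk of this commit.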
@@ -23,6 +23,11 @@
$qpid_client_cert = "${pulp_pki_dir}/qpid/client.crt"
$qpid_client_ca_cert = "${pulp_pki_dir}/qpid/ca.crt"
+ # Generate and cache the password on the master once
+ # In multi-puppetmaster setups, the user should specify their own
+ $ca_key_password = extlib::cache_data('foreman_cache_data', 'ca_key_password', extlib::random_password(24))
+ $nss_db_password = extlib::cache_data('foreman_cache_data', 'certs-nss-db-password', extlib::random_password(32))
+
$qpid_router_server_cert = "${pki_dir}/qpid_router_server.crt"
$qpid_router_client_cert = "${pki_dir}/qpid_router_client.crt"
$qpid_router_server_key = "${pki_dir}/qpid_router_server.key"
diff --git a/manifests/ssltools/nssdb.pp b/manifests/ssltools/nssdb.pp
index 66b10db1..8169f691 100644
--- a/manifests/ssltools/nssdb.pp
+++ b/manifests/ssltools/nssdb.pp
@@ -2,7 +2,7 @@
class certs::ssltools::nssdb (
Stdlib::Absolutepath $nss_db_dir = "${certs::pki_dir}/nssdb",
Stdlib::Absolutepath $nss_db_password_file = "${certs::pki_dir}/nss_db_password-file",
- String[10] $nss_db_password = extlib::cache_data('foreman_cache_data', 'certs-nss-db-password', extlib::random_password(32)),
+ String[10] $nss_db_password = $certs::params::nss_db_password,
String[1] $group = 'qpidd',
) {
ensure_packages(['nss-tools'])
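Review bot: With the two `extlib::cache_data` calls now living in `certs::params`, both random passwords are generated and, as far as I can tell from cache_data's behaviour, written to the master's `foreman_cache_data` on the first compile that evaluates this class, whether or not the consuming classes are later given explicit passwords; the presence of a cache entry therefore says nothing about which value is in use. The comment above them should state this so a multi-master operator does not mistake the cached file for the live secret, e.g. `# The cached value is used only when the consuming class is not given an explicit password; the cache entry is created either way`. The two calls also use different lengths (24 and 32) without a stated reason, which is worth a word in the same comment.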
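Review bot: The new default `$certs::params::nss_db_password` is only defined when `certs::params` has already been evaluated at the time this class's parameter defaults are resolved, and the visible header `class certs::ssltools::nssdb (` … `) {` has no `inherits certs::params`; an `include` in the body would not help, because defaults are evaluated before the body. Presumably this works today only because the neighbouring `"${certs::pki_dir}/nssdb"` default already requires the `certs` class to be declared first, so it is worth making the dependency explicit with `) inherits certs::params {` or documenting the ordering requirement on the class. The class body continues outside the hunk.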