diff --git a/extraconfig/services/ipaclient.yaml b/extraconfig/services/ipaclient.yaml
index 211928a7ff..d8dbedaec1 100644
--- a/extraconfig/services/ipaclient.yaml
+++ b/extraconfig/services/ipaclient.yaml
@@ -177,7 +177,18 @@ outputs:
 
                 ipa-client-install $OPTS
 
-          - name: run enrollment script
-            shell: /root/setup-ipa-client.sh >> /var/log/setup-ipa-client-ansible.log 2>&1
-            args:
-              creates: /etc/ipa/default.conf
+          - name: determine if client is already enrolled
+            stat:
+              path: /etc/ipa/default.conf
+            register: ipa_default_conf
+
+          - block:
+            - name: run enrollment script
+              shell: /root/setup-ipa-client.sh >> /var/log/setup-ipa-client-ansible.log 2>&1
+
+            - name: restart certmonger service
+              systemd:
+                state: restarted
+                daemon_reload: true
+                name: certmonger.service
+            when: ipa_default_conf.stat.exists == False
diff --git a/releasenotes/notes/restart-certmonger-244416f537859bac.yaml b/releasenotes/notes/restart-certmonger-244416f537859bac.yaml
new file mode 100644
index 0000000000..482df0e2c1
--- /dev/null
+++ b/releasenotes/notes/restart-certmonger-244416f537859bac.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+  - Restart certmnonger after registering system with IPA.  This
+    prevents cert requests not completely correctly when doing a
+    brownfield update.