diff --git a/0001-Use-TLS-for-CA-replication.patch b/0001-Use-TLS-for-CA-replication.patch
new file mode 100644
index 0000000..f0337f3
--- /dev/null
+++ b/0001-Use-TLS-for-CA-replication.patch
@@ -0,0 +1,26 @@
+From 98fde54c170eb7974afe80403d54747563c8e3be Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Fri, 12 Oct 2012 14:35:43 -0400
+Subject: [PATCH] Use TLS for CA replication
+
+https://fedorahosted.org/freeipa/ticket/3162
+---
+ ipaserver/install/cainstance.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
+index aabbba3..f2ac840 100644
+--- a/ipaserver/install/cainstance.py
++++ b/ipaserver/install/cainstance.py
+@@ -640,7 +640,7 @@ class CAInstance(service.Service):
+ "pki_security_domain_hostname": self.master_host,
+ "pki_security_domain_https_port": "443",
+ "pki_security_domain_password": self.admin_password,
+- "pki_clone_replication_security": "SSL",
++ "pki_clone_replication_security": "TLS",
+ "pki_clone_uri": \
+ "https://%s" % ipautil.format_netloc(self.master_host, 443)
+ }
+--
+1.7.11.4
+
diff --git a/freeipa.spec b/freeipa.spec
index 4278b60..7bc6d68 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -15,7 +15,7 @@ distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
 Name: freeipa
 Version: 3.0.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: The Identity, Policy and Audit system
 Group: System Environment/Base
@@ -24,6 +24,8 @@ URL: http://www.freeipa.org/
 Source0: http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+Patch1: 0001-Use-TLS-for-CA-replication.patch
+
 %if ! %{ONLY_CLIENT}
 BuildRequires: 389-ds-base-devel >= 1.2.11.14
 BuildRequires: svrcore-devel
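Review bot: The new `"TLS"` value for `pki_clone_replication_security` in the embedded cainstance.py hunk has no comment explaining what it selects or why `"SSL"` was wrong, and the commit message only links a ticket. A one-line comment above the key would help, for example `# CA clone replication is secured with TLS; must match the transport and port the master's directory server accepts`. The config dict opens outside the hunk, so any replication port settings are not visible here; if they exist they should be checked against the new mode, because a port/transport mismatch would presumably break clone setup. It is also worth confirming that the installer fails closed rather than continuing with unprotected replication if the TLS negotiation cannot be completed.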
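Review bot: `Patch1:` is declared in this hunk, but none of the three freeipa.spec hunks touches `%prep`, so nothing visible in the diff applies the patch. Unless `%prep` already applies every declared patch, a line such as `%patch1 -p1` after `%setup` is needed. Without it the package would ship as 3.0.0-2 with a changelog entry claiming TLS while CA replication is still configured with `"SSL"`. `%prep` is outside the diff, so this needs to be confirmed against the full spec.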
@@ -741,6 +743,10 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
+%changelog
+* Fri Oct 12 2012 Rob Crittenden - 3.0.0-2
+- Configure CA replication to use TLS instead of SSL
+
 * Fri Oct 12 2012 Rob Crittenden - 3.0.0-1
 - Updated to upstream 3.0.0 GA
 - Set minimum for samba to 4.0.0-153.