diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
index 619be83..9be1b67 100644
--- a/ipaserver/plugins/cert.py
+++ b/ipaserver/plugins/cert.py
@@ -55,7 +55,7 @@ from ipapython.dn import DN
 from ipapython.ipautil import datetime_from_utctimestamp
 from ipaserver.plugins.service import normalize_principal, validate_realm
 from ipaserver.masters import (
- ENABLED_SERVICE, CONFIGURED_SERVICE, is_service_enabled
+ ENABLED_SERVICE, CONFIGURED_SERVICE, HIDDEN_SERVICE, is_service_enabled
 )
 
 try:
@@ -300,7 +300,7 @@ def caacl_check(principal, ca, profile_id):
 def ca_kdc_check(api_instance, hostname):
 master_dn = api_instance.Object.server.get_dn(unicode(hostname))
 kdc_dn = DN(('cn', 'KDC'), master_dn)
- wanted = {ENABLED_SERVICE, CONFIGURED_SERVICE}
+ wanted = {ENABLED_SERVICE, CONFIGURED_SERVICE, HIDDEN_SERVICE}
 try:
 kdc_entry = api_instance.Backend.ldap2.get_entry(
 kdc_dn, ['ipaConfigString'])
diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index b71f2d5..7ef44c5 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -26,6 +26,7 @@ from ipalib.constants import (
 )
 from ipaplatform.paths import paths
 from ipapython import certdb
+from ipatests.test_integration.test_cert import get_certmonger_fs_id
 from ipatests.test_integration.test_dns_locations import (
 resolve_records_from_server, IPA_DEFAULT_MASTER_SRV_REC
 )
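Review bot: The widened `wanted` set in `ca_kdc_check` carries no comment explaining why a hidden service state now passes this check, and the reason matters because the function appears to decide whether a host counts as a KDC for certificate purposes. I would add `# Hidden replicas still run a KDC and must be able to renew their PKINIT cert (https://pagure.io/freeipa/issue/9611)` above the assignment. The rest of the function lies outside the hunk, so it is not visible how `wanted` is compared with the `ipaConfigString` values; it is worth confirming that the comparison is an exact match on the three states, so that the wider set admits hidden masters and nothing else. A negative test showing that a host without a KDC entry is still refused would pin that down.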
@@ -1241,6 +1242,23 @@ class TestHiddenReplicaPromotion(IntegrationTest):
 'ipa-crlgen-manage', 'status'])
 assert "CRL generation: enabled" in result.stdout_text
 
+ def test_hidden_replica_renew_pkinit_cert(self):
+ """Renew the PKINIT cert on a hidden replica.
+
+ Test for https://pagure.io/freeipa/issue/9611
+ """
+ # Get Request ID
+ cmd = ['getcert', 'list', '-f', paths.KDC_CERT]
+ result = self.replicas[0].run_command(cmd)
+ req_id = get_certmonger_fs_id(result.stdout_text)
+
+ self.replicas[0].run_command([
+ 'getcert', 'resubmit', '-f', paths.KDC_CERT
+ ])
+ tasks.wait_for_certmonger_status(
+ self.replicas[0], ('MONITORING'), req_id, timeout=600
+ )
+
 
 class TestHiddenReplicaKRA(IntegrationTest):
 """Test KRA & hidden replica features.
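Review bot: In `test_hidden_replica_renew_pkinit_cert`, `('MONITORING')` is a plain string and not a one-element tuple, so if `wait_for_certmonger_status` tests membership with `in`, it does a substring match instead of comparing whole status names; the line should read `self.replicas[0], ('MONITORING',), req_id, timeout=600`. The test also only waits for the request to reach MONITORING again and never checks that a new certificate was issued. If the request is still in MONITORING when polling starts, the wait may return before the resubmit has been processed, though that depends on helper behaviour not shown here. Recording the certificate's serial number or expiry before the resubmit and asserting that it changed afterwards would make the test prove the renewal. The enclosing class starts outside the hunk.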