diff --git a/base/univention-ssl/univention-certificate b/base/univention-ssl/univention-certificate
index ceac5900e3..3e2342636a 100755
--- a/base/univention-ssl/univention-certificate
+++ b/base/univention-ssl/univention-certificate
@@ -63,7 +63,7 @@ die () {
 exit 1
 }
 run_only () {
- local role="$1" mode="$2"
+ local role="$1" mode="${2:-unlock}"
 case "$role/$(ucr get server/role)" in
 master/domaincontroller_master) ;;
 backup/domaincontroller_master) ;;
@@ -76,9 +76,11 @@ run_only () {
 esac
 [ 0 -eq "$(id -u)" ] || die "Only user 'root' can use this"
- exec 3<"$SSLBASE"
- flock -n --"$mode" 3 ||
- die "Failed to get $mode lock"
+ [ 0 -eq ${#FD} ] &&
+ exec {FD}<${SSLBASE}
+ for i in {1..99}; do jitter ${i} flock -n --${mode} ${FD} && return || continue; done
+ flock -n --${mode} ${FD} ||
+ die "Failed to get ${mode} lock"
 }
 command=
@@ -109,6 +111,8 @@ done
 . "${MAKE_CERTIFICATES_SH_INCLUDE:=/usr/share/univention-ssl/make-certificates.sh}"
+exec {FD}<${SSLBASE}
+
 case "$command" in
 new|renew) : "${name:?Missing argument '-name'}" ;;
 revoke|check|dump) : "${name:="$(get_cert_name_from_id "$id")"}"
@@ -129,6 +133,7 @@ new () {
 chgrp -R "DC Backup Hosts" "$SSLBASE/$name"
 chmod -R g+rX "$SSLBASE/$name"
 fi
+ run_only master
 }
 revoke () {
@@ -139,6 +144,7 @@ revoke () {
 else
 revoke_cert "$name"
 fi
+ run_only master
 }
 renew () {
@@ -151,6 +157,7 @@ renew () {
 chgrp -R "DC Backup Hosts" "$SSLBASE/$name"
 chmod -R g+rX "$SSLBASE/$name"
 fi
+ run_only master
 }
 check () {
@@ -170,6 +177,7 @@ check () {
 *) echo "invalid" ;;
 esac
 done <<< "$id"
+ run_only backup
 exit "$exitcode"
 }
@@ -177,18 +185,21 @@ list () {
 run_only backup shared
 echo "List all certificates"
 list_cert_names
+ run_only backup
 }
 list_all () {
 run_only backup shared
 echo "List all certificates (including revoked and expired certificates)"
 list_cert_names_all
+ run_only backup
 }
 update_expired () {
 run_only master exclusive
 echo "Updating db for expired certificates"
 update_db
+ run_only master
 }
 dump () {
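Review bot: In run_only's `local` line, defaulting `mode` to `unlock` means a call that forgets the lock mode silently releases the lock on `$SSLBASE` instead of failing. That is easy to miss in review, because an entry call without a mode now looks identical to the new trailing unlock calls. I would keep the mode mandatory, `local role="$1" mode="${2:?missing lock mode}"`, and have the new call sites say `run_only master unlock`. run_only's body continues past this hunk.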
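Review bot: The added lock lines in run_only drop the quoting that the removed lines had. `exec {FD}<${SSLBASE}` and `flock -n --${mode} ${FD}` expand unquoted, so an SSLBASE value containing whitespace makes the redirect fail as ambiguous. The loop variable `i` is also not on the `local` line, so it overwrites any global of that name. Suggested forms are `exec {FD}<"$SSLBASE"`, `flock -n "--$mode" "$FD"` and `local role="$1" mode="${2:-unlock}" i`. `jitter` is not defined in the visible hunks, so its retry timing cannot be checked here, and run_only begins above this hunk.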
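Review bot: The top-level `exec {FD}<${SSLBASE}` opens the lock descriptor without checking the result, and it runs before run_only's role and root checks. A caller who cannot read the directory would then presumably see a raw redirection error rather than the "Only user 'root' can use this" message. The same open also exists lazily inside run_only behind `[ 0 -eq ${#FD} ]`, so the descriptor is now set up in two places. If the lazy open is kept, this line looks redundant; otherwise quote and check it, `exec {FD}<"$SSLBASE" || die "Cannot open $SSLBASE"`.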
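Review bot: Ending `new` with `run_only master` makes the function's exit status that of the unlock call instead of the work above it, and the script dispatches through `"$command"`, so that status is presumably what callers of univention-certificate receive. The same trailing call is added to revoke, renew, list, list_all, update_expired and sign; revoke is the clearest case, since the status of `revoke_cert "$name"` was previously the function's result. Whether an earlier failure already aborts the script (for example via `set -e`) is not visible in this diff; if it does not, a failed revocation could exit 0 once the unlock succeeds. Preserve the status around the unlock, `local rc=$?` then `run_only master` then `return "$rc"`, or release the lock from a single EXIT trap. Each of these functions starts outside its hunk.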
@@ -214,6 +225,7 @@ sign () {
 chgrp -R "DC Backup Hosts" "$SSLBASE/$name"
 chmod -R g+rX "$SSLBASE/$name"
 fi
+ run_only master
 }
 "$command"