diff --git a/warden3/contrib/warden_ra/README b/warden3/contrib/warden_ra/README
index 9f6789f575960bd9bdc4661abc3c8039dd9c227c..51932cd76133f916179df940677ea29dc737e047 100644
--- a/warden3/contrib/warden_ra/README
+++ b/warden3/contrib/warden_ra/README
@@ -57,7 +57,7 @@ to the new client administrator along with other setup information.
 The client administrator runs the application script with application
 password:
 
-    warden_apply.sh org.example.warden.client P4SSW0RD
+    warden_apply.sh https://warden.example.org/warden-ra/ org.example.warden.client P4SSW0RD
 
 The script creates new X509 key, CSR certificate request and makes call to
 the Warden RA web service, where it obtains the new complete certificate.
@@ -69,7 +69,7 @@ Prolonging existing client credentials
 The client administrator runs the application script with his existing valid
 Warden credentials, which he needs to prolong:
 
-    warden_apply.sh org.example.warden.client cert.pem key.pem
+    warden_apply.sh https://warden.example.org/warden-ra/ org.example.warden.client cert.pem key.pem
 
 The script creates new X509 key, CSR certificate request and makes call to
 the Warden RA web service, where it obtains the new complete certificate.
diff --git a/warden3/contrib/warden_ra/warden_apply.sh b/warden3/contrib/warden_ra/warden_apply.sh
index 5d5f9716b2d0dca675fd8f9c8e2f528c81a59320..18024c6711c654c8676f6bac45705527364084a8 100644
--- a/warden3/contrib/warden_ra/warden_apply.sh
+++ b/warden3/contrib/warden_ra/warden_apply.sh
@@ -1,21 +1,28 @@
 #!/bin/bash
 
-url='https://warden-hub.cesnet.cz/warden-ra/getCert'
 key=key.pem
 csr=csr.pem
 cert=cert.pem
 result=${TMPDIR:-${TMP:-/tmp}}/cert.$$.$RANDOM
 config=${TMPDIR:-${TMP:-/tmp}}/conf.$$.$RANDOM
-client="$1"
-password="$2"
-incert="$2"
-inkey="$3"
+if [ "$1" == "--cacert" ]; then
+  cacert="--cacert $2"
+  shift
+  shift
+fi
+url="$1"
+client="$2"
+password="$3"
+incert="$4"
+inkey="$5"
 
 trap 'rm -f "$config $result"' INT TERM HUP EXIT
 
 function flee { echo -e "$1"; exit $2; }
 
-[ -z "$client" -o -z "$password" ] && flee "Usage: ${0%.*} client.name password\n       ${0%.*} client.name cert_file key_file" 255
+[ -z "$client" -o -z "$password" ] && flee "Usage: ${0%.*} [--cacert CERT] url client.name password\n       ${0%.*} [--cacert CERT] url client.name cert_file key_file" 255
+
+url="${url%/}/getCert"
 
 for n in openssl curl; do
     command -v "$n" 2>&1 >/dev/null || flee "Haven't found $n binary." 251
@@ -32,9 +39,9 @@ echo -e "default_bits=2048\ndistinguished_name=rdn\nprompt=no\n[rdn]\ncommonName
 openssl req -new -nodes -batch -keyout "$key" -out "$csr" -config "$config" || flee "Error generating key/certificate request." 252
 
 if [ -z "$inkey" ]; then
-	curl --progress-bar --request POST --data-binary '@-' "$url?name=$client&password=$password" < "$csr" > "$result"
+    curl --progress-bar $cacert --request POST --data-binary '@-' "$url?name=$client&password=$password" < "$csr" > "$result"
 else
-	curl --progress-bar --request POST --data-binary '@-' --cert "$incert" --key "$inkey" "$url?name=$client" < "$csr" > "$result"
+    curl --progress-bar $cacert --request POST --data-binary '@-' --cert "$incert" --key "$inkey" "$url?name=$client" < "$csr" > "$result"
 fi
 
 case $(<$result) in '-----BEGIN CERTIFICATE-----'*)