diff --git a/cmd/step-pkcs11-init/main.go b/cmd/step-pkcs11-init/main.go
index 174eed78..225557d4 100644
--- a/cmd/step-pkcs11-init/main.go
+++ b/cmd/step-pkcs11-init/main.go
@@ -42,6 +42,7 @@ type Config struct {
 RootFile string
 KeyFile string
 Pin string
+ NoCerts bool
 EnableSSH bool
 Force bool
 }
@@ -105,6 +106,7 @@ func main() {
 flag.StringVar(&c.RootFile, "root", "", "Path to the root certificate to use.")
 flag.StringVar(&c.KeyFile, "key", "", "Path to the root key to use.")
 flag.BoolVar(&c.EnableSSH, "ssh", false, "Enable the creation of ssh keys.")
+ flag.BoolVar(&c.NoCerts, "no-certs", false, "Do not store certificates in the module.")
 flag.BoolVar(&c.Force, "force", false, "Force the delete of previous keys.")
 flag.Usage = usage
 flag.Parse()
@@ -145,7 +147,7 @@ func main() {
 }
 if !c.Force {
 for _, u := range certUris {
- if u != "" {
+ if u != "" && !c.NoCerts {
 checkObject(k, u)
 }
 }
@@ -161,7 +163,7 @@ func main() {
 })
 if ok {
 for _, u := range certUris {
- if u != "" {
+ if u != "" && !c.NoCerts {
 if err := deleter.DeleteCertificate(u); err != nil {
 fatal(err)
 }
@@ -285,7 +287,7 @@ func createPKI(k kms.KeyManager, c Config) error {
 return errors.Wrap(err, "error parsing root certificate")
 }

- if cm, ok := k.(kms.CertificateManager); ok {
+ if cm, ok := k.(kms.CertificateManager); ok && !c.NoCerts {
 if err = cm.StoreCertificate(&apiv1.StoreCertificateRequest{
 Name: c.RootObject,
 Certificate: root,
@@ -362,7 +364,7 @@ func createPKI(k kms.KeyManager, c Config) error {
 return errors.Wrap(err, "error parsing intermediate certificate")
 }

- if cm, ok := k.(kms.CertificateManager); ok {
+ if cm, ok := k.(kms.CertificateManager); ok && !c.NoCerts {
 if err = cm.StoreCertificate(&apiv1.StoreCertificateRequest{
 Name: c.CrtObject,
 Certificate: intermediate,
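Review bot: With `-no-certs` set, the `certUris` loop in the `@@ -145,7 +147,7 @@` hunk no longer calls `checkObject`, and the loop in the `@@ -161,7 +163,7 @@` hunk no longer calls `deleter.DeleteCertificate`, so certificate objects left in the module by an earlier run are neither reported nor removed. Combined with `-force`, whose help text says it deletes previous keys, this can leave a certificate in the module that no longer corresponds to any key stored there. Consider gating only the `StoreCertificate` calls on `NoCerts` and keeping both loops as `if u != "" {`, or state the behaviour in the flag help, e.g. `"Do not store certificates in the module; existing certificate objects are not checked or deleted."`. The rest of main lies outside both hunks, so how the key objects are handled is inferred from the help text only.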
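Review bot: In the `@@ -285,7 +287,7 @@` hunk the new condition `ok && !c.NoCerts` skips `cm.StoreCertificate` for the root without a comment or any message, and the `@@ -362,7 +364,7 @@` hunk does the same for the intermediate. The visible lines do not show where else the certificates are kept, so a short comment above each condition would record the intent, e.g. `// With -no-certs only the keys live in the module; the certificate is not stored there.`. Testing the flag first, `if !c.NoCerts {` around the type assertion, would also make the opt-out easier to spot than a trailing `&& !c.NoCerts`. createPKI starts and ends outside both hunks, so whether the certificate is persisted elsewhere should be confirmed there.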