diff --git a/REFERENCE.md b/REFERENCE.md
index 4a5314fbd0aac8d3d4309a56301fc37168dfb65c..671e00463c3208ddf121b994b0b1f4dd450b1934 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -96,6 +96,7 @@ The following parameters are available in the `cfssl` class:
 * [`serve_config`](#serve_config)
 * [`crl_manage`](#crl_manage)
 * [`crldir`](#crldir)
+* [`crldir_manage`](#crldir_manage)
 * [`crl_expiry`](#crl_expiry)
 * [`crl_gentimer`](#crl_gentimer)
 * [`crl_extension`](#crl_extension)
@@ -261,6 +262,14 @@ A directory where the CRL file is written.
 
 Default value: `'/var/cfssl'`
 
+##### <a name="crldir_manage"></a>`crldir_manage`
+
+Data type: `Boolean`
+
+Determines whether Puppet manages the `crldir` directory.
+
+Default value: ``true``
+
 ##### <a name="crl_expiry"></a>`crl_expiry`
 
 Data type: `Integer`
diff --git a/manifests/init.pp b/manifests/init.pp
index 8dbfd49f5180f796e0901ea7fb7cfb94695a9fc5..1e0f537db2a9346c1ebbe140899c30461f6c6ce0 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -45,6 +45,7 @@
 # @param serve_config The configuration of CFSSL serve process.
 # @param crl_manage If true a CRL file is generated from the served autority.
 # @param crldir A directory where the CRL file is written.
+# @param crldir_manage Determines whether Puppet manages the `crldir` directory.
 # @param crl_expiry A value, in seconds, after which the CRL should expire from the moment of the request
 # @param crl_gentimer Systemd timer https://www.freedesktop.org/software/systemd/man/systemd.time.html
 # @param crl_extension The filename extension suffix used form generated CRL.
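Review bot: The new `@param crldir_manage` line does not say what the module expects of `crldir` when the flag is false, yet that is the case where Puppet stops enforcing `mode => '0700'` and the service owner on the directory that holds the revocation list. I would spell out the contract, for example `# @param crldir_manage If true, Puppet creates crldir with mode 0700 owned by the service user. If false, the directory must already exist and be writable only by the account that generates the CRL.` Which account writes the CRL is not visible in this diff, so that wording should be checked against the generation code. REFERENCE.md carries the same sentence and would need the same update.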
@@ -71,6 +72,7 @@ class cfssl (
   Cfssl::Serveconfig $serve_config = { signing => { 'default' => { expiry => '1h', usages => ['client auth'] } } },
   Boolean $crl_manage = false,
   Stdlib::Absolutepath $crldir = '/var/cfssl',
+  Boolean $crldir_manage = true,
   Integer $crl_expiry = 604800,
   String[1] $crl_gentimer = '*:00:00',
   String[1] $crl_extension  = 'pem',
@@ -129,7 +131,7 @@ class cfssl (
     }
   }
 
-  file { [$confdir, "${confdir}/ca", $logdir, $crldir]:
+  file { [$confdir, "${confdir}/ca", $logdir]:
     ensure  => directory,
     mode    => '0700',
     owner   => $sysuser,
@@ -137,6 +139,16 @@ class cfssl (
     require => User[$sysuser],
   }
 
+  if $crldir_manage {
+    file { $crldir:
+      ensure  => directory,
+      mode    => '0700',
+      owner   => $sysuser,
+      group   => $sysgroup,
+      require => User[$sysuser],
+    }
+  }
+
   postgresql::server::db { $dbname:
     user     => $dbuser,
     password => postgresql::postgresql_password($dbuser, $dbpassword),
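Review bot: The `file { $crldir: ... }` block added under `if $crldir_manage` repeats all five attributes of the directory resource just above it, so a later tightening of `mode` or `owner` can land on one declaration and be missed on the other. Keeping a single declaration avoids that drift: `$managed_dirs = [$confdir, "${confdir}/ca", $logdir] + ($crldir_manage ? { true => [$crldir], default => [] })` followed by `file { $managed_dirs:` in the existing resource. The class body begins and continues outside this hunk, so whether anything later depends on `File[$crldir]` when the flag is false cannot be confirmed from here.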