diff --git a/.github/workflows/ipa-basic-test.yml b/.github/workflows/ipa-basic-test.yml
index 73f9a9d26ae..862677c76f0 100644
--- a/.github/workflows/ipa-basic-test.yml
+++ b/.github/workflows/ipa-basic-test.yml
@@ -63,6 +63,42 @@ jobs:
 docker exec ipa pki-server webapp-show ca
 docker exec ipa pki-server webapp-show pki
+ - name: Check subsystems
+ run: |
+ docker exec ipa pki-server subsystem-find | tee output
+
+ echo "ca" > expected
+ sed -n 's/^ *Subsystem ID: *\(.*\)$/\1/p' output > actual
+ diff expected actual
+
+ docker exec ipa pki-server subsystem-show ca | tee output
+
+ # CA subsystem should be enabled
+ echo "True" > expected
+ sed -n 's/^ *Enabled: *\(.*\)$/\1/p' output > actual
+ diff expected actual
+
+ - name: Check incomplete subsystems
+ run: |
+ # KRA subsystem should not exist initially
+ docker exec ipa pki-server subsystem-show kra \
+ > >(tee stdout) 2> >(tee stderr >&2) || true
+
+ echo "ERROR: No kra subsystem in instance pki-tomcat." > expected
+ diff expected stderr
+
+ # create empty KRA folder
+ docker exec ipa mkdir -p /var/lib/pki/pki-tomcat/kra
+
+ # KRA subsystem still should not exist
+ docker exec ipa pki-server subsystem-show kra \
+ > >(tee stdout) 2> >(tee stderr >&2) || true
+
+ echo "ERROR: No kra subsystem in instance pki-tomcat." > expected
+ diff expected stderr
+
+ docker exec ipa rm -rf /var/lib/pki/pki-tomcat/kra
+
 - name: Check DS certs and keys
 run: |
 docker exec ipa ls -la /etc/dirsrv/slapd-EXAMPLE-COM
@@ -160,6 +196,17 @@ jobs:
 docker exec ipa pki-server webapp-show kra
+ - name: Check subsystems
+ run: |
+ docker exec ipa pki-server subsystem-find | tee output
+
+ echo "ca" > expected
+ echo "kra" >> expected
+ sed -n 's/^ *Subsystem ID: *\(.*\)$/\1/p' output > actual
+ diff expected actual
+
+ docker exec ipa pki-server subsystem-show kra
+
 - name: Run PKI healthcheck
 run: docker exec ipa pki-healthcheck --failures-only
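Review bot: In the `Check incomplete subsystems` step of ipa-basic-test.yml, `> >(tee stdout) 2> >(tee stderr >&2) || true` is followed directly by `diff expected stderr`, but bash does not wait for process substitutions, so the `stderr` file may still be incomplete when it is compared. The `|| true` also means the step never asserts that `subsystem-show kra` exits non-zero, only that the message matches. Redirecting straight to files avoids both: `if docker exec ipa pki-server subsystem-show kra > stdout 2> stderr; then exit 1; fi` followed by `cat stderr`. The same pattern appears twice in this step and twice in the matching step added to server-basic-test.yml.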
diff --git a/.github/workflows/server-basic-test.yml b/.github/workflows/server-basic-test.yml
index fec600c9a6d..537d41ba398 100644
--- a/.github/workflows/server-basic-test.yml
+++ b/.github/workflows/server-basic-test.yml
@@ -53,6 +53,36 @@ jobs:
 sed -n 's/^ *Webapp ID: *\(.*\)$/\1/p' output > actual
 diff /dev/null actual
+ - name: Check subsystems
+ run: |
+ # there should be no subsystems
+ docker exec pki pki-server subsystem-find | tee output
+
+ sed -n 's/^ *Subsystem ID: *\(.*\)$/\1/p' output > actual
+ diff /dev/null actual
+
+ - name: Check incomplete subsystems
+ run: |
+ # subsystem should not exist
+ docker exec ipa pki-server subsystem-show ca \
+ > >(tee stdout) 2> >(tee stderr >&2) || true
+
+ echo "ERROR: No ca subsystem in instance pki-tomcat." > expected
+ diff expected stderr
+
+ # create empty subsystem folder
+ docker exec ipa mkdir -p /var/lib/pki/pki-tomcat/ca
+
+ # subsystem still should not exist
+ docker exec ipa pki-server subsystem-show ca \
+ > >(tee stdout) 2> >(tee stderr >&2) || true
+
+ echo "ERROR: No ca subsystem in instance pki-tomcat." > expected
+ diff expected stderr
+
+ # remove subsystem folder
+ docker exec ipa rm -rf /var/lib/pki/pki-tomcat/ca
+
 - name: Set up client container
 run: |
 tests/bin/runner-init.sh client
diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
index ea977cfe2a5..ad086d0af20 100644
--- a/base/server/python/pki/server/__init__.py
+++ b/base/server/python/pki/server/__init__.py
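Review bot: The `Check incomplete subsystems` step added to server-basic-test.yml runs every command with `docker exec ipa`, whereas the `Check subsystems` step added just above it in the same hunk uses `docker exec pki`. Unless this workflow also starts a container named `ipa` outside the hunk, the first `diff expected stderr` would compare docker's own error message rather than pki-server's, and the empty folder is never created in the server under test. If the target is the same server, the commands should read `docker exec pki pki-server subsystem-show ca \`, `docker exec pki mkdir -p /var/lib/pki/pki-tomcat/ca` and `docker exec pki rm -rf /var/lib/pki/pki-tomcat/ca`.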
@@ -1222,8 +1222,15 @@ def load_subsystems(self):
 for subsystem_name in SUBSYSTEM_TYPES:
 subsystem_dir = os.path.join(self.base_dir, subsystem_name)
+
+ # Ensure /var/lib/pki// exists.
 if not os.path.exists(subsystem_dir):
- # Directory does not exist
+ continue
+
+ # Ensure /var/lib/pki// is not empty.
+ # This is needed by https://issues.redhat.com/browse/RHEL-21568.
+ if not os.listdir(subsystem_dir):
+ # Directory exists but it is empty
 continue
 subsystem = pki.server.subsystem.PKISubsystemFactory.create(self, subsystem_name)
diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py
index ca153d4a62a..0a442fc8cd5 100644
--- a/base/server/python/pki/server/cli/subsystem.py
+++ b/base/server/python/pki/server/cli/subsystem.py
@@ -189,7 +189,7 @@ def execute(self, argv):
 subsystem = instance.get_subsystem(subsystem_name)
 if not subsystem:
- logger.error('ERROR: No %s subsystem in instance %s.',
+ logger.error('No %s subsystem in instance %s.',
 subsystem_name, instance_name)
 sys.exit(1)
@@ -944,7 +944,7 @@ def execute(self, argv):
 subsystem = instance.get_subsystem(subsystem_name)
 if not subsystem:
- logger.error('ERROR: No %s subsystem in instance %s.',
+ logger.error('No %s subsystem in instance %s.',
 subsystem_name, instance_name)
 sys.exit(1)
 cert = subsystem.get_subsystem_cert(cert_id)
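Review bot: In `load_subsystems` (base/server/python/pki/server/__init__.py), `os.listdir(subsystem_dir)` is reached for anything that passes `os.path.exists`, so a regular file or an unreadable directory at that path raises `NotADirectoryError` or `PermissionError` and aborts loading of every subsystem instead of skipping the one entry. Replacing the first test with `if not os.path.isdir(subsystem_dir): continue` covers the non-directory case. "Not empty" is also a loose test for "subsystem present": a directory holding any stray file is still handed to `PKISubsystemFactory.create`, so checking for the file that `create` actually needs would be stricter, though what it reads is not visible in this hunk. The loop body continues outside the hunk.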