diff --git a/services/src/main/java/org/keycloak/services/resources/admin/ClientAttributeCertificateResource.java b/services/src/main/java/org/keycloak/services/resources/admin/ClientAttributeCertificateResource.java
index 895bd647ab..4f41596a1c 100755
--- a/services/src/main/java/org/keycloak/services/resources/admin/ClientAttributeCertificateResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/ClientAttributeCertificateResource.java
@@ -171,7 +171,7 @@ public class ClientAttributeCertificateResource {
      *
      * @param uriInfo
      * @param input
-     * @return
+     * @return information extracted from uploaded certificate - not necessarily the new state of certificate on the server
      * @throws IOException
      */
     @POST
@@ -189,6 +189,7 @@ public class ClientAttributeCertificateResource {
 
         if (info.getCertificate() != null) {
             client.setAttribute(certificateAttribute, info.getCertificate());
+            client.removeAttribute(privateAttribute);
         } else {
             throw new ErrorResponseException("certificate-not-found", "Certificate with given alias not found in the keystore", Response.Status.BAD_REQUEST);
         }
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/CredentialsTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/CredentialsTest.java
index a9d038ed90..0b2ffafbf2 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/CredentialsTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/CredentialsTest.java
@@ -147,8 +147,7 @@ public class CredentialsTest extends AbstractClientTest {
         // Get the certificate - to make sure cert was properly updated, and privateKey is null
         cert = certRsc.getKeyInfo();
         assertEquals("cert properly set", certificate2, cert.getCertificate());
-        // TODO: KEYCLOAK-2981
-        //assertNull("privateKey nullified", cert.getPrivateKey());
+        assertNull("privateKey nullified", cert.getPrivateKey());
 
         // Re-upload the private key
         certRsc.uploadJks(keyCertForm);