diff --git a/manifests/config.pp b/manifests/config.pp
index 555459f6..5563e512 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -90,6 +90,7 @@
 if $::foreman_proxy::puppetca_modular {
 foreman_proxy::settings_file { [
 'puppetca_hostname_whitelisting',
+ 'puppetca_token_whitelisting',
 ]:
 module => false,
 }
diff --git a/manifests/init.pp b/manifests/init.pp
index 728b5fc6..8fb5bc2d 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -83,6 +83,8 @@
 #
 # $autosignfile:: Hostname-Whitelisting only: Location of puppets autosign.conf
 #
+# $puppetca_tokens_file:: Token-Whitelisting only: Location of the tokens.yaml
+#
 # $manage_puppet_group:: Whether to ensure the $puppet_group exists. Also ensures group owner of ssl keys and certs is $puppet_group
 # Not applicable when ssl is false.
 #
@@ -295,6 +297,12 @@
 #
 # $puppetca_provider:: Whether to use puppetca_hostname_whitelisting or puppetca_token_whitelisting
 #
+# $puppetca_sign_all:: Token-whitelisting only: Whether to sign all CSRs without checking their token
+#
+# $puppetca_token_ttl:: Token-whitelisting only: Fallback time (in minutes) after which tokens will expire
+#
+# $puppetca_certificate:: Token-whitelisting only: Certificate to use when encrypting tokens (undef to use SSL certificate)
+#
 class foreman_proxy (
 String $repo = $::foreman_proxy::params::repo,
 Boolean $gpgcheck = $::foreman_proxy::params::gpgcheck,
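Review bot: The new `$puppetca_tokens_file` documentation line in the init.pp hunk at -83 names the file `tokens.yaml`, but the default added to params.pp in this same commit is `/var/lib/foreman-proxy/tokens.yml`, so the comment and the default disagree on the extension. Suggested wording: `# $puppetca_tokens_file:: Token-Whitelisting only: Location of the tokens.yml file`. The `$puppetca_sign_all` line in the -295 hunk is clear as written, but since setting it to true bypasses the token check entirely it is worth saying explicitly that the default is false, e.g. `# $puppetca_sign_all:: Token-whitelisting only: Whether to sign all CSRs without checking their token (default false)`. The comment block and the class parameter list both continue outside these hunks.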
@@ -335,6 +343,10 @@
 Boolean $puppetca_modular = $::foreman_proxy::params::puppetca_modular,
 String $puppetca_provider = $::foreman_proxy::params::puppetca_provider,
 Stdlib::Absolutepath $autosignfile = $::foreman_proxy::params::autosignfile,
+ Boolean $puppetca_sign_all = $::foreman_proxy::params::puppetca_sign_all,
+ Stdlib::Absolutepath $puppetca_tokens_file = $::foreman_proxy::params::puppetca_tokens_file,
+ Integer[0] $puppetca_token_ttl = $::foreman_proxy::params::puppetca_token_ttl,
+ Optional[Stdlib::Absolutepath] $puppetca_certificate = $::foreman_proxy::params::puppetca_certificate,
 Boolean $manage_puppet_group = $::foreman_proxy::params::manage_puppet_group,
 Boolean $puppet = $::foreman_proxy::params::puppet,
 Foreman_proxy::ListenOn $puppet_listen_on = $::foreman_proxy::params::puppet_listen_on,
diff --git a/manifests/params.pp b/manifests/params.pp
index 33f1c6fc..adf9bc13 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -244,6 +244,10 @@
 $puppetca_cmd = "${puppet_cmd} cert"
 $puppet_group = 'puppet'
 $autosignfile = "${puppetdir}/autosign.conf"
+ $puppetca_sign_all = false
+ $puppetca_tokens_file = '/var/lib/foreman-proxy/tokens.yml'
+ $puppetca_token_ttl = 360
+ $puppetca_certificate = undef
 # The puppet-agent package, (puppet 4 AIO) doesn't create a puppet group
 $manage_puppet_group = versioncmp($::puppetversion, '4.0') > 0
diff --git a/spec/classes/foreman_proxy__config__spec.rb b/spec/classes/foreman_proxy__config__spec.rb
index 9fb3286a..a03f0442 100644
--- a/spec/classes/foreman_proxy__config__spec.rb
+++ b/spec/classes/foreman_proxy__config__spec.rb
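Review bot: `Integer[0] $puppetca_token_ttl` in the -335 hunk accepts a TTL of 0, but the parameter documentation added in the -295 hunk ("Fallback time (in minutes) after which tokens will expire") does not say what 0 means, and the template passes the value through unchanged. If the provider treats 0 as immediate expiry, a zero TTL makes every token unusable; if it means "never expire", that is a weaker default than the documented behaviour suggests, so either tighten the type to `Integer[1] $puppetca_token_ttl = $::foreman_proxy::params::puppetca_token_ttl,` or document the meaning of 0 next to the parameter. I cannot see the provider's handling of the value from this diff, so confirm which case applies before choosing. The parameter list continues outside the hunk on both sides.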
@@ -83,7 +83,7 @@
 'settings.d/dns_libvirt.yml', 'settings.d/dhcp.yml', 'settings.d/dhcp_isc.yml', 'settings.d/dhcp_libvirt.yml', 'settings.d/logs.yml', 'settings.d/puppet.yml', 'settings.d/puppetca.yml', 'settings.d/puppetca_hostname_whitelisting.yml', - 'settings.d/puppet_proxy_customrun.yml', + 'settings.d/puppetca_token_whitelisting.yml', 'settings.d/puppet_proxy_customrun.yml', 'settings.d/puppet_proxy_legacy.yml', 'settings.d/puppet_proxy_mcollective.yml', 'settings.d/puppet_proxy_puppet_api.yml', 'settings.d/puppet_proxy_puppetrun.yml', 'settings.d/puppet_proxy_salt.yml', 'settings.d/puppet_proxy_ssh.yml',
@@ -265,6 +265,15 @@
 ])
 end
+ it 'should generate correct puppetca_token_whitelisting.yml' do
+ verify_exact_contents(catalogue, "#{etc_dir}/foreman-proxy/settings.d/puppetca_token_whitelisting.yml", [
+ '---',
+ ':tokens_file: /var/lib/foreman-proxy/tokens.yml',
+ ':sign_all: false',
+ ':token_ttl: 360',
+ ])
+ end
+
 tftp_root = case facts[:osfamily]
 when 'Debian'
 case facts[:operatingsystem]
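Review bot: The expected lines in the new `should generate correct puppetca_token_whitelisting.yml` example (-265 hunk) are listed as tokens_file, sign_all, token_ttl, but the template added in this commit renders them as sign_all, tokens_file, token_ttl. If `verify_exact_contents` compares the rendered lines in order, this example and the matching one in the custom-params context later in the same file will fail; if it is order-insensitive, the mismatch is only confusing. Listing the expectations in template order, `':sign_all: false',` then `':tokens_file: /var/lib/foreman-proxy/tokens.yml',` then `':token_ttl: 360',`, removes the ambiguity either way. I cannot see the helper's definition from this diff, so confirm its comparison semantics.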
@@ -803,6 +812,49 @@
 it 'should not generate a puppetca_hostname_whitelisting' do
 should_not contain_file("#{etc_dir}/foreman-proxy/settings.d/puppet_hostname_whitelisting")
 end
+
+ it 'should not generate a puppetca_hostname_whitelisting' do
+ should_not contain_file("#{etc_dir}/foreman-proxy/settings.d/puppet_token_whitelisting")
+ end
+ end
+
+ context 'with custom puppetca params' do
+ let :pre_condition do
+ 'class { "foreman_proxy":
+ puppetca_provider => "puppetca_token_whitelisting",
+ puppetca_sign_all => true,
+ puppetca_tokens_file => "/foo/bar.yml",
+ autosignfile => "/bar/baz.conf",
+ puppetca_token_ttl => 42,
+ puppetca_certificate => "/bar/baz.pem",
+ }'
+ end
+
+ it 'should generate correct puppetca.yml' do
+ verify_exact_contents(catalogue, "#{etc_dir}/foreman-proxy/settings.d/puppetca.yml", [
+ '---',
+ ':enabled: https',
+ ':use_provider: puppetca_token_whitelisting',
+ ":ssldir: #{ssl_dir}",
+ ])
+ end
+
+ it 'should generate correct puppetca_hostname_whitelisting.yml' do
+ verify_exact_contents(catalogue, "#{etc_dir}/foreman-proxy/settings.d/puppetca_hostname_whitelisting.yml", [
+ '---',
+ ":autosignfile: /bar/baz.conf",
+ ])
+ end
+
+ it 'should generate correct puppetca_token_whitelisting.yml' do
+ verify_exact_contents(catalogue, "#{etc_dir}/foreman-proxy/settings.d/puppetca_token_whitelisting.yml", [
+ '---',
+ ':tokens_file: /foo/bar.yml',
+ ':sign_all: true',
+ ':token_ttl: 42',
+ ':certificate: /bar/baz.pem',
+ ])
+ end
 end
 context 'when puppetrun_provider and puppetrun_cmd set' do
diff --git a/templates/puppetca_token_whitelisting.yml.erb b/templates/puppetca_token_whitelisting.yml.erb
new file mode 100644
index 00000000..3d4c37f7
--- /dev/null
+++ b/templates/puppetca_token_whitelisting.yml.erb
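Review bot: The new negative example at the top of the -803 hunk cannot fail: it asserts the absence of `settings.d/puppet_token_whitelisting`, but the file the module actually manages (per the positive examples in this commit) is `settings.d/puppetca_token_whitelisting.yml`, so `should_not contain_file` is trivially satisfied whether or not the provider is configured. It also reuses the description of the hostname example directly above it, so a failure would be reported under the wrong name. Suggested lines: `it 'should not generate a puppetca_token_whitelisting' do` and `should_not contain_file("#{etc_dir}/foreman-proxy/settings.d/puppetca_token_whitelisting.yml")`. The pre-existing hostname example has the same path problem, but that is outside this change. The context block these examples belong to starts before the hunk.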
@@ -0,0 +1,11 @@
+---
+#
+# Configuration of the PuppetCA token_whitelisting provider
+#
+
+:sign_all: <%= scope.lookupvar('foreman_proxy::puppetca_sign_all') %>
+:tokens_file: <%= scope.lookupvar('foreman_proxy::puppetca_tokens_file') %>
+:token_ttl: <%= scope.lookupvar('foreman_proxy::puppetca_token_ttl') %>
+<% unless [nil, :undefined, :undef].include?(scope.lookupvar("foreman_proxy::puppetca_certificate")) -%>
+:certificate: <%= scope.lookupvar('foreman_proxy::puppetca_certificate') %>
+<% end -%>
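Review bot: The header comment of the new template does not explain the conditional around `:certificate:`, which is the one non-obvious part of the file: the key is emitted only when `foreman_proxy::puppetca_certificate` is set, and the class documentation added in init.pp says an undef value means the proxy's SSL certificate is used instead. A one-line comment above the `<% unless ... -%>` guard would make that readable without opening init.pp, e.g. `# :certificate: is omitted when puppetca_certificate is undef; the proxy then falls back to its SSL certificate (see foreman_proxy class docs)`. The three `scope.lookupvar` values are interpolated unquoted, which is consistent with how the booleans and integers are expected to parse, so no change there.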