diff --git a/cas/apiv1/options.go b/cas/apiv1/options.go
index 61cac9a2..badad7fc 100644
--- a/cas/apiv1/options.go
+++ b/cas/apiv1/options.go
@@ -38,10 +38,17 @@ type Options struct {
 	CertificateChain []*x509.Certificate `json:"-"`
 	Signer           crypto.Signer       `json:"-"`
 
-	// IsCreator is set to true when we're creating a certificate authority. Is
-	// used to skip some validations when initializing a CertificateAuthority.
+	// IsCreator is set to true when we're creating a certificate authority. It
+	// is used to skip some validations when initializing a
+	// CertificateAuthority. This option is used on SoftCAS and CloudCAS.
 	IsCreator bool `json:"-"`
 
+	// IsCAGetter is set to true when we're just using the
+	// CertificateAuthorityGetter interface to retrieve the root certificate. It
+	// is used to skip some validations when initializing a
+	// CertificateAuthority. This option is used on StepCAS.
+	IsCAGetter bool `json:"-"`
+
 	// KeyManager is the KMS used to generate keys in SoftCAS.
 	KeyManager kms.KeyManager `json:"-"`
 
diff --git a/cas/stepcas/stepcas.go b/cas/stepcas/stepcas.go
index 49a99963..a124b4ae 100644
--- a/cas/stepcas/stepcas.go
+++ b/cas/stepcas/stepcas.go
@@ -47,10 +47,13 @@ func New(ctx context.Context, opts apiv1.Options) (*StepCAS, error) {
 		return nil, err
 	}
 
-	// Create configured issuer
-	iss, err := newStepIssuer(caURL, client, opts.CertificateIssuer)
-	if err != nil {
-		return nil, err
+	var iss stepIssuer
+	// Create configured issuer unless we only want to use GetCertificateAuthority.
+	// This avoid the request for the password if not provided.
+	if !opts.IsCAGetter {
+		if iss, err = newStepIssuer(caURL, client, opts.CertificateIssuer); err != nil {
+			return nil, err
+		}
 	}
 
 	return &StepCAS{
diff --git a/cas/stepcas/stepcas_test.go b/cas/stepcas/stepcas_test.go
index fb8259f5..f430a1dd 100644
--- a/cas/stepcas/stepcas_test.go
+++ b/cas/stepcas/stepcas_test.go
@@ -411,6 +411,19 @@ func TestNew(t *testing.T) {
 			client:      client,
 			fingerprint: testRootFingerprint,
 		}, false},
+		{"ok ca getter", args{context.TODO(), apiv1.Options{
+			IsCAGetter:                      true,
+			CertificateAuthority:            caURL.String(),
+			CertificateAuthorityFingerprint: testRootFingerprint,
+			CertificateIssuer: &apiv1.CertificateIssuer{
+				Type:        "jwk",
+				Provisioner: "ra@doe.org",
+			},
+		}}, &StepCAS{
+			iss:         nil,
+			client:      client,
+			fingerprint: testRootFingerprint,
+		}, false},
 		{"fail authority", args{context.TODO(), apiv1.Options{
 			CertificateAuthority:            "",
 			CertificateAuthorityFingerprint: testRootFingerprint,