diff --git a/changelogs/fragments/9694-ipa-host-certificate-revoked.yml b/changelogs/fragments/9694-ipa-host-certificate-revoked.yml
new file mode 100644
index 0000000000..71dcbb2a17
--- /dev/null
+++ b/changelogs/fragments/9694-ipa-host-certificate-revoked.yml
@@ -0,0 +1,2 @@
+bugfixes:
+ - ipa_host - module revoked existing host certificates even if ``user_certificate`` was not given (https://github.com/ansible-collections/community.general/pull/9694).
diff --git a/plugins/modules/ipa_host.py b/plugins/modules/ipa_host.py
index 791cee91f3..a30f6b1ea2 100644
--- a/plugins/modules/ipa_host.py
+++ b/plugins/modules/ipa_host.py
@@ -272,6 +272,10 @@ def ensure(module, client):
 data = {}
 for key in diff:
 data[key] = module_host.get(key)
+ if "usercertificate" not in data:
+ data["usercertificate"] = [
+ cert['__base64__'] for cert in ipa_host.get("usercertificate", [])
+ ]
 ipa_host_show = client.host_show(name=name)
 if ipa_host_show.get('has_keytab', True) and (state == 'disabled' or module.params.get('random_password')):
 client.host_disable(name=name)
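Review bot: The comprehension in the added `if "usercertificate" not in data:` block indexes `cert['__base64__']` on every entry returned for the host, so an entry in any other shape (a plain string, or a dict without that key) raises TypeError or KeyError partway through the update path. Host certificates are security-relevant state, so a malformed entry should produce a clear module failure rather than an unhandled exception. The block also sends bare base64 strings, and whether that matches the shape the module builds for `usercertificate` when `user_certificate` is given is not visible in this hunk, so it is worth confirming the two agree. I would add a why-comment above the block, such as `# Re-send the host's current certificates so the update does not revoke them when user_certificate is not given`, because without it the lines look redundant and removing them would silently bring back the revocation described in the changelog fragment. `ensure` starts and ends outside the hunk, so how `data` reaches the server is not shown here.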