diff --git a/roles/sendmail/files/update-sendmail-certs.sh b/roles/sendmail/files/update-sendmail-certs.sh
new file mode 100644
index 0000000..0e0bbc9
--- /dev/null
+++ b/roles/sendmail/files/update-sendmail-certs.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+set -eu
+umask 022
+
+tmpdir="$(mktemp -d -p /etc/mail)"
+trap 'rm -rf "$tmpdir"' EXIT
+chmod 0755 "$tmpdir"
+
+awk '{
+ if ($0 == "-----BEGIN CERTIFICATE-----") cert=""
+ else if ($0 == "-----END CERTIFICATE-----") print cert
+ else cert=cert$0
+}' /etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/ca.crt | while read -r CERT; do
+ echo "$CERT" | base64 -d | openssl x509 -inform DER > \
+ "${tmpdir}/$(echo "$CERT" | base64 -d | openssl x509 -inform DER -hash -noout).0"
+done
+
+if ! diff -q "$tmpdir" "/etc/mail/certs" > /dev/null 2>&1 ; then
+ rm -rf /etc/mail/certs
+ mv "$tmpdir" /etc/mail/certs
+ exit 0
+fi
+
+exit 1
diff --git a/roles/sendmail/handlers/main.yml b/roles/sendmail/handlers/main.yml
index 811e9ee..3c47d7f 100644
--- a/roles/sendmail/handlers/main.yml
+++ b/roles/sendmail/handlers/main.yml
@@ -21,3 +21,11 @@
 - newaliases
 register: result
 changed_when: result.rc == 0
+
+- name: Update sendmail root certs
+ ansible.builtin.command:
+ argv:
+ - update-sendmail-certs
+ register: result
+ failed_when: false
+ changed_when: result.rc == 0
diff --git a/roles/sendmail/meta/main.yml b/roles/sendmail/meta/main.yml
index 4dc7ba0..ad8bde3 100644
--- a/roles/sendmail/meta/main.yml
+++ b/roles/sendmail/meta/main.yml
@@ -1,5 +1,5 @@ --- - dependencies: - {role: dhparams} + - {role: pki} - {role: saslauthd}
diff --git a/roles/sendmail/tasks/main.yml b/roles/sendmail/tasks/main.yml
index 117b47c..c247eed 100644
--- a/roles/sendmail/tasks/main.yml
+++ b/roles/sendmail/tasks/main.yml
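Review bot: Two CA certificates whose subject names hash to the same value overwrite each other in the while loop, because the output name `"${tmpdir}/$(… -hash -noout).0"` always ends in .0, while OpenSSL's hashed-directory lookup expects colliding subjects to be numbered .0, .1, … (the c_rehash convention) — one of the two roots silently drops out of /etc/mail/certs and chains anchored on it stop verifying. Decoding each entry once and taking the first free suffix for its hash fixes that and also lets a failing openssl trip `set -e` instead of producing a file named `.0`. Separately, `rm -rf /etc/mail/certs` followed by `mv` leaves a moment with no trust directory at all, and nothing in place if the mv fails; renaming the old directory aside before moving the new one in and removing it afterwards keeps a usable directory at every instant.
```sh
}' /etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/ca.crt | while read -r CERT; do
  pem="$(echo "$CERT" | base64 -d | openssl x509 -inform DER)"
  hash="$(printf '%s\n' "$pem" | openssl x509 -hash -noout)"
  # c_rehash convention: colliding subject hashes get .0, .1, ... instead of overwriting
  n=0
  while [ -e "${tmpdir}/${hash}.${n}" ]; do n=$((n + 1)); done
  printf '%s\n' "$pem" > "${tmpdir}/${hash}.${n}"
done
# ... unchanged: diff -q against /etc/mail/certs and the replacement ...
```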
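Review bot: `failed_when: false` together with `changed_when: result.rc == 0` makes every non-zero exit of update-sendmail-certs read as "nothing to update", but the script only uses `exit 1` for the no-change path — any command that trips its `set -eu` (mktemp, openssl, mv) also returns non-zero, so a broken refresh of /etc/mail/certs is reported as ok/unchanged and nobody notices. Reserve a distinct status for the no-change case, e.g. `exit 3` as the last line of update-sendmail-certs.sh (first hunk of this commit), and here use `failed_when: result.rc not in [0, 3]` in place of `failed_when: false`. The handler also invokes `update-sendmail-certs` by bare name and so presumably depends on /usr/local/sbin being on the handler's PATH; the cron entry in tasks/main.yml uses the full path, and `- /usr/local/sbin/update-sendmail-certs` in the argv would be consistent with it.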
@@ -16,6 +16,22 @@
 owner: root
 group: "{{ ansible_wheel }}"
+- name: Add script to update root certs
+ ansible.builtin.copy:
+ dest: /usr/local/sbin/update-sendmail-certs
+ src: update-sendmail-certs.sh
+ mode: "0755"
+ owner: root
+ group: "{{ ansible_wheel }}"
+ notify: Update sendmail root certs
+
+- name: Add cronjob to update root certs
+ ansible.builtin.cron:
+ name: update-sendmail-certs
+ job: /usr/local/sbin/update-sendmail-certs
+ hour: "05"
+ minute: "30"
+
 - name: Copy private key
 ansible.builtin.copy:
 dest: "{{ tls_private }}/{{ mail_server }}.key"
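Review bot: The cron task does not say whose crontab it edits; `ansible.builtin.cron` defaults to the current user when `user` is unset, and the script has to run as root to replace /etc/mail/certs, so `user: root` should be stated on the task rather than inherited from whatever become setting the play happens to use. The handler is notified only when the script file itself changes, so a refreshed /etc/pki/tls/certs/ca.crt (presumably what the newly added pki dependency manages) would not reach /etc/mail/certs until the 05:30 cron run unless that role notifies this handler as well; worth confirming. The task list continues outside the hunk.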