diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index 1bf026f..d28c08b 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -12,4 +12,9 @@
 - name: install basic roles
 include_role:
- name: opensmtpd
+ name: "{{ role }}"
+ with_items:
+ - opensmtpd
+ - pki
+ loop_control:
+ loop_var: role
diff --git a/roles/pki/tasks/main.yml b/roles/pki/tasks/main.yml
new file mode 100644
index 0000000..7c2523b
--- /dev/null
+++ b/roles/pki/tasks/main.yml
@@ -0,0 +1,25 @@
+---
+
+- name: copy ca certificate
+ copy:
+ src: "/srv/ca/certs/ca.crt"
+ dest: "/etc/pki/tls/certs/ca.crt"
+ mode: 0644
+ owner: root
+ group: root
+
+- name: copy host certificate
+ copy:
+ src: "/srv/ca/certs/{{ inventory_hostname }}.crt"
+ dest: "/etc/pki/tls/certs/{{ inventory_hostname }}.crt"
+ mode: 0644
+ owner: root
+ group: root
+
+- name: copy host key
+ copy:
+ src: "/srv/ca/private/{{ inventory_hostname }}.key"
+ dest: "/etc/pki/tls/private/{{ inventory_hostname }}.key"
+ mode: 0600
+ owner: root
+ group: root
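Review bot: The `with_items` list in roles/base/tasks/main.yml applies `opensmtpd` before `pki`, so on a first run the mail role is configured before the CA certificate, host certificate and key exist on the host. Whether that matters depends on the opensmtpd role, which is not visible in this diff; if its configuration references files under `/etc/pki/tls`, list `- pki` ahead of `- opensmtpd`.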
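Review bot: The `copy host key` task in roles/pki/tasks/main.yml can expose the private key in play output and logs when the playbook is run with `--diff`, because `copy` reports a content diff for changed text files; add `diff: false` (or `no_log: true`) to that task. The three `mode:` values are bare octal literals and depend on the YAML loader reading them as octal; the quoted forms `mode: "0644"` and `mode: "0600"` remove that dependency. `copy` does not create parent directories, so if a target lacks `/etc/pki/tls/private` the key task fails; a preceding `file` task with `state: directory` and `mode: "0700"` would make the role self-contained.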