diff --git a/roles/dovecot/tasks/main.yml b/roles/dovecot/tasks/main.yml
index d211bf7..c0cf45f 100644
--- a/roles/dovecot/tasks/main.yml
+++ b/roles/dovecot/tasks/main.yml
@@ -15,6 +15,7 @@
   with_first_found:
     - "/srv/letsencrypt/live/{{ mail_server }}/privkey.pem"
     - "/srv/ca/private/{{ inventory_hostname }}.key"
+  tags: certificates
   notify: restart dovecot
 
 - name: install certificate
@@ -27,6 +28,7 @@
   with_first_found:
     - "/srv/letsencrypt/live/{{ mail_server }}/fullchain.pem"
     - "/srv/ca/certs/{{ inventory_hostname }}.crt"
+  tages: certificates
   notify: restart dovecot
 
 - name: create local config
diff --git a/roles/ldap/server/tasks/main.yml b/roles/ldap/server/tasks/main.yml
index 08b1253..6a189f6 100644
--- a/roles/ldap/server/tasks/main.yml
+++ b/roles/ldap/server/tasks/main.yml
@@ -80,6 +80,7 @@
     mode: 0644
     owner: root
     group: "{{ ansible_wheel }}"
+  tags: certificates
   notify: restart slapd
 - name: copy ldap server key
   copy:
@@ -88,6 +89,7 @@
     mode: 0640
     owner: root
     group: ldap
+  tags: certificates
   notify: restart slapd
 - name: copy ldap server certificate chain
   copy:
@@ -96,6 +98,7 @@
     mode: 0644
     owner: root
     group: "{{ ansible_wheel }}"
+  tags: certificates
   notify: restart slapd
 - name: get ldap server chain hash
   command: "openssl x509 -in /srv/letsencrypt/live/{{ ldap_server_cert }}/chain.pem -noout -hash"
diff --git a/roles/nginx/site/tasks/main.yml b/roles/nginx/site/tasks/main.yml
index d68706d..b66649c 100644
--- a/roles/nginx/site/tasks/main.yml
+++ b/roles/nginx/site/tasks/main.yml
@@ -28,6 +28,7 @@
     - "/srv/letsencrypt/live/{{ site }}/privkey.pem"
     - "/srv/ca/private/{{ site }}.key"
     - "/srv/ca/private/{{ inventory_hostname }}.key"
+  tags: certificates
   notify: restart nginx
 
 - name: "copy site certificate for {{ site }}"
@@ -41,4 +42,5 @@
     - "/srv/letsencrypt/live/{{ site }}/fullchain.pem"
     - "/srv/ca/certs/{{ site }}.crt"
     - "/srv/ca/certs/{{ inventory_hostname }}.crt"
+  tags: certificates
   notify: restart nginx
diff --git a/roles/nsd/tasks/main.yml b/roles/nsd/tasks/main.yml
index 93d28f7..5fa17ba 100644
--- a/roles/nsd/tasks/main.yml
+++ b/roles/nsd/tasks/main.yml
@@ -10,6 +10,7 @@
     - "/srv/letsencrypt/live/{{ nsd_server }}/privkey.pem"
     - "/srv/ca/private/{{ nsd_server }}.key"
     - "/srv/ca/private/{{ inventory_hostname }}.key"
+  tags: certificates
   notify: restart nsd
 
 - name: copy server key
@@ -23,6 +24,7 @@
     - "/srv/letsencrypt/live/{{ nsd_server }}/fullchain.pem"
     - "/srv/ca/certs/{{ site }}.crt"
     - "/srv/ca/certs/{{ inventory_hostname }}.crt"
+  tags: certificates
   notify: restart nsd
 
 - name: create nsd config
diff --git a/roles/syslogd/tasks/server.yml b/roles/syslogd/tasks/server.yml
index 3de2491..107f7b1 100644
--- a/roles/syslogd/tasks/server.yml
+++ b/roles/syslogd/tasks/server.yml
@@ -26,6 +26,7 @@
     mode: 0600
     owner: root
     group: "{{ ansible_wheel }}"
+  tags: certificates
 
 - name: copy server crt
   copy:
@@ -34,6 +35,7 @@
     mode: 0644
     owner: root
     group: "{{ ansible_wheel }}"
+  tags: certificates
 
 - name: add archiving to syslog.conf
   blockinfile: