diff --git a/roles/foreman_custom_certs/tasks/main.yml b/roles/foreman_custom_certs/tasks/main.yml
new file mode 100644
index 000000000..a30f5ee00
--- /dev/null
+++ b/roles/foreman_custom_certs/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+- name: Create custom certs
+  include_role:
+    name: ownca
+  vars:
+    ownca_cert_name: "{{ ansible_fqdn }}"
+
+- name: Update Installer parameters
+  set_fact:
+    foreman_installer_options: "{{ (foreman_installer_options|default([])) + ['--certs-server-cert /opt/ownca/{{ ansible_fqdn }}/{{ ansible_fqdn }}.crt', '--certs-server-key /opt/ownca/{{ ansible_fqdn }}/{{ ansible_fqdn }}.key', '--certs-server-ca-cert /opt/ownca/cacert.crt'] }}"
diff --git a/roles/ownca/defaults/main.yml b/roles/ownca/defaults/main.yml
new file mode 100644
index 000000000..019988ecc
--- /dev/null
+++ b/roles/ownca/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+ownca_deploy: true
+ownca_bin_path: /usr/local/bin/ownca
+ownca_ca_path: /opt/ownca/
diff --git a/roles/ownca/molecule/default/converge.yml b/roles/ownca/molecule/default/converge.yml
new file mode 100644
index 000000000..122fce32f
--- /dev/null
+++ b/roles/ownca/molecule/default/converge.yml
@@ -0,0 +1,8 @@
+---
+- name: Converge
+  hosts: all
+  gather_facts: true
+  vars:
+    ownca_cert_name: host.example.com
+  roles:
+    - ownca
diff --git a/roles/ownca/molecule/default/molecule.yml b/roles/ownca/molecule/default/molecule.yml
new file mode 100644
index 000000000..5c11d0365
--- /dev/null
+++ b/roles/ownca/molecule/default/molecule.yml
@@ -0,0 +1,16 @@
+---
+dependency:
+  name: galaxy
+driver:
+  name: ${DRIVER_NAME:-podman}
+platforms:
+  - name: centos8
+    image: centos:stream8
+provisioner:
+  name: ansible
+verifier:
+  name: ansible
+lint: |
+  set -e
+  yamllint -c ../../.yamllint .
+  ansible-lint .
diff --git a/roles/ownca/molecule/default/verify.yml b/roles/ownca/molecule/default/verify.yml
new file mode 100644
index 000000000..ee55b9af4
--- /dev/null
+++ b/roles/ownca/molecule/default/verify.yml
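Review bot: The installer options in `Update Installer parameters` hard-code `/opt/ownca/...`, while the included ownca role exposes that location as `ownca_ca_path` (default `/opt/ownca/` in roles/ownca/defaults/main.yml), so anyone overriding the variable gets `--certs-server-cert`/`--certs-server-key` pointing at files the role never writes. Build the paths from the variable, e.g. `'--certs-server-cert {{ ownca_ca_path }}/{{ ansible_fqdn }}/{{ ansible_fqdn }}.crt'`, and likewise for the key and CA cert entries. The nested `{{ ansible_fqdn }}` moustaches inside the outer Jinja expression are fragile; concatenating with `~` (`'--certs-server-cert ' ~ ownca_ca_path ~ '/' ~ ansible_fqdn ~ ...`) is the unambiguous form. Nothing visible in this diff produces `cacert.crt` at the CA root, so that filename should be confirmed against what the ownca tool actually writes.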
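Review bot: `ownca_ca_path` defaults to `/opt/ownca/` with a trailing slash, but roles/ownca/tasks/main.yml joins it as `{{ ownca_ca_path }}/private/cakey.crt`, which yields `/opt/ownca//private/cakey.crt`; that resolves on Linux but makes the `creates:` guards inconsistent with the literal `/opt/ownca/...` paths used in foreman_custom_certs and verify.yml. Drop the slash: `ownca_ca_path: /opt/ownca`. Also, `ownca_deploy: true` means the role fetches the ownca script from the network by default (roles/ownca/tasks/deploy.yml); document that above the key, e.g. `# set to false when ownca is already present at ownca_bin_path`.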
@@ -0,0 +1,21 @@
+---
+- name: Verify
+  hosts: all
+  gather_facts: false
+  tasks:
+    - name: find ca cert
+      stat:
+        path: "/opt/ownca/private/cakey.crt"
+      register: cacert
+    - name: ensure ca cert exists
+      assert:
+        that:
+          - cacert.stat.exists
+    - name: find cert
+      stat:
+        path: "/opt/ownca/host.example.com/host.example.com.crt"
+      register: cert
+    - name: ensure cert exists
+      assert:
+        that:
+          - cert.stat.exists
diff --git a/roles/ownca/tasks/deploy.yml b/roles/ownca/tasks/deploy.yml
new file mode 100644
index 000000000..e7b4a94e8
--- /dev/null
+++ b/roles/ownca/tasks/deploy.yml
@@ -0,0 +1,11 @@
+---
+- name: Install OpenSSL
+  package:
+    name: openssl
+    state: present
+
+- name: Deploy OwnCA
+  get_url:
+    url: https://raw.githubusercontent.com/ekohl/ownca/master/ownca
+    dest: "{{ ownca_bin_path }}"
+    mode: '0755'
diff --git a/roles/ownca/tasks/main.yml b/roles/ownca/tasks/main.yml
new file mode 100644
index 000000000..9b04989ea
--- /dev/null
+++ b/roles/ownca/tasks/main.yml
@@ -0,0 +1,22 @@
+---
+- name: Deploy OwnCA
+  include_tasks: deploy.yml
+  when: ownca_deploy
+
+- name: Create CA directory
+  file:
+    path: "{{ ownca_ca_path }}"
+    state: directory
+
+- name: Generate CA
+  command:
+    cmd: "{{ ownca_bin_path }} ca"
+    creates: "{{ ownca_ca_path }}/private/cakey.crt"
+    chdir: "{{ ownca_ca_path }}"
+
+- name: Generate certificate
+  command:
+    cmd: "{{ ownca_bin_path }} cert {{ ownca_cert_name }}"
+    creates: "{{ ownca_ca_path }}/{{ ownca_cert_name }}/{{ ownca_cert_name }}.crt"
+    chdir: "{{ ownca_ca_path }}"
+  when: ownca_cert_name is defined
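Review bot: The verify playbook only asserts that `/opt/ownca/private/cakey.crt` and the host certificate exist. The file under `private/` looks like the CA private key (the name says key despite the `.crt` extension — confirm against the ownca tool), and since the `stat` result is already registered as `cacert`, the test is the natural place to also check it is not readable by other users, e.g. add `- cacert.stat.mode in ['0600', '0400']` to the first assert's `that:` list, adjusted to whatever mode ownca actually sets. The paths also duplicate the role default `ownca_ca_path` literally; that is acceptable in a test, but a comment such as `# paths mirror roles/ownca/defaults/main.yml` would keep them from drifting silently.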
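Review bot: `Deploy OwnCA` downloads the ownca script from the `master` branch with no `checksum:`, so every run trusts whatever raw.githubusercontent.com serves at that moment, and the script is then executed as root to generate the CA private key and server certificates. Pin the URL to a fixed revision and add an integrity check: `url: https://raw.githubusercontent.com/ekohl/ownca/<pinned-commit-sha>/ownca` and `checksum: sha256:<digest-of-pinned-revision>` (placeholders to be filled in from the pinned revision). Without this, an upstream change or compromise silently alters CA generation on every host that runs the role.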
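Review bot: `Create CA directory` creates `{{ ownca_ca_path }}`, which the following `Generate CA` task populates with `private/cakey.crt`, without an explicit `mode:`, so the permissions of the directory holding the CA key depend on the umask of the Ansible connection. Add `mode: "0700"` to the `file:` task, relaxing it only if something other than root has to read the server cert out of it (the installer presumably runs as root — confirm). The `creates:` paths in both `command` tasks produce a double slash with the default `ownca_ca_path: /opt/ownca/`; either strip it here with `{{ ownca_ca_path | regex_replace('/$', '') }}` or fix the default.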