diff --git a/roles/generate-cert/defaults/main.yml b/roles/generate-cert/defaults/main.yml
index 448d42a..b4bded4 100644
--- a/roles/generate-cert/defaults/main.yml
+++ b/roles/generate-cert/defaults/main.yml
@@ -2,3 +2,4 @@
 key_usage:
 - digitalSignature
 - keyEncipherment
+validity_duration: "+365d"
diff --git a/roles/generate-cert/tasks/main.yml b/roles/generate-cert/tasks/main.yml
index 149fffb..e4dcdba 100644
--- a/roles/generate-cert/tasks/main.yml
+++ b/roles/generate-cert/tasks/main.yml
@@ -40,6 +40,36 @@
   delegate_to: localhost
   when: not key_file.stat.exists
 
+- name: Put the CA in a file
+  become: false
+  copy:
+    content: "{{ ca_cert }}"
+    dest: "/tmp/ansible_hacky_pki_ca.crt"
+  delegate_to: localhost
+  when: not key_file.stat.exists
+
+- name: Put the CA key in a file
+  become: false
+  copy:
+    content: "{{ ca_key }}"
+    dest: "/tmp/ansible_hacky_pki_ca.key"
+    mode: u=rw,g=,o=
+  delegate_to: localhost
+  when: not key_file.stat.exists
+
+- name: Sign the certificate
+  become: false
+  openssl_certificate:
+    path: "/tmp/ansible_hacky_pki_{{ cname }}.crt"
+    csr_path: "/tmp/ansible_hacky_pki_{{ cname }}.csr"
+    ownca_not_after: "{{ validity_duration }}"
+    ownca_path: /tmp/ansible_hacky_pki_ca.crt
+    ownca_privatekey_passphrase: "{{ ca_passphrase }}"
+    ownca_privatekey_path: /tmp/ansible_hacky_pki_ca.key
+    provider: ownca
+  delegate_to: localhost
+  when: not key_file.stat.exists
+
 - name: Send private key to the server
   copy:
     src: "/tmp/ansible_hacky_pki_{{ cname }}.key"
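Review bot: The new default `validity_duration: "+365d"` carries no comment, so anyone overriding it from inventory has to find the `openssl_certificate` task to learn which formats are accepted. Add a line above it such as `# Certificate lifetime handed to openssl_certificate's ownca_not_after (relative timespec, e.g. "+365d")`. Quoting the value is right, since a bare `+365d` would otherwise be at the mercy of the parser's scalar inference.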
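Review bot: The "Put the CA key in a file" task passes `{{ ca_key }}` through `copy`'s `content` argument without `no_log: true`, so a run at `-v` or higher, or a failure of that task, prints the CA private key to the console and to whatever captures the play output; add `no_log: true` to that task (the passphrase on the `openssl_certificate` task appears to be covered by the module's own argument spec, but `copy`'s `content` is not). The key is also written to a fixed, predictable path under `/tmp` on the controller and nothing in this hunk removes it afterwards, so it outlives the play; a `file: state: absent` cleanup in an `always:` section, or a directory created by the `tempfile` module with a restricted mode, would bound its lifetime and avoid sharing a well-known name with other local users. As a matter of style, the three new tasks each repeat `become: false`, `delegate_to: localhost` and `when: not key_file.stat.exists`; wrapping them in a `block:` that carries those keys once would make the gating obvious and give the cleanup a natural home. Minor: `ownca_path` and `ownca_privatekey_path` are unquoted while every other path in the hunk is quoted; quote them for consistency.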