diff --git a/roles/unbound/tasks/main.yml b/roles/unbound/tasks/main.yml
index 44a4358..6b116cd 100644
--- a/roles/unbound/tasks/main.yml
+++ b/roles/unbound/tasks/main.yml
@@ -17,6 +17,29 @@
update_cache: true
name: unbound
state: present
+ register: unbound_install
+
+- name: check if unbound-control certificate exists
+ stat:
+ path: /etc/unbound/unbound_control.pem
+ register: ubc_control_pem
+
+
+- name: check if unbound server certificate exists
+ stat:
+ path: /etc/unbound/unbound_server.pem
+ register: ubc_server_pem
+
+- name: run unbound-control-setup if a certificate is missing
+ command: unbound-control-setup
+ become: yes
+ when: ubc_control_pem.stat.exists == False or ubc_server_pem.stat.exists == False
+
+- name: add unbound-control configuration
+ template:
+ src: unbound-control.conf.j2
+ dest: /etc/unbound/unbound.conf.d/unbound-control.conf
+ mode: 0644

- name: setup main unbound config file
template:
diff --git a/roles/unbound/templates/unbound-control.conf.j2 b/roles/unbound/templates/unbound-control.conf.j2
new file mode 100644
index 0000000..edaa6c2
--- /dev/null
+++ b/roles/unbound/templates/unbound-control.conf.j2
@@ -0,0 +1,23 @@
+remote-control:
+ # Enable remote control with unbound-control(8) here.
+ # set up the keys and certificates with unbound-control-setup.
+ control-enable: yes
+
+ # what interfaces are listened to for remote control.
+ # give 0.0.0.0 and ::0 to listen to all interfaces.
+ control-interface: 127.0.0.1
+
+ # port number for remote control operations.
+ control-port: 8953
+
+ # unbound server key file.
+ server-key-file: "/etc/unbound/unbound_server.key"
+
+ # unbound server certificate file.
+ server-cert-file: "/etc/unbound/unbound_server.pem"
+
+ # unbound-control key file.
+ control-key-file: "/etc/unbound/unbound_control.key"
+
+ # unbound-control certificate file.
+ control-cert-file: "/etc/unbound/unbound_control.pem"
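Review bot: The regeneration guard in the `run unbound-control-setup` task only stats the two `.pem` files, so a host where `unbound_server.key` or `unbound_control.key` is missing or was removed while the certificates remain will skip setup and leave unbound unable to start its remote-control listener; either stat all four files the template references or run `unbound-control-setup` with `creates:` pointing at the key file it writes. The condition itself should use Ansible's boolean idiom rather than comparing to `False`: `when: not ubc_control_pem.stat.exists or not ubc_server_pem.stat.exists`. `mode: 0644` is an unquoted octal literal and `become: yes` a YAML 1.1 truthy; write `mode: "0644"` and `become: true`. The new `add unbound-control configuration` task has no `notify:`, so if the role already has a restart/reload handler (presumably used by the main config task that follows), this task should notify it too, otherwise the remote-control section is not applied until something else restarts unbound. `register: unbound_install` is added but not read anywhere in this hunk; drop it unless a later task uses it.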
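Review bot: The new template contains no Jinja expressions, so every value is hard-coded; either ship it with `copy:` as a static file or make `control-interface` and `control-port` role defaults (`control-interface: {{ unbound_control_interface }}`) so a host that needs a different bind address does not have to fork the template. A `# {{ ansible_managed }}` header would also tell an operator editing the rendered file under `/etc/unbound/unbound.conf.d/` that it is overwritten by the role. Binding to `127.0.0.1` with `control-use-cert` left at its default is the right choice here; the comment block copied from the stock unbound.conf mentioning `0.0.0.0`/`::0` could be trimmed so nobody reads it as a recommendation. The key and certificate paths must stay in step with what `unbound-control-setup` writes and with the `stat` checks in tasks/main.yml, which is worth a one-line comment at the top of the template.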