diff --git a/roles/opensslCA/meta/main.yml b/roles/opensslCA/meta/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..e4937cf1e27a3ce8c9a84fdf127b00fe7fd33f3f
--- /dev/null
+++ b/roles/opensslCA/meta/main.yml
@@ -0,0 +1,3 @@
+---
+depdenencies:
+  - {role: commonVars }
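Review bot: The key on the second line of this file is misspelled as `depdenencies:`, so Ansible will not treat it as the role's dependency list and `commonVars` is not pulled in ahead of `opensslCA` (depending on the Ansible version, the unknown key is either ignored or rejected). It should read `dependencies:`. The flow mapping is also spaced unevenly; block style, `  - role: commonVars`, reads more cleanly and matches the task files.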
diff --git a/roles/opensslCA/tasks/main.yml b/roles/opensslCA/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..3655359c3c5323e8e417fc4cbea632b470ca3286
--- /dev/null
+++ b/roles/opensslCA/tasks/main.yml
@@ -0,0 +1,37 @@
+---
+- name : make ca dir
+  file: path={{ x509cadir }} owner=root group=root state=directory
+  sudo: true
+
+- name : make newcerts dir
+  file: path={{ x509cadir }}/newcerts owner=root group=root state=directory
+  sudo: true
+
+- name : make private dir
+  file: path={{ x509cadir }}/private mode=700 owner=root group=root state=directory
+  sudo: true
+
+- name: initialise ca
+  shell: echo 01 > serial ; touch index.txt
+  args: 
+    chdir: "{{ x509cadir }}"
+    creates: index.txt
+  sudo: true
+
+- name: template openssl.cnf
+  template: dest={{ x509cadir }}/openssl.cnf src=openssl_cnf.j2
+  sudo: true
+
+- name: generate key
+  shell: openssl genrsa -out private/cakey.pem 2048
+  args:
+    chdir: "{{ x509cadir }}"
+    creates: private/cakey.pem
+  sudo: true
+
+- name: generate cert
+  shell: openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650 -config openssl.cnf
+  args:
+    chdir: "{{ x509cadir }}"
+    creates: cacert.pem
+  sudo: true
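Review bot: The CA private key written by the `generate key` task is unencrypted, and its file mode is whatever the umask of the sudo shell produces; the only protection visible in this file is `mode=700` on the `private` directory. Pin the key file itself with a task directly after generation, `file: path={{ x509cadir }}/private/cakey.pem mode=0600 owner=root group=root state=file`, so the key stays unreadable even if the directory mode is later changed. It is also worth a comment on the `generate cert` task that this is a 2048-bit key with `-days 3650`, held in the clear on a host that is reachable over SSH, so that the trade-off is recorded rather than implicit.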
diff --git a/roles/opensslCA/templates/openssl_cnf.j2 b/roles/opensslCA/templates/openssl_cnf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..ef60d393fd7e2051fe69ad7f5988519744a8c916
--- /dev/null
+++ b/roles/opensslCA/templates/openssl_cnf.j2
@@ -0,0 +1,50 @@
+[ ca ]
+default_ca = CA_default
+
+[ CA_default ]
+dir= {{ x509cadir }}
+certs = $dir/certs
+new_certs_dir = $dir/newcerts
+crl_dir = $dir/crl
+crl = $dir/crl.pem
+crlnumber   = $dir/crlnumber
+database = $dir/index.txt
+private_key = $dir/private/cakey.pem
+RANDFILE = $dir/private/.rand
+x509_extensions = usr_cert
+name_opt    = ca_default        # Subject Name options
+cert_opt    = ca_default        # Certificate field options
+default_days    = 365           # how long to certify for
+default_crl_days= 30            # how long before next CRL
+default_md  = default       # use public key default MD
+preserve    = no            # keep passed DN ordering
+policy      = policy_match
+certificate = $dir/cacert.pem
+serial = $dir/serial
+email_in_dn = no
+unique_subject = no
+
+[ req ]
+distinguished_name = default_name
+prompt = no
+
+[ default_name ] 
+countryName = NA
+stateOrProvinceName = NA
+organizationName    = NA
+commonName = ca
+
+[ policy_match ]
+countryName     = match
+stateOrProvinceName = match
+organizationName    = match
+organizationalUnitName  = optional
+commonName      = supplied
+emailAddress        = optional
+
+[ usr_cert ]
+basicConstraints=CA:FALSE
+nsComment           = "OpenSSL Generated Certificate"
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
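Review bot: The `[ req ]` section has no `x509_extensions` entry, and the one under `[ CA_default ]` applies only to `openssl ca`, so the self-signed certificate produced by `openssl req -new -x509 -config openssl.cnf` carries no configured `basicConstraints` or `keyUsage`. Depending on the OpenSSL version and the verifying library, that gives a root which strict validators will not accept as a CA. Adding a dedicated CA extension section and pointing `[ req ]` at it fixes this. Separately, `crlnumber` and `crl_dir` are referenced here but, from what is visible, nothing in the role's tasks creates them, so revocation would need that set up first.

```ini
[ req ]
distinguished_name = default_name
prompt = no
x509_extensions = v3_ca
# … unchanged: default_name, policy_match, usr_cert …

[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
```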
diff --git a/roles/opensslCA/vars/main.yml b/roles/opensslCA/vars/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..0bc5203ef1468632ec48e625be438db105feed35
--- /dev/null
+++ b/roles/opensslCA/vars/main.yml
@@ -0,0 +1,2 @@
+---
+x509cadir: /var/ca
diff --git a/roles/opensslServer/tasks/main.yml b/roles/opensslServer/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..d49e1a770e7fc29859a9f7bc5ecb30849ad44de8
--- /dev/null
+++ b/roles/opensslServer/tasks/main.yml
@@ -0,0 +1,83 @@
+- include_vars: roles/opensslca/vars/main.yml
+
+- name: install system packages apt
+  apt: name=openssl state=installed update_cache=true
+  sudo: true
+  when: ansible_os_family == 'Debian'
+
+- name: install system packages yum
+  yum: name=openssl state=installed
+  sudo: true
+  when: ansible_os_family == 'RedHat'
+
+- name : make csr dir
+  file: path={{ csrdir }} owner=root group=root state=directory
+  sudo: true
+
+- name : make private dir
+  file: path={{ csrdir }}/private mode=700 owner=root group=root state=directory
+  sudo: true
+
+- name: template openssl.cnf
+  template: dest={{ csrdir }}/openssl.cnf src=openssl_cnf.j2
+  sudo: true
+
+- name: generate key
+  shell: openssl genrsa -out private/key.pem 2048
+  args:
+    chdir: "{{ csrdir }}"
+    creates: private/key.pem
+  sudo: true
+  register: needCert
+
+- name: generate csr
+  shell: openssl req -new -key private/key.pem -out {{ certname }}.csr -days 3650 -config openssl.cnf
+  args:
+    chdir: "{{ csrdir }}"
+    creates: "{{ certname }}.csr"
+  sudo: true
+  when: needCert|changed
+
+#
+# Copy the CSR from the host to localhost, then from localhost to the CA server
+#
+
+
+
+- name: copy csr to localhost
+  shell: scp {{ hostvars[ansible_hostname]['ansible_user_id'] }}@{{ ansible_ssh_host }}:/{{ csrdir }}/{{ certname }}.csr /tmp/{{ certname }}.csr
+  delegate_to: 127.0.0.1
+  when: needCert|changed
+
+- name: echo vars
+  shell: echo {{ causer }}@{{ ca_ssh_host }}
+
+- name: copy csr to CA
+  shell: scp /tmp/{{ certname }}.csr {{ causer }}@{{ ca_ssh_host }}:/tmp/{{ certname }}.csr
+  delegate_to: 127.0.0.1
+  when: needCert|changed
+
+
+#
+# Signing tasks
+# 
+
+- name: sign certs
+  shell: yes | openssl ca -config {{ cadir }}/openssl.cnf -days 3650 -in /tmp/{{ certname }}.csr -out /tmp/{{ certname }}.cert
+  sudo: true
+  delegate_to: "{{ cahost }}"
+  when: needCert|changed
+
+#
+# Copy cert from cahost to localhost then back to ansible_host
+#
+
+- name: copy cert to localhost
+  shell: scp {{ causer }}@{{ ca_ssh_host }}:/tmp/{{ certname }}.cert /tmp/{{ certname }}.cert
+  delegate_to: 127.0.0.1
+  when: needCert|changed
+
+- name: copy cert to ansible_host
+  copy: src=/tmp/{{ certname }}.cert dest={{ csrdir }}/{{ certname }}.cert
+  sudo: True
+  when: needCert|changed
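Review bot: The CSR and the signed certificate are staged under predictable names in `/tmp` on both the control machine and the CA host, and `sign certs` then runs `openssl ca` as root with `yes |` confirming every prompt. Any other local account on the CA host that can place or swap `/tmp/{{ certname }}.csr` before signing gets its own request certified, and root writes the `.cert` output into a world-writable directory. Stage both files in a directory that only root or `causer` can write, move them with the `fetch` and `copy` modules rather than `scp` through `shell`, and use `openssl ca -batch` instead of piping `yes`. Separately, `include_vars: roles/opensslca/vars/main.yml` does not match the `roles/opensslCA` directory added in this commit and will not resolve on a case-sensitive filesystem. The `echo vars` task looks like leftover debugging.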
diff --git a/roles/opensslServer/templates/openssl_cnf.j2 b/roles/opensslServer/templates/openssl_cnf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..735fb3fc90bc322501f75ec9e74afdab4a64ac42
--- /dev/null
+++ b/roles/opensslServer/templates/openssl_cnf.j2
@@ -0,0 +1,10 @@
+[ req ]
+distinguished_name = default_name
+prompt = no
+
+[ default_name ]
+countryName = NA
+stateOrProvinceName = NA
+organizationName    = NA
+commonName = {{ ansible_hostname }}.{{ ansible_domain }}
+
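Review bot: `commonName = {{ ansible_hostname }}.{{ ansible_domain }}` renders with a trailing dot when `ansible_domain` is empty, and the request carries no subjectAltName. If these certificates are meant for TLS, current clients match the host name against the SAN and ignore the CN, so a certificate issued from this request would fail host name verification. Using `commonName = {{ ansible_fqdn }}` and adding a `req_extensions` section with `subjectAltName = DNS:{{ ansible_fqdn }}` covers both. The CA configuration would also have to carry that extension into the signed certificate, which is outside this hunk.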
diff --git a/roles/opensslServer/vars/main.yml b/roles/opensslServer/vars/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..a59154a754144b2e0140fbca554cc750e1294a9f
--- /dev/null
+++ b/roles/opensslServer/vars/main.yml
@@ -0,0 +1,7 @@
+---
+csrdir: /var/x509csr
+certname: "{{ ansible_hostname }}"
+cahost: "{{ groups['x509ca'][0] }}"
+ca_ssh_host: "{{ hostvars[cahost]['ansible_ssh_host'] }}"
+causer: "{{ hostvars[cahost]['ansible_user_id'] }}"
+cadir: "{{ x509cadir }}"
diff --git a/get_or_make_passwd.py b/scripts/get_or_make_passwd.py
similarity index 100%
rename from get_or_make_passwd.py
rename to scripts/get_or_make_passwd.py
diff --git a/scripts/makehosts.py b/scripts/makehosts.py
new file mode 100755
index 0000000000000000000000000000000000000000..6068b13ccc69ab1e83f91edce6bf5c1187d12647
--- /dev/null
+++ b/scripts/makehosts.py
@@ -0,0 +1,27 @@
+#!/usr/bin/python
+import sys
+import json
+filename = sys.argv[1]
+domain = sys.argv[2]
+f=open(filename,'r')
+s=f.read()
+d=json.loads(s)
+f.close()
+hosts={}
+for group in d['groups'].keys():
+    i=0
+    for h in d['groups'][group]:
+        if hosts.has_key(h):
+            hosts[h].append('%s-%s.%s'%(group,i,domain))
+            hosts[h].append('%s-%s'%(group,i))
+            pass
+        else:
+            hosts[h] = ['%s.%s'%(h,domain),'%s-%s.%s'%(group,i,domain),'%s'%h,'%s-%s'%(group,i)]
+        i=i+1
+
+
+for h in hosts.keys():
+    string="%s"%(d['hostvars'][h]['ansible_eth0']['ipv4']['address'])
+    for name in hosts[h]:
+        string=string+" %s"%name
+    print string
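Review bot: `hosts.has_key(h)` and the `print string` statement are Python 2 only, so the script fails under any Python 3 interpreter, and the `#!/usr/bin/python` shebang does not pin which one it gets. `if h in hosts:` and `print(string)` behave the same on both. The address lookup hard-codes `ansible_eth0`, which raises KeyError for a host whose interface has another name; `d['hostvars'][h]['ansible_default_ipv4']['address']` is the more portable fact, provided the dumped hostvars include it. `sys.argv[1]` and `sys.argv[2]` are also read without a length check, so a missing argument ends in a bare IndexError rather than a usage message.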