diff --git a/defaults/main.yml b/defaults/main.yml
index 2a63cc9..078e7da 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -38,4 +38,23 @@ mosquitto_acl_file: "{{ mosquitto_base_dir }}/aclfile"
 mosquitto_tls_enabled: False
+mosquitto_tls_ciphers:
+ - DEFAULT
+ - "!aNULL"
+ - "!eNULL"
+ - "!LOW"
+ - "!EXPORT"
+ - "!SSLv2"
+ - "@STRENGTH"
 mosquitto_ca_path: /etc/pki/tls/certs/
+# You can deploy your certificates from a file or from content.
+# If you enable mosquitto_tls_source_use_content you have to put the content of your cert files into
+# mosquitto_tls_cert_file and mosquitto_tls_cert_file.
+mosquitto_tls_source_use_content: False
+# If you enable mosquitto_tls_source_use_files theses variables have to contain the path to your
+# certificate files located on the ansible "master" host
+mosquitto_tls_source_use_files: True
+mosquitto_tls_cert_source: mycert.pem
+mosquitto_tls_key_source: mykey.pem
+mosquitto_tls_cert_file: "{{ mosquitto_base_dir }}/tls/certs/mycert.pem"
+mosquitto_tls_key_file: "{{ mosquitto_base_dir }}/tls/private/mykey.pem"
diff --git a/tasks/main.yml b/tasks/main.yml
index 66e9a65..c527746 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,3 +1,7 @@
 ---
 - import_tasks: install.yml
 - import_tasks: config.yml
+- import_tasks: tls.yml
+ when: mosquitto_tls_enabled
+ tags: tls_renewal
+- import_tasks: post_tasks.yml
diff --git a/tasks/post_tasks.yml b/tasks/post_tasks.yml
new file mode 100644
index 0000000..47874b3
--- /dev/null
+++ b/tasks/post_tasks.yml
@@ -0,0 +1,9 @@
+---
+- name: Ensure mosquitto service is up and running
+ systemd:
+ state: started
+ daemon_reload: yes
+ enabled: yes
+ name: mosquitto
+ become: True
+ become_user: root
diff --git a/tasks/tls.yml b/tasks/tls.yml
new file mode 100644
index 0000000..c1fff32
--- /dev/null
+++ b/tasks/tls.yml
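Review bot: The comment above `mosquitto_tls_source_use_content` names `mosquitto_tls_cert_file` twice and points at the wrong variables: in tasks/tls.yml of this same commit the content copy reads `mosquitto_tls_key_source` and `mosquitto_tls_cert_source` as the PEM content, while `mosquitto_tls_cert_file`/`mosquitto_tls_key_file` are destination paths on the broker host. Suggest `# mosquitto_tls_cert_source and mosquitto_tls_key_source.` as the third comment line, and a note that key material used this way belongs in a vault-encrypted vars file rather than in defaults. Nothing makes the two `mosquitto_tls_source_use_*` switches mutually exclusive; with both set to true both copy tasks in tls.yml run and overwrite each other, so an `assert` in tls.yml (or a single `mosquitto_tls_source: files|content` selector) would be safer. The booleans are spelled `False`/`True`; yamllint's truthy rule expects `false`/`true`.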
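Review bot: Running the role with `--tags tls_renewal` executes only the tagged tls.yml import; the `post_tasks.yml` import carries no tag, and tls.yml registers its copy results without notifying a handler, so after a certificate renewal nothing restarts or reloads mosquitto and the broker keeps serving the old certificate. Either tag the post_tasks import too and make it a `state: restarted` variant when the copy tasks changed something, or have the copy tasks `notify` a restart handler; if such a handler already exists in config.yml it is outside this diff. `when: mosquitto_tls_enabled` on `import_tasks` is applied to every imported task, which appears to be the intent.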
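Review bot: `daemon_reload: yes`, `enabled: yes` and `become: True` mix three YAML 1.1 truthy spellings in a nine-line file; write `true` throughout so yamllint's truthy rule and the rest of the role agree. `become_user: root` is already the default once `become: True` is set and can be dropped. `state: started` only ensures the unit is running; a configuration or certificate change applied earlier in the play is not picked up by this task, which matters for the renewal flow introduced in tasks/main.yml.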
@@ -0,0 +1,43 @@
+---
+- block:
+ - name: Create tls folder structure
+ file:
+ path: "{{ item }}"
+ state: directory
+ owner: root
+ group: root
+ recurse: True
+ with_items:
+ - "{{ mosquitto_tls_cert_path | dirname }}"
+ - "{{ mosquitto_tls_key_path | dirname }}"
+ become: True
+ become_user: root
+
+- block:
+ - name: Copy certs and private key (file)
+ copy:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ mode: "{{ item.mode }}"
+ with_items:
+ - { src: "{{ mosquitto_tls_key_source }}", dest: '{{ mosquitto_tls_key_path }}', mode: '0600' }
+ - { src: "{{ mosquitto_tls_cert_source }}", dest: '{{ mosquitto_tls_cert_path }}', mode: '0750' }
+ loop_control:
+ label: "{{ item.dest }}"
+ register: __mosquitto_certs_file
+ when: mosquitto_tls_source_use_files
+
+ - name: Copy certs and private key (content)
+ copy:
+ content: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ mode: "{{ item.mode }}"
+ with_items:
+ - { src: "{{ mosquitto_tls_key_source }}", dest: '{{ mosquitto_tls_key_path }}', mode: '0600' }
+ - { src: "{{ mosquitto_tls_cert_source }}", dest: '{{ mosquitto_tls_cert_path }}', mode: '0750' }
+ loop_control:
+ label: "{{ item.dest }}"
+ register: __mosquitto_certs_content
+ when: mosquitto_tls_source_use_content
+ become: True
+ become_user: "{{ mosquitto_user }}"
diff --git a/templates/etc/mosquitto/mosquitto.conf.j2 b/templates/etc/mosquitto/mosquitto.conf.j2
index a75f935..efd24c2 100644
--- a/templates/etc/mosquitto/mosquitto.conf.j2
+++ b/templates/etc/mosquitto/mosquitto.conf.j2
@@ -186,6 +186,7 @@ port {{ mosquitto_port }}
 # See also use_identity_as_username.
 #use_username_as_clientid
+{% if mosquitto_tls_enabled %}
 # -----------------------------------------------------------------
 # Certificate based SSL/TLS support
 # -----------------------------------------------------------------
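Review bot: The directory task and both copy tasks reference `mosquitto_tls_key_path` and `mosquitto_tls_cert_path`, but defaults/main.yml in this commit defines `mosquitto_tls_key_file` and `mosquitto_tls_cert_file` (the names the template renders into `keyfile`/`certfile`); unless the `_path` variables are defined somewhere outside this diff, every run with TLS enabled fails on an undefined variable, so either rename the references to `_file` or add the `_path` defaults. The second block runs as `{{ mosquitto_user }}` while the first creates the directories as `root:root` with no explicit `mode`, so the copy will fail with a permission error unless that user is root, and on a `tls_renewal` rerun `recurse: True` resets the ownership of already-deployed key and cert files back to root. `mode: '0750'` on the certificate puts an execute bit on a PEM file; `'0644'` (or `'0640'`) is the usual value, and the `tls/private` directory should be created with `mode: '0700'` so the key is not readable through a world-listable parent. The registered `__mosquitto_certs_file`/`__mosquitto_certs_content` results are never used; a `notify` on the copy tasks would let a renewal actually restart the broker.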
@@ -208,15 +209,15 @@ port {{ mosquitto_port }}
 capath {{ mosquitto_ca_path }}
 # Path to the PEM encoded server certificate.
-#certfile
+certfile {{ mosquitto_tls_cert_file }}
 # Path to the PEM encoded keyfile.
-#keyfile
+keyfile {{ mosquitto_tls_key_file }}
 # This option defines the version of the TLS protocol to use for this listener.
 # The default value allows v1.2, v1.1 and v1.0. The valid values are tlsv1.2
 # tlsv1.1 and tlsv1.
-#tls_version
+tls_version tlsv1.2
 # By default a TLS enabled listener will operate in a similar fashion to a
 # https enabled web server, in that the server has a certificate signed by a CA
@@ -250,7 +251,8 @@ capath {{ mosquitto_ca_path }}
 # ciphers" command and should be provided in the same format as the output of
 # that command.
 # If unset defaults to DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH
-#ciphers DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:@STRENGTH
+ciphers {{ mosquitto_tls_ciphers | join(':') }}
+{% endif %}
 # -----------------------------------------------------------------
 # Pre-shared-key based SSL/TLS support
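Review bot: `tls_version tlsv1.2` is hard-coded while `ciphers` on the same listener is driven by `mosquitto_tls_ciphers`; rendering it as `tls_version {{ mosquitto_tls_version }}` with `mosquitto_tls_version: "tlsv1.2"` added to defaults/main.yml keeps the two settings consistent and lets operators raise the protocol version without editing the template. The comment kept above it still says the default allows v1.0 and lists only tlsv1.2/tlsv1.1/tlsv1 as valid; whether this directive pins exactly one version or sets a minimum depends on the mosquitto release, so the comment should state which behavior the role relies on.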
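Review bot: `ciphers {{ mosquitto_tls_ciphers | join(':') }}` renders a bare `ciphers` directive when the list is overridden to `[]`, which is a broker config error rather than the "falls back to the default" behavior the comment above promises; wrap the directive in `{% if mosquitto_tls_ciphers %}` … `{% endif %}`, or document in defaults that the list must not be empty. The `{% endif %}` added here closes the `{% if mosquitto_tls_enabled %}` opened in the earlier hunk, so the whole certificate section, including the `capath` line between the two hunks, is dropped when TLS is disabled, which is worth a one-line comment at the opening tag.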