diff --git a/defaults/main.yml b/defaults/main.yml
index 4ed2368..bfa39d7 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -2,3 +2,6 @@
 nginx_open_ports:
 - 80
 - 443
+ssl_priv_key: ""
+ssl_intermediate_cert: ""
+ssl_chained_cert: ""
diff --git a/tasks/config.yml b/tasks/config.yml
index 3cdd1b6..93c5709 100644
--- a/tasks/config.yml
+++ b/tasks/config.yml
@@ -80,6 +80,30 @@
 notify:
 - nginx_restart
+- name: Copy ssl chained certs
+ copy:
+ content: '{{ ssl_chained_cert }}'
+ dest: /etc/pki/tls/certs/my-chained.crt
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Copy ssl intermediate cert
+ copy:
+ content: '{{ ssl_intermediate_cert }}'
+ dest: /etc/pki/tls/certs/my-intermediate.crt
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Copy ssl private key
+ copy:
+ content: '{{ ssl_priv_key }}'
+ dest: /etc/pki/tls/private/my-private.key
+ owner: root
+ group: root
+ mode: 0600
+
 - name: Open ports in iptables
 iptables_raw:
 name: allow_nginx_ports
diff --git a/templates/etc/nginx/conf.d/header.conf.j2 b/templates/etc/nginx/conf.d/header.conf.j2
index 57a58e4..8b22154 100644
--- a/templates/etc/nginx/conf.d/header.conf.j2
+++ b/templates/etc/nginx/conf.d/header.conf.j2
@@ -1,4 +1,5 @@
 # {{ ansible_managed }}
+# default header settings
 add_header Strict-Transport-Security max-age=63072000;
 add_header X-Frame-Options DENY;
 add_header X-Content-Type-Options nosniff;
diff --git a/templates/etc/nginx/conf.d/tls.conf.j2 b/templates/etc/nginx/conf.d/tls.conf.j2
new file mode 100644
index 0000000..19cebc3
--- /dev/null
+++ b/templates/etc/nginx/conf.d/tls.conf.j2
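Review bot: `ssl_priv_key`, `ssl_intermediate_cert` and `ssl_chained_cert` default to `""` with no comment saying what they hold or where they should come from, and the copy tasks added in `tasks/config.yml` in this same commit write them to disk unconditionally, so a user who does not override them gets an empty `/etc/pki/tls/private/my-private.key` and an nginx that fails to start once `tls.conf.j2` references it. Add a comment above the three keys such as `# PEM text of the TLS private key and certificates; set from ansible-vault or an external secret store, never in plain group_vars — an empty value writes an empty file`, and in the copy tasks guard each one with `when: ssl_priv_key | length > 0` (same for the other two variables) so the default is a clean no-op rather than a broken install.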
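Review bot: The `Copy ssl private key` task renders `{{ ssl_priv_key }}` through `copy` without `no_log: true`, so the key material can appear in play output and in `--diff` output, and none of the three new copy tasks notifies the `nginx_restart` handler that the hunk's context shows the preceding task (whose body starts outside the hunk) using, so a rotated certificate or key is written to disk but nginx keeps serving the old one until something else restarts it. The `mode: 0644` / `mode: 0600` values are unquoted octal literals; Ansible's loader accepts them, but ansible-lint's risky-octal rule flags them and a quoted string is unambiguous, so write `mode: "0600"`. The rewrite below shows the private-key task; the two certificate tasks get the same `notify` block.
```yaml
- name: Copy ssl private key
  copy:
    # … unchanged: content / dest / owner / group …
    mode: "0600"
  no_log: true
  notify:
    - nginx_restart
```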
@@ -0,0 +1,16 @@
+# {{ ansible_managed }}
+# certificate settings
+ssl_certificate_key /etc/pki/tls/private/my-private.key;
+ssl_certificate /etc/pki/tls/certs/my-chained.crt;
+
+ssl_ciphers 'AES256+EECDH:AES256+EDH:!aNULL';
+
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_session_cache shared:SSL:10m;
+
+ssl_stapling on;
+ssl_stapling_verify on;
+ssl_trusted_certificate /etc/pki/tls/certs/my-intermediate.crt;
+
+ssl_prefer_server_ciphers on;
+ssl_dhparam /etc/nginx/cert/dhparam.pem;
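Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` enables TLS 1.0 and 1.1, which RFC 8996 deprecates and which current compliance baselines reject; change it to `ssl_protocols TLSv1.2;` (add `TLSv1.3` if the target nginx/OpenSSL build supports it). `ssl_dhparam /etc/nginx/cert/dhparam.pem;` points at a file that nothing in this diff creates, and `AES256+EDH` in `ssl_ciphers` means DHE suites are offered, so on a fresh host nginx will fail its config test unless another task provisions that file — either generate it in the role (for example with the `openssl_dhparam` module) or drop the DHE suites together with the directive. `ssl_trusted_certificate` is given only the intermediate certificate; OCSP stapling verification generally needs the chain up to the root, so presumably `ssl_intermediate_cert` is expected to hold the full chain — confirm against the target CA and document it in the template comment. Consider also `ssl_session_tickets off;` next to the shared session cache, since long-lived ticket keys otherwise weaken forward secrecy.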