diff --git a/manifests/main/files.pp b/manifests/main/files.pp
index 748853b..03b1b83 100644
--- a/manifests/main/files.pp
+++ b/manifests/main/files.pp
@@ -22,5 +22,47 @@ class confdroid_postgresql::main::files (
 content => template('confdroid_postgresql/postgresql.conf.erb'),
 notify => Service[$pl_service],
 }
+ if $pl_ssl_enabled == true {
+ # manage tls certs
+ ## ca.crt
+ file { $pl_ca_crt_file:
+ ensure => file,
+ owner => 'postgres',
+ group => 'postgres',
+ mode => '0400',
+ selrange => s0,
+ selrole => object_r,
+ seltype => postgresql_db_t,
+ seluser => unconfined_u,
+ content => template($pl_ca_crt_erb),
+ notify => Service[$pl_service],
+ }
+ ## server.crt
+ file { $pl_server_crt_file:
+ ensure => file,
+ owner => 'postgres',
+ group => 'postgres',
+ mode => '0400',
+ selrange => s0,
+ selrole => object_r,
+ seltype => postgresql_db_t,
+ seluser => unconfined_u,
+ content => template($pl_server_crt_erb),
+ notify => Service[$pl_service],
+ }
+ ## server.key
+ file { $pl_server_key_file:
+ ensure => file,
+ owner => 'postgres',
+ group => 'postgres',
+ mode => '0400',
+ selrange => s0,
+ selrole => object_r,
+ seltype => postgresql_db_t,
+ seluser => unconfined_u,
+ content => template($pl_server_key_erb),
+ notify => Service[$pl_service],
+ }
+ }
 }
 }
diff --git a/manifests/params.pp b/manifests/params.pp
index 473c40d..4f03388 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
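Review bot: The `file { $pl_server_key_file: ... }` resource renders the private key via `template($pl_server_key_erb)` but leaves `show_diff` and `backup` at their defaults, so when the agent's global show_diff setting is on, the first run and every key rotation print old and new key material into the agent log and report, and the previous key stays readable in the agent's local filebucket after rotation. Add `show_diff => false,` and `backup => false,` to that resource; the two certificate resources are public material and can stay as they are. Since the key arrives as a plain class parameter and becomes file content in the catalog, wrapping the value in `Sensitive` would keep it out of catalog and report output as well — nothing in this hunk marks it sensitive. The enclosing class `confdroid_postgresql::main::files` starts outside the hunk.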
@@ -97,6 +97,12 @@ class confdroid_postgresql::params (
 $pl_bouncer_auth_file = "${pl_bouncer_dir}/userlist.txt"
 $pl_bouncer_auth_erb = 'confdroid_postgresql/server/bouncer/bouncer_users.erb'
 $pl_bouncer_rule_erb = 'confdroid_postgresql/server/bouncer/bouncer_rule.erb'
+ $pl_ca_crt_file = "${pl_data_dir}/ca.crt"
+ $pl_ca_crt_erb = 'confdroid_postgresql/server/ca.crt.erb'
+ $pl_server_crt_file = "${pl_data_dir}/server.crt"
+ $pl_server_crt_erb = 'confdroid_postgresql/server/server.crt.erb'
+ $pl_server_key_file = "${pl_data_dir}/server.key"
+ $pl_server_key_erb = 'confdroid_postgresql/server/server.key.erb'
 
 # Service
 $pl_service = 'postgresql'
diff --git a/templates/postgresql.conf.erb b/templates/postgresql.conf.erb
index b6952da..f316232 100644
--- a/templates/postgresql.conf.erb
+++ b/templates/postgresql.conf.erb
@@ -108,9 +108,9 @@ shared_preload_libraries = '<%= @reqpackages_extensions %>'
 
 <% if @pl_ssl_enabled == true -%>
 ssl = on
-ssl_ca_file = '<%= @pl_data_dir %><%= @pl_ca_crt -%>'
-ssl_cert_file = '<%= @pl_data_dir %><%= @pl_server_crt -%>'
-ssl_key_file = '<%= @pl_data_dir %><%= @pl_server_key -%>'
+ssl_ca_file = '<%= @pl_data_dir %>ca.crt'
+ssl_cert_file = '<%= @pl_data_dir %>server.crt'
+ssl_key_file = '<%= @pl_data_dir %>server.key'
 <% end -%>
 <% if @pl_ssl_enabled != true -%>
 ssl = off
diff --git a/templates/server/ca.crt.erb b/templates/server/ca.crt.erb
new file mode 100644
index 0000000..0a2aaa4
--- /dev/null
+++ b/templates/server/ca.crt.erb
@@ -0,0 +1 @@
+<%= @pl_ca_crt %>
\ No newline at end of file
diff --git a/templates/server/server.crt.erb b/templates/server/server.crt.erb
new file mode 100644
index 0000000..b46eef8
--- /dev/null
+++ b/templates/server/server.crt.erb
@@ -0,0 +1 @@
+<%= @pl_server_crt %>
\ No newline at end of file
diff --git a/templates/server/server.key.erb b/templates/server/server.key.erb
new file mode 100644
index 0000000..4f6e00d
--- /dev/null
+++ b/templates/server/server.key.erb
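Review bot: `$pl_ca_crt_file = "${pl_data_dir}/ca.crt"` (and the two sibling `_file` values) inserts a `/` between the data dir and the file name, while the postgresql.conf.erb hunk in this same commit writes `'<%= @pl_data_dir %>ca.crt'` with no separator; the two only agree when `$pl_data_dir` carries a trailing slash, and then the managed path contains a doubled `//`. If `$pl_data_dir` has no trailing slash, postgresql.conf points at a file Puppet never writes and the server fails to start with ssl = on. Define each path once by having the template read the same variables, `ssl_ca_file = '<%= @pl_ca_crt_file %>'`, `ssl_cert_file = '<%= @pl_server_crt_file %>'`, `ssl_key_file = '<%= @pl_server_key_file %>'`, assuming these params values are visible in the scope that evaluates the template, as `$pl_ca_crt_file` already is in files.pp. The class `confdroid_postgresql::params` starts outside the hunk.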
@@ -0,0 +1 @@
+<%= @pl_server_key %>
\ No newline at end of file