diff --git a/README.md b/README.md index 614ce5c..2788fe0 100644 --- a/README.md +++ b/README.md @@ -145,6 +145,8 @@ Note that this functionality requires at least Cockpit version 257, i.e. RHEL ### Generate a new certificate +#### Generate a new certificate in the playbook + For generating a new certificate for Cockpit it is recommended to use the [linux-system-roles.certificate role](https://github.com/linux-system-roles/certificate/). If your machines are joined to a FreeIPA domain, or you use certmonger in a different mode already, generate a certificate with: ```yaml @@ -170,6 +172,35 @@ You can also use `ca: self-sign` or `ca: local` depending on your certmonger usa Note that this does *not* work on RHEL/CentOS 7. +#### Generate a new certificate in the role + +You can also use the `certificate` role inside the `cockpit` role to create +certificates by providing `cockpit_certificates`. + +Use the `cockpit_certificates` variable to generate certificate and private key +for TLS encryption using the `fedora.linux_system_roles.certificate`. + +The value of `cockpit_certificates` is set to the variable `certificate_requests` +defined in the `certificate` role. +For more information, see the `certificate_requests` section in the `certificate` +role documentation. + +When you set `cockpit_certificates`, you must not set `cockpit_private_key` and +`cockpit_cert` variables. + +This example installs the Cockpit with the Cockpit web server certificate. +```yaml + - name: Install cockpit with Cockpit web server certificate + include_role: + name: linux-system-roles.cockpit + vars: + cockpit_certificates: + - name: monger-cockpit + dns: ['localhost', 'www.example.com'] + ca: ipa + group: cockpit-ws +``` + ## Example Playbooks The most simple example. ```yaml diff --git a/defaults/main.yml b/defaults/main.yml index 5fccdb0..04f8651 100644 --- a/defaults/main.yml +++ b/defaults/main.yml 
@@ -23,3 +23,6 @@ cockpit_manage_firewall: no # If yes, manage the cockpit ports using the selinux role. cockpit_manage_selinux: no + +# pass to the certificate_requests variable of the certificate role. +cockpit_certificates: [] diff --git a/tasks/main.yml b/tasks/main.yml index aee7476..697b6bb 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -79,6 +79,23 @@ when: cockpit_config is defined notify: restart cockpit +- name: Create certificates + when: + - cockpit_certificates | length > 0 + - ansible_facts['os_family'] == 'RedHat' + block: + - name: Create certificates using the certificate role + include_role: + name: fedora.linux_system_roles.certificate + vars: + __cert_name: "{{ cockpit_certificates.0.name | basename }}" + certificate_requests: "{{ cockpit_certificates }}" + + - name: Set cockpit_cert and cockpit_private_key + set_fact: + cockpit_cert: "/etc/pki/tls/certs/{{ cockpit_certificates.0.name }}.crt" + cockpit_private_key: "/etc/pki/tls/private/{{ cockpit_certificates.0.name }}.key" + - name: Link to configured existing certificate file: src: "{{ cockpit_cert }}" diff --git a/tests/tests_certificate2.yml b/tests/tests_certificate2.yml new file mode 100644 index 0000000..2cee09c --- /dev/null +++ b/tests/tests_certificate2.yml 
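Review bot: The comment on the new `cockpit_certificates` default only says the value is passed through; it should state the contract the tasks in this commit build on, because a caller cannot see it from defaults/main.yml alone. The tasks use only the first entry's `name` to derive the `cockpit_cert`/`cockpit_private_key` paths under /etc/pki/tls, run only on the RedHat os_family, and the README in this commit says the variable must not be combined with `cockpit_cert`/`cockpit_private_key`. Suggested wording: `# List of certificate_requests entries handed to the certificate role (RedHat family only).` followed by `# The first entry's name selects the cockpit_cert/cockpit_private_key paths; do not set those variables together with this one.`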
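Review bot: `__cert_name` is declared in the include_role `vars:` but nothing in this hunk reads it, and the set_fact task repeats `cockpit_certificates.0.name` without the `basename` filter, so the path cockpit-ws is pointed at can differ from what the certificate role was asked to create whenever a name carries a directory component. Lifting `__cert_name` to a `vars:` on the block and using it in both places keeps one source of truth, and a comment should say that only the first list entry decides `cockpit_cert`/`cockpit_private_key`. The README in this commit says those two variables must not be set together with `cockpit_certificates`, but nothing enforces it — the set_fact silently overwrites a user-supplied value; an `assert` at the top of the block makes the conflict visible (adjust the condition if `cockpit_cert` has a default in defaults/main.yml, which is outside this hunk). The `os_family == 'RedHat'` condition also turns the whole block into a silent no-op on other families, leaving `cockpit_cert` unset for the `Link to configured existing certificate` task below; failing with a message there would be clearer. The surrounding task list continues outside the hunk.
```yaml
- name: Create certificates
  # … unchanged: when: conditions …
  vars:
    # only the first request decides which files cockpit-ws is pointed at
    __cert_name: "{{ cockpit_certificates.0.name | basename }}"
  block:
    - name: Fail if cockpit_cert or cockpit_private_key were also given
      assert:
        that:
          - cockpit_cert is not defined
          - cockpit_private_key is not defined
        fail_msg: cockpit_certificates cannot be combined with cockpit_cert/cockpit_private_key

    - name: Create certificates using the certificate role
      include_role:
        name: fedora.linux_system_roles.certificate
      vars:
        certificate_requests: "{{ cockpit_certificates }}"

    - name: Set cockpit_cert and cockpit_private_key
      set_fact:
        cockpit_cert: "/etc/pki/tls/certs/{{ __cert_name }}.crt"
        cockpit_private_key: "/etc/pki/tls/private/{{ __cert_name }}.key"
```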
@@ -0,0 +1,62 @@ +--- +- name: Install cockpit + hosts: all + vars: + cockpit_packages: minimal + cockpit_certificates: + - name: cockpit_cert + dns: ['localhost', 'www.example.com'] + ca: self-sign + group: cockpit-ws + roles: + - linux-system-roles.cockpit + +- name: Verify self-signed certmonger certificate created by the certificate role + hosts: all + vars: + cert_name: cockpit_cert + tasks: + - name: tests + block: + - name: Collect installed package versions + package_facts: + + - name: Check if cockpit is new enough (at least 211) to support certmonger + when: ansible_facts.packages['cockpit-ws'][0].version | int >= 211 + block: + # + # Validate installation + # + - name: test - cockpit works with TLS and expected certificate + command: + cmd: curl --cacert "/etc/pki/tls/certs/{{ cert_name }}.crt" https://localhost:9090 + # ansible 2.11's uri module has ca_path, but that's still too new for us + warn: false + changed_when: false + + - name: test - get certmonger tracking status + command: getcert list --tracking-only -f "/etc/pki/tls/certs/{{ cert_name }}.crt" + register: result + changed_when: false + + - name: test - ensure certificate generation succeeded + assert: + that: "'status: MONITORING' in result.stdout" + + - name: test - clean up tracked certificate + command: getcert stop-tracking -f "/etc/pki/tls/certs/{{ cert_name }}.crt" + changed_when: false + + always: + - name: test - clean up generated certificate + file: + path: "/etc/pki/tls/certs/{{ cert_name }}.crt" + state: absent + + - name: test - clean up generated private key + file: + path: "/etc/pki/tls/private/{{ cert_name }}.key" + state: absent + + - name: test - generic cleanup + include_tasks: tasks/cleanup.yml
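Review bot: `getcert stop-tracking` sits inside the conditional block after the assert, so when the curl, the `getcert list` or the assert fails — or when the cockpit-ws version check skips the block entirely — the `always:` section deletes the certificate and key while certmonger keeps tracking the request and can re-issue them into the path that was just removed. Move the `test - clean up tracked certificate` task to the start of `always:`, adding `failed_when: false` so a request that was never tracked does not mask the real failure. `warn: false` on the command module was removed in ansible-core 2.14 if I recall correctly, so this play will stop parsing there; dropping it, or stating the supported ansible range in the comment next to it, is worth deciding now. The certificate name is spelled twice, once in `cockpit_certificates.0.name` and once as `cert_name`; deriving one from the other keeps the verify play from drifting away from what the first play created.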