diff --git a/files/setup-le.sh b/files/setup-le.sh
new file mode 100644
index 0000000..811f056
--- /dev/null
+++ b/files/setup-le.sh
@@ -0,0 +1,24 @@
+FQDN=$(hostname -f)
+mkdir -p "/etc/ssl/$FQDN"
+
+#get x1 root
+curl -o "/etc/ssl/$FQDN/x1.der" "https://x1.i.lencr.org"
+openssl x509 -inform der -in /etc/ssl/$FQDN/x1.der -out /etc/ssl/$FQDN/x1.pem
+
+#get x2 root
+curl -o "/etc/ssl/$FQDN/x2.der" "https://x2.i.lencr.org"
+openssl x509 -inform der -in /etc/ssl/$FQDN/x2.der -out /etc/ssl/$FQDN/x2.pem
+
+#get issuer
+openssl x509 -noout -text -in crt.pem | grep i.lencr.org | grep -Po http.+
+issuer=`openssl x509 -noout -text -in /etc/letsencrypt/live/$FQDN/fullchain.pem | grep Issuer | grep Encrypt | grep -Po "(?<=CN=).*" | tr '[:upper:]' '[:lower:]'`
+
+curl -o "/etc/ssl/$FQDN/$issuer.der" "https://$issuer.i.lencr.org"
+openssl x509 -inform der -in /etc/ssl/$FQDN/$issuer.der -out /etc/ssl/$FQDN/$issuer.pem
+
+
+ipa-cacert-manage install "/etc/ssl/$FQDN/x1.pem"
+ipa-cacert-manage install "/etc/ssl/$FQDN/x2.pem"
+ipa-cacert-manage install "/etc/ssl/$FQDN/$issuer.pem"
+
+ipa-certupdate
\ No newline at end of file
diff --git a/tasks/main.yml b/tasks/main.yml
index ab0b754..0ecb4f2 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -25,6 +25,11 @@
 src: files/replicate.sh
 dest: /scripts/replicate.sh
 
+- name: deploy letsencrypt setup script
+  ansible.builtin.copy:
+    src: files/setup-le.sh
+    dest: /scripts/setup-le.sh
+
 #this should be moved to dedicated selinux role down the road
 - name: Disable SELinux
 ansible.posix.selinux:
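Review bot: The script has no `set -euo pipefail` and none of the `curl -o` calls pass `-f`, so an HTTP error page is written into the `.der` file, the following `openssl x509` fails, and the script still proceeds to `ipa-cacert-manage install` and `ipa-certupdate` — for a script that installs trust anchors, any failed step should abort before the install lines are reached. The `issuer` value is scraped from `-text` output with `(?<=CN=)`, which on OpenSSL 1.1 and later (whose `-text` prints `CN = R3` with spaces around `=`) matches nothing, leaving an empty `$issuer` that is then spliced into the hostname `https://.i.lencr.org` and the filename `.der`; derive it with `-issuer -nameopt RFC2253` instead and validate it against a strict pattern before it becomes part of a URL or a path. The line `openssl x509 -noout -text -in crt.pem | grep i.lencr.org | grep -Po http.+` reads a relative `crt.pem` and discards its output, so it looks like a leftover to drop. The unquoted `$FQDN` in the `openssl -in`/`-out` arguments should be quoted and the backticks replaced with `$(…)`, and a shebang is missing at the top of the file.
```shell
#!/usr/bin/env bash
set -euo pipefail
FQDN=$(hostname -f)
# … unchanged: mkdir, x1/x2 download and conversion (add -fsSL to each curl) …
# Issuer CN of the leaf; -issuer/-nameopt does not depend on the spacing of -text output.
issuer=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "/etc/letsencrypt/live/$FQDN/fullchain.pem" \
  | grep -Po '(?<=CN=)[^,]+' | tr '[:upper:]' '[:lower:]')
# Refuse anything that is not a plain label before it is used as a hostname and a filename.
[[ "$issuer" =~ ^[a-z0-9]+$ ]] || { printf 'unexpected issuer CN: %s\n' "$issuer" >&2; exit 1; }
curl -fsSL -o "/etc/ssl/$FQDN/$issuer.der" "https://$issuer.i.lencr.org"
openssl x509 -inform der -in "/etc/ssl/$FQDN/$issuer.der" -out "/etc/ssl/$FQDN/$issuer.pem"
# … unchanged: ipa-cacert-manage install lines, ipa-certupdate …
```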
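Review bot: The new copy task sets no `mode`, `owner` or `group`, so `/scripts/setup-le.sh` gets whatever the target's default permissions yield, and since the deployed script installs CA trust anchors as root it should be pinned down with `mode: '0700'`, `owner: root` and `group: root`. The neighbouring replicate.sh task, whose start is outside the hunk, appears to follow the same pattern and presumably wants the same treatment. Nothing in this hunk executes the script and the script itself has no shebang, so how it is meant to be invoked is not visible from this change.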