diff --git a/packer/ansible/roles/auth/files/ldapca.pem b/packer/ansible/roles/auth/files/ldapca.pem
new file mode 100644
index 0000000..e3ab2d4
--- /dev/null
+++ b/packer/ansible/roles/auth/files/ldapca.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID5jCCAs6gAwIBAgIJAPtqBuTAclYRMA0GCSqGSIb3DQEBCwUAMIGHMQswCQYD
+VQQGEwJERTEQMA4GA1UECAwHQmF2YXJpYTEWMBQGA1UEBwwNQmFkIFdpbmRzaGVp
+bTETMBEGA1UECgwKRmFiTGFiIE5FQTEWMBQGA1UEAwwNZmFibGFiLW5lYS5kZTEh
+MB8GCSqGSIb3DQEJARYSaW5mb0BmYWJsYWItbmVhLmRlMB4XDTE4MDUxNzE3NDIz
+OFoXDTI4MDIxNDE3NDIzOFowgYcxCzAJBgNVBAYTAkRFMRAwDgYDVQQIDAdCYXZh
+cmlhMRYwFAYDVQQHDA1CYWQgV2luZHNoZWltMRMwEQYDVQQKDApGYWJMYWIgTkVB
+MRYwFAYDVQQDDA1mYWJsYWItbmVhLmRlMSEwHwYJKoZIhvcNAQkBFhJpbmZvQGZh
+YmxhYi1uZWEuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDD8ldQ
+/azjfG6yUPi86f9adQxy4kV/MjSu+VViHILPBYwByB9FpJ9vp6kpTZpWpRk1NHqS
+YYc4MwYNo/bi2hO+b6ZP3D5OGnLdud6X0zHAH9751Svw/4y9CY5a/WrAp/TND7M0
+wpi7SpyMJdJpuPGa53s6hGjIfcFwpF4TJD3UJJZsXghsOsKpq13JRiERZ1BGOJJD
+HPzr6BdWdH40IakNa7PS+ZFdHJ2qTTBinZIjc4lOe5WRK6ZmAB5kZpv3h8vxgpqu
+E6c0IlBu8U+0yQXdxhw98xJ5jwknANROaEWSBqR8tD1LAIARAEbTYWmkmdULnPz3
+Kq86PzZ9ac/vh86TAgMBAAGjUzBRMB0GA1UdDgQWBBRESu5pvADeGZ5BRGep+5g0
+OkulezAfBgNVHSMEGDAWgBRESu5pvADeGZ5BRGep+5g0OkulezAPBgNVHRMBAf8E
+BTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCF5nZ/FORMg9ug+kAWTT4NQMt7YALg
+VCYWg34xWLU7Tk9O6yAoa5O+SABYXIr0oNU7mdqZPeOKTNpOQOeg1RyXB74g3wrP
+gKRjbG3vWG53FLuNfeEhC0hC1ThFy2mXsIvgW0Q+29PoCeipT8Q62/UDx4CZkZBO
+uVJ+jjl7WH/MJJWMJXCxDvqyM12MqlLCkfxiVnRD5XNHRRoVK3gHI07FVnTVEjIb
+SQCsn1DtCJG27xbizLuf1ipYwLvLm+zPKBs6pVqqT6oDbgltaDqzg1dvAZuk4XX8
+DcW65+UEiDe7xXmYUREj0E7FvCNHNY2xZPHGEUUbIOvNZmj836gS1/fR
+-----END CERTIFICATE-----
diff --git a/packer/ansible/roles/auth/tasks/ldap.yml b/packer/ansible/roles/auth/tasks/ldap.yml
index aab6498..dd8926e 100644
--- a/packer/ansible/roles/auth/tasks/ldap.yml
+++ b/packer/ansible/roles/auth/tasks/ldap.yml
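Review bot: The pinned file is a self-signed root CA rather than a leaf certificate — the subject DN (C=DE, O=FabLab NEA, CN=fablab-nea.de) is repeated as the issuer and the authority key identifier equals the subject key identifier — and, if I decode the validity field correctly, it expires on 2028-02-14, after which every image built from this role will stop verifying the LDAP server with no warning. Because libldap and nslcd will accept any server certificate chaining to this CA, whoever holds its private key can impersonate the LDAP server to all hosts built from this role, so the key should live offline and not on the LDAP host. Nothing in the diff records either fact; a short header in the role or README such as `# Self-signed FabLab NEA LDAP CA; notAfter 2028-02-14 — rotate before expiry, CA key kept offline` would make both visible to the next maintainer.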
@@ -4,6 +4,12 @@
     name: "libnss-ldapd"
     state: present
 
+# TODO: remove this step and switch to Let’s encrypt
+- name: add ldap ca cert
+  copy:
+    src: ldapca.pem
+    dest: /etc/ssl/certs/ldapca.pem
+
 - name: add ldap global config
   template:
     src: ldap.conf.j2
diff --git a/packer/ansible/roles/auth/templates/ldap.conf.j2 b/packer/ansible/roles/auth/templates/ldap.conf.j2
index 71964af..5a83fd4 100644
--- a/packer/ansible/roles/auth/templates/ldap.conf.j2
+++ b/packer/ansible/roles/auth/templates/ldap.conf.j2
@@ -4,3 +4,7 @@ URI {{ auth.ldap.protocol }}://{{ auth.ldap.server }}
 #SIZELIMIT 12
 #TIMELIMIT 15
 #DEREF never
+
+# TLS certificates
+# TODO: replace/omit to use system bundle and Let’s encrypt
+TLS_CACERT /etc/ssl/certs/ldapca.pem
diff --git a/packer/ansible/roles/auth/templates/nslcd.conf.j2 b/packer/ansible/roles/auth/templates/nslcd.conf.j2
index 518d7c5..63f0010 100644
--- a/packer/ansible/roles/auth/templates/nslcd.conf.j2
+++ b/packer/ansible/roles/auth/templates/nslcd.conf.j2
@@ -21,6 +21,8 @@ base {{ auth.ldap.base }}
 # SSL options
 ssl start_tls
 #tls_reqcert never
+# TODO: replace with system bundle for Let’s encrypt usage
+tls_cacertfile /etc/ssl/certs/ldapca.pem
 
 # The search scope.
 #scope sub
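Review bot: The new `copy` task sets no `owner`, `group` or `mode`, so the permissions of the trust anchor depend on the controller-side file and the build host's umask; nslcd drops privileges to its own user and libldap clients run as arbitrary users, so the CA must be root-owned and world-readable, and that should be stated rather than assumed: `owner: root`, `group: root`, `mode: "0644"` (quoted, so YAML does not read the octal as an integer). Writing straight into /etc/ssl/certs/ also bypasses update-ca-certificates, which is what the TODO's "system bundle" will eventually need; the conventional Debian path is /usr/local/share/ca-certificates/ldapca.crt followed by `update-ca-certificates`, although the explicit TLS_CACERT/tls_cacertfile references in this commit do work with the current location.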
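Review bot: `TLS_CACERT` is added without a `TLS_REQCERT` line, so whether the pinned CA is actually enforced for libldap clients rests on the library default (`demand` per ldap.conf(5)); since the sibling nslcd template already carries a commented-out `never`, make the policy explicit here so a later relaxation is visible in review: `TLS_REQCERT demand`. Note also that the `URI` line is built from `{{ auth.ldap.protocol }}`; if that renders as `ldap://`, command-line tools using this file will talk plaintext unless invoked with `-ZZ`, because the StartTLS setting lives only in nslcd.conf — worth a one-line comment above `URI`, e.g. `# StartTLS is configured in nslcd.conf; use ldapsearch -ZZ for manual queries`.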
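Review bot: `tls_cacertfile` is added while `tls_reqcert` stays commented out, so server-certificate verification under `ssl start_tls` depends on the default inherited from libldap (demand, as far as I can tell) rather than on anything this template states; add `tls_reqcert demand` directly under the new line so the pinned CA is demonstrably enforced and a future uncomment of `#tls_reqcert never` stands out as a downgrade. With `demand`, the server certificate must also carry `{{ auth.ldap.base }}`'s server name (`auth.ldap.server` from the URI) as a subjectAltName or verification fails at startup, which is worth a comment next to the TODO: `# server cert must chain to ldapca.pem and match the hostname in the URI`.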