diff --git a/group_vars/re2o_ldap_replica.yml b/group_vars/re2o_ldap_replica.yml
index f2919b5e2eae320d298cb0740f898e96644fe25b..474f735afddfa8c18251fb466caa3eb6c82486db 100644
--- a/group_vars/re2o_ldap_replica.yml
+++ b/group_vars/re2o_ldap_replica.yml
@@ -6,3 +6,5 @@ glob_re2o_ldap_replica:
   suffix: dc=crans,dc=org
   url: "ldaps://{{ query('ldap', 'ip', 're2o-ldap', 'adm') | ipv4 | first }}:636"
   root_password_hash: "{{ vault.ldap_master_password_hash }}"
+  certificate: "{{ vault.ldap_re2o_certificate }}"
+  private_key: "{{ vault.ldap_re2o_private_key }}"
diff --git a/roles/re2o-ldap-replica/handlers/main.yml b/roles/re2o-ldap-replica/handlers/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..ce4f0cdd0cef1579e24d8d8ab08ce91ca848fab5
--- /dev/null
+++ b/roles/re2o-ldap-replica/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart slapd
+  service:
+    name: slapd.service
+    state: restarted
diff --git a/roles/re2o-ldap-replica/tasks/main.yml b/roles/re2o-ldap-replica/tasks/main.yml
index e16c438f27a300f333e96307ddf8fe60f02fee7d..bbd6033a882c547db74bbc89481c5cb5e3451ef7 100644
--- a/roles/re2o-ldap-replica/tasks/main.yml
+++ b/roles/re2o-ldap-replica/tasks/main.yml
@@ -42,10 +42,10 @@
     - /etc/ldap/slapd.d
     - /var/lib/ldap
 
-- name: Copy ldiff files
+- name: Copy ldif files
   template:
-    src: 'ldap/{{ item }}.ldiff.j2'
-    dest: '/tmp/{{ item }}.ldiff'
+    src: 'ldap/{{ item }}.ldif.j2'
+    dest: '/tmp/{{ item }}.ldif'
     owner: openldap
     group: openldap
     mode: 0600
@@ -53,15 +53,16 @@
     - db
     - schema
     - consumer_simple_sync
+    - certinfo
 
 - name: Initialize re2o-ldap schema
   when: not installation.stat.exists
-  shell: slapadd -n 0 -l /tmp/schema.ldiff -F /etc/ldap/slapd.d/
+  shell: slapadd -n 0 -l /tmp/schema.ldif -F /etc/ldap/slapd.d/
   become_user: openldap
 
 - name: Initialize re2o-ldap database
   when: not installation.stat.exists
-  shell: slapadd -n 1 -l /tmp/db.ldiff
+  shell: slapadd -n 1 -l /tmp/db.ldif
   become_user: openldap
 
 - name: Start slapd
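Review bot: The two slapadd tasks on L49 and L55 still use `shell:` although the command line has no pipes, redirects or variables that need a shell; `command: slapadd -n 0 -l /tmp/schema.ldif -F /etc/ldap/slapd.d/` (and likewise for the `-n 1` line) runs the same binary without going through /bin/sh and keeps ansible-lint quiet. The same applies to the new `ldapmodify` task in the next hunk. Both tasks remain gated on the installation marker, so idempotence is unchanged.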
@@ -72,7 +73,30 @@
 
 - name: Enable data replication
   when: not installation.stat.exists
-  shell: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /tmp/consumer_simple_sync.ldiff
+  shell: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /tmp/consumer_simple_sync.ldif
+
+- name: Copy TLS certificate
+  template:
+    src: "ldap/{{ item }}.j2"
+    dest: "/etc/ldap/{{ item }}"
+    owner: openldap
+    group: openldap
+    mode: 0600
+  loop:
+    - ldap.pem
+    - ldap.key
+
+- name: Load TLS certificates
+  when: not installation.stat.exists
+  shell: ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/certinfo.ldif
+
+- name: Enable LDAPS
+  lineinfile:
+     path: /etc/default/slapd
+     regexp: '^SLAPD_SERVICES='
+     line: 'SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"'
+  notify: Restart slapd
+  check_mode: no
 
 - name: Touch installation marker
   when: not installation.stat.exists
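Review bot: The `Copy TLS certificate` task on L66-L75 writes the private key to /etc/ldap/ldap.key but neither notifies the restart handler nor suppresses logging, so a rotated key or certificate is not picked up by the running slapd until something else restarts it, and the key material is printed on `--diff`/verbose runs; add `notify: Restart slapd` and `no_log: true` to that task, as the `Enable LDAPS` task below already notifies. The `lineinfile` arguments on L83-L85 are indented five spaces where the rest of the file uses two, and `check_mode: no` on L87 should be the canonical `check_mode: false` — note it also forces the edit of /etc/default/slapd during check-mode runs, which is presumably deliberate. The `Load TLS certificates` task must stay gated on the installation marker, because the `add:` changes in certinfo.ldif fail once the attributes exist in cn=config.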
diff --git a/roles/re2o-ldap-replica/templates/ldap/certinfo.ldif.j2 b/roles/re2o-ldap-replica/templates/ldap/certinfo.ldif.j2
new file mode 100644
index 0000000000000000000000000000000000000000..9e1d6b51cfcae3eb8a8ecdb1eac1ee03986a746e
--- /dev/null
+++ b/roles/re2o-ldap-replica/templates/ldap/certinfo.ldif.j2
@@ -0,0 +1,6 @@
+dn: cn=config
+add: olcTLSCertificateFile
+olcTLSCertificateFile: /etc/ldap/ldap.pem
+-
+add: olcTLSCertificateKeyFile
+olcTLSCertificateKeyFile: /etc/ldap/ldap.key
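Review bot: The entry relies on ldapmodify's default operation, since no `changetype: modify` line follows `dn: cn=config` on L97; adding `changetype: modify` explicitly documents the intent and keeps the file valid if it is ever passed to ldapadd or `ldapmodify -a`. If `vault.ldap_re2o_certificate` holds a leaf certificate without its chain, clients will also need an `olcTLSCACertificateFile` entry — worth confirming what the vault value contains. The file carries a .j2 suffix but has no Jinja expressions; either drop the template step or derive the two paths from the `dest` of the copy task so they are defined once.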
diff --git a/roles/re2o-ldap-replica/templates/ldap/consumer_simple_sync.ldiff.j2 b/roles/re2o-ldap-replica/templates/ldap/consumer_simple_sync.ldif.j2
similarity index 100%
rename from roles/re2o-ldap-replica/templates/ldap/consumer_simple_sync.ldiff.j2
rename to roles/re2o-ldap-replica/templates/ldap/consumer_simple_sync.ldif.j2
diff --git a/roles/re2o-ldap-replica/templates/ldap/db.ldiff.j2 b/roles/re2o-ldap-replica/templates/ldap/db.ldif.j2
similarity index 100%
rename from roles/re2o-ldap-replica/templates/ldap/db.ldiff.j2
rename to roles/re2o-ldap-replica/templates/ldap/db.ldif.j2
diff --git a/roles/re2o-ldap-replica/templates/ldap/ldap.key.j2 b/roles/re2o-ldap-replica/templates/ldap/ldap.key.j2
new file mode 100644
index 0000000000000000000000000000000000000000..1dc6da0ca8f682be4727c0395fb680fad31cbc81
--- /dev/null
+++ b/roles/re2o-ldap-replica/templates/ldap/ldap.key.j2
@@ -0,0 +1 @@
+{{ re2o_ldap_replica.private_key }}
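Review bot: The template reads `re2o_ldap_replica.private_key` while the group_vars hunk defines the new keys under `glob_re2o_ldap_replica` (L5, L9-L10); unless the role derives the former from the latter elsewhere, as the existing `url` and `root_password_hash` keys presumably do, this renders as undefined and the play fails. The same prefix is used by ldap.pem.j2 on L124. For a verbatim PEM blob a `copy` task with `content: "{{ re2o_ldap_replica.private_key }}"` would avoid a template file whose only content is the expression, but the template approach works as long as the variable is defined.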
diff --git a/roles/re2o-ldap-replica/templates/ldap/ldap.pem.j2 b/roles/re2o-ldap-replica/templates/ldap/ldap.pem.j2
new file mode 100644
index 0000000000000000000000000000000000000000..71d67e1ab8360ed865a8ea1b3868930d25089a1d
--- /dev/null
+++ b/roles/re2o-ldap-replica/templates/ldap/ldap.pem.j2
@@ -0,0 +1 @@
+{{ re2o_ldap_replica.certificate }}
diff --git a/roles/re2o-ldap-replica/templates/ldap/schema.ldiff.j2 b/roles/re2o-ldap-replica/templates/ldap/schema.ldif.j2
similarity index 100%
rename from roles/re2o-ldap-replica/templates/ldap/schema.ldiff.j2
rename to roles/re2o-ldap-replica/templates/ldap/schema.ldif.j2