diff --git a/README.md b/README.md
index ec4694f..88e7e5e 100644
--- a/README.md
+++ b/README.md
@@ -85,6 +85,11 @@ challangeserver: []
 #### Selfsigned
+```
+# how long should the certificate be valid?
+not_after: "+3650d"
+```
+
 ## Paths
 Certificates are stored at a defined location:
diff --git a/defaults/main.yml b/defaults/main.yml
index 7658ade..d21ddb2 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -4,7 +4,8 @@ certificates:
 remainingdays: 28
 challange: dns-01
 challangeserver: []
- selfsigned: ~
+ selfsigned:
+ not_after: "+3650d"
 defaults:
 country: "SU"
 province: "CYBER"
diff --git a/tasks/common_cert.yml b/tasks/common_cert.yml
index 6e29850..e0c4e6a 100644
--- a/tasks/common_cert.yml
+++ b/tasks/common_cert.yml
@@ -18,6 +18,9 @@
 - debug:
 verbosity: 1
 var: cert_backend
+- debug:
+ verbosity: 1
+ var: certificates.certs[certname]
 - name: "generate key for {{ certname }}"
 openssl_privatekey:
diff --git a/tasks/main.yml b/tasks/main.yml
index dfd4580..3b7bec6 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -16,6 +16,10 @@
 owner: root
 group: ssl-cert
+- debug:
+ verbosity: 2
+ var: certificates
+
 - import_tasks: letsencrypt_setup.yml
 - include_tasks: "{{ certificates.certs[certname].backend|default(certificates.defaults.backend) }}_cert.yml"
 loop: "{{ certificates.certs.keys()|list }}"
diff --git a/tasks/selfsigned_cert.yml b/tasks/selfsigned_cert.yml
new file mode 100644
index 0000000..7c8a81f
--- /dev/null
+++ b/tasks/selfsigned_cert.yml
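Review bot: The new `selfsigned.not_after: "+3650d"` default issues ten-year self-signed certificates, which is long for a TLS server certificate: some clients (Apple platforms, for instance) reject leaf certificates whose validity exceeds roughly 825 days, and a key pair that lives a decade is in practice never rotated. Consider a shorter default such as `not_after: "+825d"`, and state in the README comment that the value uses the relative-timestamp syntax accepted by `openssl_certificate`'s `selfsigned_not_after`. The removed `selfsigned: ~` value left this key null; if a per-certificate override can still set `selfsigned` to null, the `cert_backend.not_after` reference in tasks/selfsigned_cert.yml would fail on an undefined attribute, so a `| default('+3650d')` there may be worth adding — how `cert_backend` is derived is outside this diff.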
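Review bot: The added `debug` with `var: certificates` prints the entire certificates structure whenever the role runs under `-vv`, and verbose CI logs are a common place for configuration to leak. Nothing in this hunk shows credentials inside that dict, but if `challangeserver` or a per-certificate entry ever carries a token or key, it would be written to the log; printing only what is needed, e.g. `msg: "{{ certificates.certs.keys() | list }}"`, keeps the diagnostic without dumping the whole mapping.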
@@ -0,0 +1,39 @@
+- include_tasks: common_cert.yml
+
+- name: "sign certificate for {{ certname }}"
+ register: selfsignedsign
+ openssl_certificate:
+ path: "{{ cert.certpath }}"
+ privatekey_path: "{{ cert.keypath }}"
+ csr_path: "{{ cert.csrpath }}"
+ provider: selfsigned
+ selfsigned_not_after: "{{ cert_backend.not_after }}"
+
+- name: "generate concatinated versions (chain) for {{ certname }}"
+ shell: "umask 0137; cat {{ cert.certpath }} > {{ cert.chainpath }}"
+ args:
+ creates: "{{ cert.chainpath }}"
+
+- name: "set permission for concatinated versions (chain) for {{ certname }}"
+ file:
+ path: "{{ cert.chainpath }}"
+ mode: 0644
+ owner: root
+ group: ssl-cert
+
+- name: "generate concatinated versions (full) for {{ certname }}"
+ shell: "umask 0137; cat {{ cert.chainpath }} {{ cert.keypath }} > {{ cert.fullpath }}"
+ args:
+ creates: "{{ cert.fullpath }}"
+
+- name: "set permissions for concatinated versions (full) for {{ certname }}"
+ file:
+ path: "{{ cert.fullpath }}"
+ mode: 0640
+ owner: root
+ group: ssl-cert
+
+- set_fact:
+ certchanged: "{{ selfsignedsign is changed }}"
+- name: handle postflight
+ include: common_post.yml
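Review bot: The chain and full files go stale once the certificate is re-signed: both `cat` tasks are guarded by `creates:`, so after `{{ cert.chainpath }}` and `{{ cert.fullpath }}` exist they are never rewritten even when the `sign certificate` task regenerates `{{ cert.certpath }}` (for example after the old one expires), leaving whatever reads the concatenated files on the old certificate while `certchanged` reports a change. Replacing the `args:`/`creates:` pair on both tasks with `when: selfsignedsign is changed` rebuilds the files exactly when the certificate changed and still creates them on the first run (a certificate that pre-existed outside this role would need a one-off `stat` check). Two smaller points: the `shell` commands interpolate the paths unquoted, so a `certname` containing spaces or shell metacharacters would break or be interpreted — `{{ cert.certpath | quote }}` and friends avoid that — and `mode: 0644` / `mode: 0640` are better written as strings (`mode: "0644"`) so YAML does not turn them into integers. The `umask 0137` is a good touch, since the full file carries the private key and is never world-readable even before the `file` task runs.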