diff --git a/README.md b/README.md
index de7aad6..16fbfe8 100644
--- a/README.md
+++ b/README.md
@@ -29,6 +29,9 @@ maps: {}
 # force all traffic on ssl, except letsencrypt challenges
 force_ssl: True
 
+# generate a self signed certificate as default ssl cert
+snakeoil_default: False
+
 # install php-fpm, setup a php-handler upstream and copy a php location snippet to include in configs
 # either "False", "True" or a dict *phpconfig*, see below for definition
 php: False
diff --git a/defaults/main.yml b/defaults/main.yml
index 6c5edcc..bfff1c4 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -6,6 +6,7 @@ nginx:
   monitoring: true
   php: false
   force_ssl: true
+  snakeoil_default: false
   upstreams: {}
   vhosts: {}
   maps: {}
diff --git a/tasks/main.yml b/tasks/main.yml
index c21ea5c..d9702b6 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -8,7 +8,7 @@
     name: certificates
   vars:
     certificates:
-      certs: "{{ {}|combine(selfsigned_cert|from_yaml,  nginx_certs, inventory_certs, recursive=True) }}"
+      certs: "{{ {}|combine( (selfsigned_cert|from_yaml if nginx.snakeoil_default else {}),  nginx_certs, inventory_certs, recursive=True) }}"
 
 - debug:
     verbosity: 1