diff --git a/CHANGELOG.md b/CHANGELOG.md
index bb526f88..13212732 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,6 +18,7 @@ fail2ban: separate task to update IP whitelist
 nginx: add tag for ips management
 nginx: separate task to update IP whitelist
 postfix: enable SSL/TLS client
+ssl: add an SSL role for certificates deployment
 ### Changed
 evomaintenance: update script from upstream
diff --git a/ssl/README.md b/ssl/README.md
new file mode 100644
index 00000000..d7894047
--- /dev/null
+++ b/ssl/README.md
@@ -0,0 +1,9 @@
+# ssl
+
+Deploy SSL certificate, key, dhparams and concatenate them when needed (eg. with Haproxy).
+
+## Available variables
+
+* `ssl_cert`: name of SSL certificate which is going to be deployed
+
+eg. `ssl_cert: "example.com"` deploy files/ssl/example.com.{pem|key|dhp}
diff --git a/ssl/meta/main.yml b/ssl/meta/main.yml
new file mode 100644
index 00000000..11377af9
--- /dev/null
+++ b/ssl/meta/main.yml
@@ -0,0 +1,20 @@
+galaxy_info:
+  author: Evolix
+  description: Deployment of SSL certificate, key and dhparams
+
+  issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
+
+  license: GPLv2
+
+  min_ansible_version: 2.2
+
+  platforms:
+    - name: Debian
+      versions:
+        - jessie
+        - stretch
+
+dependencies: []
+  # List your role dependencies here, one per line.
+  # Be sure to remove the '[]' above if you add dependencies
+  # to this list.
diff --git a/ssl/tasks/haproxy.yml b/ssl/tasks/haproxy.yml
new file mode 100644
index 00000000..4f99fa1d
--- /dev/null
+++ b/ssl/tasks/haproxy.yml
@@ -0,0 +1,32 @@
+---
+- name: Concatenate SSL certificate, key and dhparam
+  set_fact:
+    ssl_cat: "{{ ssl_cat | default() }}{{ lookup('file', item) }}\n"
+  with_fileglob:
+    - "ssl/{{ ssl_cert }}.pem"
+    - "ssl/{{ ssl_cert }}.key"
+    - "ssl/{{ ssl_cert }}.dhp"
+  tags:
+    - ssl
+
+- name: Create haproxy ssl directory
+  file:
+    dest: /etc/haproxy/ssl
+    mode: "0700"
+  tags:
+    - ssl
+
+- name: Copy concatenated certificate and key
+  copy:
+    content: "{{ ssl_cat }}"
+    dest: "/etc/haproxy/ssl/{{ ssl_cert }}.pem"
+    mode: "0600"
+  notify: reload haproxy
+  tags:
+    - ssl
+
+- name: Reset ssl_cat variable
+  set_fact:
+    ssl_cat: ""
+  tags:
+    - ssl
diff --git a/ssl/tasks/main.yml b/ssl/tasks/main.yml
new file mode 100644
index 00000000..0ce74b86
--- /dev/null
+++ b/ssl/tasks/main.yml
@@ -0,0 +1,38 @@
+---
+- name: Copy SSL certificate
+  copy:
+    src: "ssl/{{ ssl_cert }}.pem"
+    dest: "/etc/ssl/certs/{{ ssl_cert }}.pem"
+    mode: "0644"
+  register: ssl_copy_cert
+  tags:
+    - ssl
+
+- name: Copy SSL key
+  copy:
+    src: "ssl/{{ ssl_cert }}.key"
+    dest: "/etc/ssl/private/{{ ssl_cert }}.key"
+    mode: "0600"
+  register: ssl_copy_key
+  tags:
+    - ssl
+
+- name: Copy SSL dhparam
+  copy:
+    src: "ssl/{{ ssl_cert }}.dhp"
+    dest: "/etc/ssl/certs/{{ ssl_cert }}.dhp"
+    mode: "0644"
+  register: ssl_copy_dhp
+  tags:
+    - ssl
+
+- name: Check if Haproxy is installed
+  command: dpkg -l haproxy
+  register: haproxy_check
+  check_mode: False
+  changed_when: False
+  tags:
+    - ssl
+
+- include: haproxy.yml
+  when: haproxy_check.rc == 0
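Review bot: The `Create haproxy ssl directory` task in ssl/tasks/haproxy.yml sets no `state`, so the `file` module runs with its default `state: file` and errors out when `/etc/haproxy/ssl` does not exist yet instead of creating it; add `state: directory` under `dest: /etc/haproxy/ssl`. The `Concatenate SSL certificate, key and dhparam` task builds the private key into the `ssl_cat` fact, and set_fact return values are printed in verbose (`-v`) runs, so `no_log: true` on that task would keep the key material out of playbook output. The later `Reset ssl_cat variable` task clears the fact but does nothing about what was already logged.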
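Review bot: `Check if Haproxy is installed` in ssl/tasks/main.yml runs `dpkg -l haproxy` through the `command` module, which fails the task on a non-zero exit code, so on a host where haproxy was never installed the play aborts before `when: haproxy_check.rc == 0` gets a chance to skip the include; add `failed_when: False` alongside `changed_when: False`. Also, `dpkg -l` exits 0 for a package that was removed but not purged (status `rc`), so `rc == 0` may be broader than "installed" and the status column would be the more precise signal — worth a comment on the task if that is acceptable here. Minor style: `check_mode: False` and `changed_when: False` would read as lowercase `false` per yamllint's `truthy` rule.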