diff --git a/ansible/roles/nomad_client/handlers/main.yml b/ansible/roles/nomad_client/handlers/main.yml
index 625606d..fee20a3 100644
--- a/ansible/roles/nomad_client/handlers/main.yml
+++ b/ansible/roles/nomad_client/handlers/main.yml
@@ -3,6 +3,11 @@
 systemd:
 daemon_reload: True
+- name: reload_nomad
+ systemd:
+ name: nomad
+ state: reloaded
+
 - name: restart_nomad
 systemd:
 name: nomad
diff --git a/ansible/roles/nomad_client/tasks/nomad.yml b/ansible/roles/nomad_client/tasks/nomad.yml
index 4df9741..0c8fc0c 100644
--- a/ansible/roles/nomad_client/tasks/nomad.yml
+++ b/ansible/roles/nomad_client/tasks/nomad.yml
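Review bot: `state: reloaded` in the new `reload_nomad` handler only works if the nomad systemd unit declares `ExecReload=` and the service is active when handlers fire; the unit file is not in this diff, so confirm it sends SIGHUP, which is the signal Nomad uses to re-read `cert_file`/`key_file` without a full restart. If it does not, the handler should fall back to `state: restarted`, otherwise the cert-rotation tasks that notify it will make the play fail at handler time. The identical handler is added in `ansible/roles/nomad_server/handlers/main.yml`.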
@@ -85,6 +85,55 @@
 group: nomad
 remote_src: True
+- name: ensure nomad config dir
+ file:
+ path: /etc/nomad.d/certs/
+ state: directory
+ owner: nomad
+ group: nomad
+ mode: 0755
+
+- name: check if server cert is expiring in the next 5 days
+ shell: "openssl x509 -checkend 432000 -noout -in /etc/nomad.d/certs/nomad.pem"
+ args:
+ executable: /bin/bash
+ failed_when: False
+ check_mode: False
+ changed_when: False
+ register: exp
+
+- name: get cert
+ shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=nomad.service.{{ main_dc_name }}.{{ consul_domain }} alt_names=nomad.service.{{ consul_domain }} ttl=43200m"
+ args:
+ executable: /bin/bash
+ environment:
+ VAULT_ADDR: http://ivyking.minhas.io:8200
+ VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
+ VAULT_FORMAT: json
+ register: cert_data
+ when: exp.rc != 0
+ notify: reload_nomad
+
+- name: write cert data to server
+ copy:
+ content: "{{ item.content }}"
+ dest: "/etc/nomad.d/certs/{{ item.path }}"
+ mode: '{{ item.mode }}'
+ owner: nomad
+ group: nomad
+ when: cert_data.changed
+ loop:
+ - {
+ content: "{{ (cert_data.stdout | from_json).data.certificate }}",
+ path: "nomad.pem",
+ mode: "0755"
+ }
+ - {
+ content: "{{ (cert_data.stdout | from_json).data.private_key }}",
+ path: "nomad.key",
+ mode: "0600"
+ }
+
 - name: ensure nomad is started and enabled
 systemd:
 name: nomad
diff --git a/ansible/roles/nomad_client/templates/nomad.hcl.j2 b/ansible/roles/nomad_client/templates/nomad.hcl.j2
index a643c74..c7b8dc5 100644
--- a/ansible/roles/nomad_client/templates/nomad.hcl.j2
+++ b/ansible/roles/nomad_client/templates/nomad.hcl.j2
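Review bot: The `get cert` task talks to Vault over plaintext `VAULT_ADDR: http://ivyking.minhas.io:8200`, so the operator token in `VAULT_TOKEN` and the issued private key in the response both cross the network unencrypted; if the Vault listener is TLS-enabled this should be its `https://` address (placeholder: `https://<vault-host>:8200`). The token is read from the controller's `~/.vault-token` but then exported into the process environment on every managed node, which `delegate_to: localhost` on this task avoids while leaving `register: cert_data` available to the `copy` task. Neither `get cert` nor `write cert data to server` sets `no_log: true`, so a `-v` or `--diff` run prints the private key from `cert_data.stdout` and from the `content:` of `nomad.key`. `notify: reload_nomad` sits on the issuing task rather than on the `copy` that actually replaces the files, so a reload is queued even when the write fails; moving it to `write cert data to server` ties the reload to the file change. The same four points apply to the identical hunk in `ansible/roles/nomad_server/tasks/main.yml`.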
@@ -9,6 +9,14 @@ consul { token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['consul-acl-client'] }}" }
+tls {
+ http = true
+ rpc = true
+ ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"
+ cert_file = "/etc/nomad.d/certs/nomad.pem"
+ key_file = "/etc/nomad.d/certs/nomad.key"
+}
+
 plugin_dir = "/opt/nomad_plugins"
 plugin "nomad-driver-podman" {
diff --git a/ansible/roles/nomad_server/handlers/main.yml b/ansible/roles/nomad_server/handlers/main.yml
index 625606d..fee20a3 100644
--- a/ansible/roles/nomad_server/handlers/main.yml
+++ b/ansible/roles/nomad_server/handlers/main.yml
@@ -3,6 +3,11 @@
 systemd:
 daemon_reload: True
+- name: reload_nomad
+ systemd:
+ name: nomad
+ state: reloaded
+
 - name: restart_nomad
 systemd:
 name: nomad
diff --git a/ansible/roles/nomad_server/tasks/main.yml b/ansible/roles/nomad_server/tasks/main.yml
index 9697510..154e1cc 100644
--- a/ansible/roles/nomad_server/tasks/main.yml
+++ b/ansible/roles/nomad_server/tasks/main.yml
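Review bot: The new `tls` block turns on HTTP and RPC TLS but sets neither `verify_server_hostname` nor `verify_https_client`, so RPC peers are only checked for a certificate chained to `ca_file`; as far as I read Nomad's TLS model, without `verify_server_hostname = true` any certificate from that CA, including a client node's, is accepted in the server role. Enabling it requires the server certificate to carry a `server.<region>.nomad` name, which the `nomad.service.<dc>.<domain>` common name issued by the `get cert` task does not, so the two changes go together (the issuing task is in the tasks hunk, not here). The identical block is added in `ansible/roles/nomad_server/templates/nomad.hcl.j2`.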
@@ -65,6 +65,55 @@
 mode: 0755
 notify: restart_nomad
+- name: ensure nomad config dir
+ file:
+ path: /etc/nomad.d/certs/
+ state: directory
+ owner: nomad
+ group: nomad
+ mode: 0755
+
+- name: check if server cert is expiring in the next 5 days
+ shell: "openssl x509 -checkend 432000 -noout -in /etc/nomad.d/certs/nomad.pem"
+ args:
+ executable: /bin/bash
+ failed_when: False
+ check_mode: False
+ changed_when: False
+ register: exp
+
+- name: get cert
+ shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=nomad.service.{{ main_dc_name }}.{{ consul_domain }} alt_names=nomad.service.{{ consul_domain }} ttl=43200m"
+ args:
+ executable: /bin/bash
+ environment:
+ VAULT_ADDR: http://ivyking.minhas.io:8200
+ VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
+ VAULT_FORMAT: json
+ register: cert_data
+ when: exp.rc != 0
+ notify: reload_nomad
+
+- name: write cert data to server
+ copy:
+ content: "{{ item.content }}"
+ dest: "/etc/nomad.d/certs/{{ item.path }}"
+ mode: '{{ item.mode }}'
+ owner: nomad
+ group: nomad
+ when: cert_data.changed
+ loop:
+ - {
+ content: "{{ (cert_data.stdout | from_json).data.certificate }}",
+ path: "nomad.pem",
+ mode: "0755"
+ }
+ - {
+ content: "{{ (cert_data.stdout | from_json).data.private_key }}",
+ path: "nomad.key",
+ mode: "0600"
+ }
+
 - name: ensure nomad is started and enabled
 systemd:
 name: nomad
diff --git a/ansible/roles/nomad_server/templates/nomad.hcl.j2 b/ansible/roles/nomad_server/templates/nomad.hcl.j2
index 782df9d..53984fa 100644
--- a/ansible/roles/nomad_server/templates/nomad.hcl.j2
+++ b/ansible/roles/nomad_server/templates/nomad.hcl.j2
@@ -9,3 +9,11 @@ server {
 consul {
 token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['consul-acl-server'] }}"
 }
+
+tls {
+ http = true
+ rpc = true
+ ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"
+ cert_file = "/etc/nomad.d/certs/nomad.pem"
+ key_file = "/etc/nomad.d/certs/nomad.key"
+}