diff --git a/salt/filebeat/init.sls b/salt/filebeat/init.sls
index 5dc537f6d..7574095dc 100644
--- a/salt/filebeat/init.sls
+++ b/salt/filebeat/init.sls
@@ -30,15 +30,15 @@ filebeatconfsync:
     - group: 0
     - template: jinja
 
-filebeatcrt:
-  file.managed:
-    - name: /opt/so/conf/filebeat/etc/pki/filebeat.crt
-    - source: salt://filebeat/files/filebeat.crt
+#filebeatcrt:
+#  file.managed:
+#    - name: /opt/so/conf/filebeat/etc/pki/filebeat.crt
+#    - source: salt://filebeat/files/filebeat.crt
 
-filebeatkey:
-  file.managed:
-    - name: /opt/so/conf/filebeat/etc/pki/filebeat.key
-    - source: salt://filebeat/files/filebeat.key
+#filebeatkey:
+#  file.managed:
+#    - name: /opt/so/conf/filebeat/etc/pki/filebeat.key
+#    - source: salt://filebeat/files/filebeat.key
 
 
 so-filebeat:
diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls
index 97f57d514..086ddb263 100644
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -61,4 +61,20 @@ fbcrtlink:
         bits: 4096
         backup: True
 
+{% endif %}
+{% if grains['role'] == 'so-sensor' %}
+# Request a cert and drop it where it needs to go to be distributed
+/opt/so/conf/filebeat/etc/pki/filebeat.crt:
+  x509.certificate_managed:
+    - ca_server: {{ master }}
+    - signing_policy: filebeat
+    - public_key: /opt/so/conf/filebeat/etc/pki/filebeat.key
+    - CN: {{ master }}
+    - days_remaining: 3000
+    - backup: True
+    - managed_private_key:
+        name: /opt/so/conf/filebeat/etc/pki/filebeat.key
+        bits: 4096
+        backup: True
+
 {% endif %}
\ No newline at end of file