diff --git a/salt/ca/files/signing_policies.conf b/salt/ca/files/signing_policies.conf index 04724ef70..a6ecdd4c3 100644 --- a/salt/ca/files/signing_policies.conf +++ b/salt/ca/files/signing_policies.conf @@ -51,3 +51,16 @@ x509_signing_policies: - authorityKeyIdentifier: keyid,issuer:always - days_valid: 3000 - copypath: /etc/pki/issued_certs/ + fleet: + - minions: '*' + - signing_private_key: /etc/pki/ca.key + - signing_cert: /etc/pki/ca.crt + - C: US + - ST: Utah + - L: Salt Lake City + - basicConstraints: "critical CA:false" + - keyUsage: "critical keyEncipherment" + - subjectKeyIdentifier: hash + - authorityKeyIdentifier: keyid,issuer:always + - days_valid: 3000 + - copypath: /etc/pki/issued_certs/ diff --git a/salt/fleet/init.sls b/salt/fleet/init.sls index abb1828c8..5dbcea390 100644 --- a/salt/fleet/init.sls +++ b/salt/fleet/init.sls @@ -1,3 +1,6 @@ +{%- set FLEETPASS = salt['pillar.get']('master:fleetpass', 'bazinga') -%} +{%- set MASTERIP = salt['pillar.get']('static:masterip', '') -%} + # Fleet Setup fleetcdir: file.directory: @@ -5,3 +8,24 @@ fleetcdir: - user: 939 - group: 939 - makedirs: True + +so-fleet: + docker_container.running: + - image: kolide/fleet + - hostname: so-fleet + - user: socore + - port_bindings: + - 0.0.0.0:8080:8080 + - environment: + - KOLIDE_MYSQL_ADDRESS={{ MASTERIP }}:3306 + - KOLIDE_MYSQL_DATABASE=fleet + - KOLIDE_MYSQL_USERNAME=fleetdbuser + - KOLIDE_MYSQL_PASSWORD={{ FLEETPASS }} + - KOLIDE_REDIS_ADDRESS={{ MASTERIP }}:6379 + - KOLIDE_SERVER_CERT=/tmp/server.cert + - KOLIDE_SERVER_KEY=/tmp/server.key + - KOLIDE_LOGGING_JSON=true + - binds: + - /opt/so/conf/fleet/etc:/ssl:ro + - watch: + - /opt/so/conf/fleet/etc diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index 8a8d9309a..12ab3a9c7 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls 
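Review bot: The new `fleet` signing policy issues a TLS server certificate whose `keyUsage` is only `critical keyEncipherment`, which leaves out `digitalSignature` (needed for the signature-based ECDHE key exchanges a TLS server normally offers with an RSA key) and sets no `serverAuth` extended key usage; I would write `- keyUsage: "critical digitalSignature, keyEncipherment"` and add `- extendedKeyUsage: serverAuth`. The policy also accepts requests from every minion (`minions: '*'`) and does not pin the subject, so any minion able to reach the CA can obtain a CA-signed certificate for whatever CN it requests, including the master's; if this certificate is only ever issued on the master, restrict `minions` to it. Whether the earlier policies in this file share the same shape is not visible in the hunk, which shows only the tail of the previous entry.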
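Review bot: `FLEETPASS` falls back to the literal `'bazinga'` on the first added line, so a host whose pillar lacks `master:fleetpass` silently runs Fleet with a guessable, version-controlled database password instead of failing. Drop the default and fail the render when the pillar is missing, e.g. `{%- set FLEETPASS = salt['pillar.get']('master:fleetpass') -%}` followed by `{%- if not FLEETPASS %}{{ raise('master:fleetpass pillar is not set') }}{%- endif %}` (Salt's Jinja environment exposes `raise` for this). The `''` fallback for `MASTERIP` has the same problem, producing `KOLIDE_MYSQL_ADDRESS=:3306` further down the file rather than an error, and deserves the same treatment.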
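Review bot: `KOLIDE_SERVER_CERT` and `KOLIDE_SERVER_KEY` point at `/tmp/server.cert` and `/tmp/server.key` inside the container, but the only bind is `/opt/so/conf/fleet/etc:/ssl:ro`, and the certificate this change issues in `salt/ssl/init.sls` lands at `/etc/pki/fleet.crt` on the host and is never mounted, so Fleet either fails to start or serves whatever the image happens to carry under `/tmp` rather than the CA-issued pair. I would mount the issued pair read-only and point the environment at it, as below; the key file must then be readable by the `socore` user the container runs as, which presumably needs an explicit mode on the managed key. Separately, the database password is passed as a plain environment variable, where `docker inspect` exposes it to anyone with Docker socket access, and `0.0.0.0:8080:8080` publishes the service on every interface; both are worth at least a comment stating that this is intended. The `watch` on a bare path rather than a `file:` state ID should be checked against the Salt version in use.

```yaml
    - environment:
      # … unchanged: MySQL/Redis settings …
      - KOLIDE_SERVER_CERT=/pki/fleet.crt
      - KOLIDE_SERVER_KEY=/pki/fleet.key
      - KOLIDE_LOGGING_JSON=true
    - binds:
      - /opt/so/conf/fleet/etc:/ssl:ro
      - /etc/pki/fleet.crt:/pki/fleet.crt:ro
      - /etc/pki/fleet.key:/pki/fleet.key:ro
```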
@@ -92,6 +92,20 @@ fbcrtlink: bits: 4096 backup: True +# Create a cert for OSQuery +/etc/pki/fleet.crt: + x509.certificate_managed: + - ca_server: {{ master }} + - signing_policy: fleet + - public_key: /etc/pki/fleet.key + - CN: {{ master }} + - days_remaining: 3000 + - backup: True + - managed_private_key: + name: /etc/pki/fleet.key + bits: 4096 + backup: True + {% endif %} {% if grains['role'] == 'so-SENSOR' or grains['role'] == 'so-eval' %}
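Review bot: The new `/etc/pki/fleet.crt` certificate identifies the server by `CN: {{ master }}` alone, with no `subjectAltName`; osquery agents and other modern TLS clients match the hostname against SAN and ignore CN, so add `- subjectAltName: 'DNS:{{ master }}'` (or `IP:{{ master }}` if `master` is an address; which it is cannot be seen here). `days_remaining: 3000` equals the policy's `days_valid` of 3000, which, if I read Salt's renewal check correctly, means the certificate has fewer remaining days than the threshold from day one and is re-issued on every highstate; a renewal threshold such as `- days_remaining: 90` is what is usually meant. The `{% if %}` block this state sits in opens before the hunk, so the condition gating it is not visible.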