diff --git a/salt/ca/init.sls b/salt/ca/init.sls
index 88c32e12a..4c7973cd0 100644
--- a/salt/ca/init.sls
+++ b/salt/ca/init.sls
@@ -58,22 +58,6 @@ cakeyperms:
     - mode: 640
     - group: 939
 
-{%   if grains.role in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import'] %}
-cacertz:
-  file.managed:
-    - name: /opt/so/conf/ca/cacerts
-    - source: salt://common/cacerts
-    - user: 939
-    - group: 939
-
-capemz:
-  file.managed:
-    - name: /opt/so/conf/ca/tls-ca-bundle.pem
-    - source: salt://common/tls-ca-bundle.pem
-    - user: 939
-    - group: 939
-{%   endif %}
-
 {% else %}
 
 {{sls}}_state_not_allowed:
diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls
index ec807e6aa..ca23179b7 100644
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -35,6 +35,22 @@ include:
     {% set ca_server = global_ca_server[0] %}
 {% endif %}
 
+{% if grains.role in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-searchnode'] %}
+cacertz:
+  file.managed:
+    - name: /opt/so/conf/ca/cacerts
+    - source: salt://common/cacerts
+    - user: 939
+    - group: 939
+
+capemz:
+  file.managed:
+    - name: /opt/so/conf/ca/tls-ca-bundle.pem
+    - source: salt://common/tls-ca-bundle.pem
+    - user: 939
+    - group: 939
+{% endif %}
+
 # Trust the CA
 trusttheca:
   x509.pem_managed: