diff --git a/salt/ca/init.sls b/salt/ca/init.sls
index 4c7973cd0..88c32e12a 100644
--- a/salt/ca/init.sls
+++ b/salt/ca/init.sls
@@ -58,6 +58,22 @@ cakeyperms:
     - mode: 640
     - group: 939
 
+{%   if grains.role in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import'] %}
+cacertz:
+  file.managed:
+    - name: /opt/so/conf/ca/cacerts
+    - source: salt://common/cacerts
+    - user: 939
+    - group: 939
+
+capemz:
+  file.managed:
+    - name: /opt/so/conf/ca/tls-ca-bundle.pem
+    - source: salt://common/tls-ca-bundle.pem
+    - user: 939
+    - group: 939
+{%   endif %}
+
 {% else %}
 
 {{sls}}_state_not_allowed:
diff --git a/salt/elasticsearch/config.sls b/salt/elasticsearch/config.sls
index 255d09376..dcd0283c0 100644
--- a/salt/elasticsearch/config.sls
+++ b/salt/elasticsearch/config.sls
@@ -107,20 +107,6 @@ catrustdir:
     - group: 939
     - makedirs: True
 
-cacertz:
-  file.managed:
-    - name: /opt/so/conf/ca/cacerts
-    - source: salt://common/cacerts
-    - user: 939
-    - group: 939
-
-capemz:
-  file.managed:
-    - name: /opt/so/conf/ca/tls-ca-bundle.pem
-    - source: salt://common/tls-ca-bundle.pem
-    - user: 939
-    - group: 939
-
 esingestdir:
   file.directory:
     - name: /opt/so/conf/elasticsearch/ingest