diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index 854628949..72fc6c9a4 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -662,31 +662,27 @@ elastickeyperms: - mode: 640 - group: 930 -{%- endif %} - -{% if grains['role'] in ['so-manager', 'so-receiver', 'so-searchnode'] %} - -kafka_key: +kafka_logstash_key: x509.private_key_managed: - - name: /etc/pki/kafka.key + - name: /etc/pki/kafka-logstash.key - keysize: 4096 - backup: True - new: True - {% if salt['file.file_exists']('/etc/pki/kafka.key') -%} + {% if salt['file.file_exists']('/etc/pki/kafka-logstash.key') -%} - prereq: - - x509: /etc/pki/kafka.crt + - x509: /etc/pki/kafka-logstash.crt {%- endif %} - retry: attempts: 5 interval: 30 -kafka_crt: +kafka_logstash_crt: x509.certificate_managed: - - name: /etc/pki/kafka.crt + - name: /etc/pki/kafka-logstash.crt - ca_server: {{ ca_server }} - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} - signing_policy: kafka - - private_key: /etc/pki/kafka.key + - private_key: /etc/pki/kafka-logstash.key - CN: {{ GLOBALS.hostname }} - days_remaining: 0 - days_valid: 820 
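Review bot: Removing the `{%- endif %}` together with the `{% if grains['role'] in ['so-manager', 'so-receiver', 'so-searchnode'] %}` guard makes `kafka_logstash_key` and `kafka_logstash_crt` inherit whatever role condition encloses `elastickeyperms`, and that opening `{% if %}` is outside the hunk, so I cannot confirm the resulting role set still covers every node that runs Logstash against Kafka (so-searchnode was in the old guard). A one-line Jinja comment above `kafka_logstash_key:` naming the intended roles, e.g. `{# kafka-logstash: Logstash's client identity for Kafka; issued on the same roles as the Elasticsearch key above #}`, would make the inheritance explicit for the next reader. The `kafka_logstash_crt` state continues past the end of the hunk.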
@@ -696,9 +692,37 @@ kafka_crt: attempts: 5 interval: 30 cmd.run: - - name: "/usr/bin/openssl pkcs12 -inkey /etc/pki/kafka.key -in /etc/pki/kafka.crt -export -out /etc/pki/kafka.p12 -nodes -passout pass:changeit" + - name: "/usr/bin/openssl pkcs12 -inkey /etc/pki/kafka-logstash.key -in /etc/pki/kafka-logstash.crt -export -out /etc/pki/kafka-logstash.p12 -nodes -passout pass:changeit" - onchanges: - - x509: /etc/pki/kafka.key + - x509: /etc/pki/kafka-logstash.key + +kafka_logstash_key_perms: + file.managed: + - replace: False + - name: /etc/pki/kafka-logstash.key + - mode: 640 + - user: 960 + - group: 939 + +kafka_logstash_crt_perms: + file.managed: + - replace: False + - name: /etc/pki/kafka-logstash.crt + - mode: 640 + - user: 960 + - group: 939 + +kafka_logstash_pkcs12_perms: + file.managed: + - replace: False + - name: /etc/pki/kafka-logstash.p12 + - mode: 640 + - user: 960 + - group: 931 + +{%- endif %} + +{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone'] %} elasticfleet_kafka_key: x509.private_key_managed: 
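Review bot: The `cmd.run` that writes `/etc/pki/kafka-logstash.p12` runs as root with the default umask, so the bundle (private key guarded only by the well-known `pass:changeit`) sits at openssl's default mode until `kafka_logstash_pkcs12_perms` later tightens it to 640, and that perms state is ordered after the export only by declaration order. Adding `- umask: "077"` to the `cmd.run` and `- require:` / `- cmd: kafka_logstash_crt` to `kafka_logstash_pkcs12_perms` closes that window and makes the ordering explicit. The export still relies on the fixed `pass:changeit`; if that is a convention the Kafka/Logstash keystore configuration depends on, a comment saying so next to the command would save the next reader the question.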
@@ -734,41 +758,30 @@ elasticfleet_kafka_crt: - onchanges: - x509: elasticfleet_kafka_key -kafka_logstash_key: - x509.private_key_managed: - - name: /etc/pki/kafka-logstash.key - - keysize: 4096 - - backup: True - - new: True - {% if salt['file.file_exists']('/etc/pki/kafka-logstash.key') -%} - - prereq: - - x509: /etc/pki/kafka-logstash.crt - {%- endif %} - - retry: - attempts: 5 - interval: 30 +elasticfleet_kafka_cert_perms: + file.managed: + - replace: False + - name: /etc/pki/elasticfleet-kafka.crt + - mode: 640 + - user: 960 + - group: 939 -kafka_logstash_crt: - x509.certificate_managed: - - name: /etc/pki/kafka-logstash.crt - - ca_server: {{ ca_server }} - - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} - - signing_policy: kafka - - private_key: /etc/pki/kafka-logstash.key - - CN: {{ GLOBALS.hostname }} - - days_remaining: 0 - - days_valid: 820 - - backup: True - - timeout: 30 - - retry: - attempts: 5 - interval: 30 - cmd.run: - - name: "/usr/bin/openssl pkcs12 -inkey /etc/pki/kafka-logstash.key -in /etc/pki/kafka-logstash.crt -export -out /etc/pki/kafka-logstash.p12 -nodes -passout pass:changeit" - - onchanges: - - x509: /etc/pki/kafka-logstash.key +elasticfleet_kafka_key_perms: + file.managed: + - replace: False + - name: /etc/pki/elasticfleet-kafka.key + - mode: 640 + - user: 960 + - group: 939 + +elasticfleet_kafka_pkcs8_perms: + file.managed: + - replace: False + - name: /etc/pki/elasticfleet-kafka.p8 + - mode: 640 + - user: 960 + - group: 939 -{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-receiver'] %} kafka_client_key: x509.private_key_managed: - name: /etc/pki/kafka-client.key 
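Review bot: Deleting the `{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-receiver'] %}` line at the end of the hunk leaves `kafka_client_key` (and the remaining kafka-client states, which run past the hunk) under the guard opened for the elasticfleet_kafka states, which the previous hunk sets to so-manager, so-managersearch and so-standalone only. Unless that is intended, so-receiver nodes stop receiving `/etc/pki/kafka-client.key` and `.crt` after this change while still getting `kafka.key` in the next hunk. If receivers no longer need a client identity, a short comment above `kafka_client_key:` naming the roles that consume it would document that; otherwise the guard should be reinstated as `{% if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-receiver'] %}` with its matching `{% endif %}`.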
@@ -814,8 +827,44 @@ kafka_client_crt_perms: - mode: 640 - user: 960 - group: 939 -{% endif %} +{% endif %} + +{% if grains['role'] in ['so-manager', 'so-managersearch','so-receiver', 'so-standalone'] %} + +kafka_key: + x509.private_key_managed: + - name: /etc/pki/kafka.key + - keysize: 4096 + - backup: True + - new: True + {% if salt['file.file_exists']('/etc/pki/kafka.key') -%} + - prereq: + - x509: /etc/pki/kafka.crt + {%- endif %} + - retry: + attempts: 5 + interval: 30 + +kafka_crt: + x509.certificate_managed: + - name: /etc/pki/kafka.crt + - ca_server: {{ ca_server }} + - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} + - signing_policy: kafka + - private_key: /etc/pki/kafka.key + - CN: {{ GLOBALS.hostname }} + - days_remaining: 0 + - days_valid: 820 + - backup: True + - timeout: 30 + - retry: + attempts: 5 + interval: 30 + cmd.run: + - name: "/usr/bin/openssl pkcs12 -inkey /etc/pki/kafka.key -in /etc/pki/kafka.crt -export -out /etc/pki/kafka.p12 -nodes -passout pass:changeit" + - onchanges: + - x509: /etc/pki/kafka.key kafka_key_perms: file.managed: - replace: False 
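Review bot: The re-added `cmd.run` under `kafka_crt` exports the private key with `-passout pass:changeit`, so `/etc/pki/kafka.p12` is protected only by its file mode, and `-nodes` is a PKCS#12 parse-side option that appears to have no effect with `-export`. Since this hunk carries the block over unchanged, it is the natural place to document the choice, e.g. `# p12 password is the fixed 'changeit' presumably expected by the Kafka keystore config -- confirm; file mode 640 is the real control`, and to drop `-nodes`. `days_remaining: 0` also disables proactive renewal, so with `days_valid: 820` a comment confirming that the `prereq` / `new: True` pairing is the intended re-issue path would help. The `kafka_key_perms` state continues after the hunk.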
@@ -832,6 +881,51 @@ kafka_crt_perms: - user: 960 - group: 939 +kafka_pkcs12_perms: + file.managed: + - replace: False + - name: /etc/pki/kafka.p12 + - mode: 640 + - user: 960 + - group: 939 + +{% endif %} +{# For automated testing standalone will need kafka-logstash key to pull logs from Kafka #} +{% if grains['role'] == 'so-standalone' %} +kafka_logstash_key: + x509.private_key_managed: + - name: /etc/pki/kafka-logstash.key + - keysize: 4096 + - backup: True + - new: True + {% if salt['file.file_exists']('/etc/pki/kafka-logstash.key') -%} + - prereq: + - x509: /etc/pki/kafka-logstash.crt + {%- endif %} + - retry: + attempts: 5 + interval: 30 + +kafka_logstash_crt: + x509.certificate_managed: + - name: /etc/pki/kafka-logstash.crt + - ca_server: {{ ca_server }} + - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} + - signing_policy: kafka + - private_key: /etc/pki/kafka-logstash.key + - CN: {{ GLOBALS.hostname }} + - days_remaining: 0 + - days_valid: 820 + - backup: True + - timeout: 30 + - retry: + attempts: 5 + interval: 30 + cmd.run: + - name: "/usr/bin/openssl pkcs12 -inkey /etc/pki/kafka-logstash.key -in /etc/pki/kafka-logstash.crt -export -out /etc/pki/kafka-logstash.p12 -nodes -passout pass:changeit" + - onchanges: + - x509: /etc/pki/kafka-logstash.key + kafka_logstash_key_perms: file.managed: - replace: False 
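Review bot: The `kafka_logstash_key` and `kafka_logstash_crt` IDs added here for so-standalone are also declared in the first hunk under the role condition that encloses `elastickeyperms`, whose opening `{% if %}` is outside this diff; if that condition is true on a standalone node, the rendered state file contains conflicting IDs and Salt will refuse to apply it. The same holds for the `kafka_logstash_key_perms` / `kafka_logstash_crt_perms` / `kafka_logstash_pkcs12_perms` states, which now sit inside the `so-standalone` guard while the second hunk also declares them. Rendering the SLS on a standalone node and grepping for `kafka_logstash_key:` would settle it; if both paths can fire, gate the earlier block with `{% if grains['role'] != 'so-standalone' %}` or merge the two. The `kafka_logstash_key_perms` state continues past the hunk.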
@@ -855,39 +949,8 @@ kafka_logstash_pkcs12_perms: - mode: 640 - user: 960 - group: 931 - -elasticfleet_kafka_pkcs8_perms: - file.managed: - - replace: False - - name: /etc/pki/elasticfleet-kafka.p8 - - mode: 640 - - user: 960 - - group: 939 - -kafka_pkcs12_perms: - file.managed: - - replace: False - - name: /etc/pki/kafka.p12 - - mode: 640 - - user: 960 - - group: 939 - -elasticfleet_kafka_cert_perms: - file.managed: - - replace: False - - name: /etc/pki/elasticfleet-kafka.crt - - mode: 640 - - user: 960 - - group: 939 - -elasticfleet_kafka_key_perms: - file.managed: - - replace: False - - name: /etc/pki/elasticfleet-kafka.key - - mode: 640 - - user: 960 - - group: 939 {% endif %} + {% else %} {{sls}}_state_not_allowed: