diff --git a/salt/ca/files/signing_policies.conf b/salt/ca/files/signing_policies.conf
new file mode 100644
index 000000000..95e5726f0
--- /dev/null
+++ b/salt/ca/files/signing_policies.conf
@@ -0,0 +1,14 @@
+x509_signing_policies:
+ filebeat:
+ - minions: '*'
+ - signing_private_key: /etc/pki/ca.key
+ - signing_cert: /etc/pki/ca.crt
+ - C: US
+ - ST: Utah
+ - L: Salt Lake City
+ - basicConstraints: "critical CA:false"
+ - keyUsage: "critical keyEncipherment"
+ - subjectKeyIdentifier: hash
+ - authorityKeyIdentifier: keyid,issuer:always
+ - days_valid: 3000
+ - copypath: /etc/pki/issued_certs/
diff --git a/salt/ca/init.sls b/salt/ca/init.sls
new file mode 100644
index 000000000..8722e804a
--- /dev/null
+++ b/salt/ca/init.sls
@@ -0,0 +1,38 @@
+/etc/salt/minion.d/signing_policies.conf:
+ file.managed:
+ - source: salt://ca/files/signing_policies.conf
+
+/etc/pki:
+ file.directory: []
+
+/etc/pki/issued_certs:
+ file.directory: []
+
+/etc/pki/ca.crt:
+ x509.certificate_managed:
+ - signing_private_key: /etc/pki/ca.key
+ - CN: ca.example.com
+ - C: US
+ - ST: Utah
+ - L: Salt Lake City
+ - basicConstraints: "critical CA:true"
+ - keyUsage: "critical cRLSign, keyCertSign"
+ - subjectKeyIdentifier: hash
+ - authorityKeyIdentifier: keyid,issuer:always
+ - days_valid: 3650
+ - days_remaining: 0
+ - backup: True
+ - managed_private_key:
+ name: /etc/pki/ca.key
+ bits: 4096
+ backup: True
+ - require:
+ - file: /etc/pki
+
+mine.send:
+ module.run:
+ - func: x509.get_pem_entries
+ - kwargs:
+ glob_path: /etc/pki/ca.crt
+ - onchanges:
+ - x509: /etc/pki/ca.crt
\ No newline at end of file
diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls
new file mode 100644
index 000000000..640089772
--- /dev/null
+++ b/salt/ssl/init.sls
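Review bot: `minions: '*'` lets every minion obtain a certificate under the filebeat policy, and the policy fixes no CN or subjectAltName, so the requesting minion chooses its own subject (the ssl state in this commit sends `CN: www.example.com`, and any other minion could send any name it likes). Restrict the policy to the hosts that should hold this cert, e.g. `- minions: 'filebeat-*'` (constructed example), or set the CN in the policy so the CA dictates the subject instead of accepting it from the request. `keyUsage: "critical keyEncipherment"` omits digitalSignature; if these certs are used for TLS with (EC)DHE key exchange the handshake signature needs it, so `- keyUsage: "critical digitalSignature, keyEncipherment"` is probably the intended value. `days_valid: 3000` (about eight years) is also very long for an end-entity cert given that renewal is automated by the ssl state.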
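Review bot: The CA private key created under `managed_private_key` (`name: /etc/pki/ca.key`) gets only `bits` and `backup`; nothing in this hunk sets its owner or mode, so its permissions fall to the module defaults and the minion's umask, and no passphrase is set, so anyone who can read the file can issue certificates for every minion. If managed_private_key accepts file.managed kwargs the way private_key_managed does (verify against the installed Salt version), add `mode: "0600"` and `user: root` next to `bits: 4096`. `days_remaining: 0` disables automatic renewal of the CA cert, which is reasonable for a root but deserves a comment such as `# never auto-renew the CA; rotation is a deliberate operation`. Minor: `backup: True` works with Salt's YAML 1.1 loader, but lowercase `true` is the conventional spelling.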
@@ -0,0 +1,21 @@
+# Trust the CA
+/usr/local/share/ca-certificates:
+ file.directory: []
+
+/usr/local/share/ca-certificates/intca.crt:
+ x509.pem_managed:
+ - text: {{ salt['mine.get']('ca', 'x509.get_pem_entries')['ca']['/etc/pki/ca.crt']|replace('\n', '') }}
+
+# Request a cert
+/etc/pki/filebeat.crt:
+ x509.certificate_managed:
+ - ca_server: ca
+ - signing_policy: filebeat
+ - public_key: /etc/pki/filebeat.key
+ - CN: www.example.com
+ - days_remaining: 3000
+ - backup: True
+ - managed_private_key:
+ name: /etc/pki/filebeat.key
+ bits: 4096
+ backup: True
\ No newline at end of file
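Review bot: `days_remaining: 3000` on /etc/pki/filebeat.crt equals the policy's `days_valid: 3000`, so a freshly issued cert already has no more days left than the threshold and the state will (or very nearly will) re-request a certificate on every run, churning the key material and filling the CA's copypath with copies. A renewal window such as `- days_remaining: 30` is what the setting is meant for. The comment says "Trust the CA", but dropping intca.crt into /usr/local/share/ca-certificates only takes effect on Debian-family systems after `update-ca-certificates` runs; add a `cmd.run` for it with `onchanges` on the x509.pem_managed state, or confirm another state does this. The `mine.get('ca', ...)` lookup and `ca_server: ca` both trust whichever accepted minion holds the id `ca`, which is fine only as long as key acceptance for that id is controlled.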