diff --git a/playbooks/init-credentials.yml b/playbooks/init-credentials.yml
index eb107d0a01b4d9fc92c29951dd2f30f4dfb07ffe..6c02e0ebaa9267eff1a2cd58bf2be118976ae113 100644
--- a/playbooks/init-credentials.yml
+++ b/playbooks/init-credentials.yml
@@ -28,7 +28,6 @@
- dnssec
- ssh
- sso
- - x509
# First of all, generate secrets from the passwords.yml file.
- name: Initialize secrets
@@ -50,12 +49,17 @@
- name: Generate SSO credentials
local_action: ed25519 privkey="{{ credentials_dir }}/sso/secret.key" pubkey="{{ credentials_dir }}/sso/public.key"
- - name: Generate global DH params
- local_action: command openssl dhparam -out "{{ credentials_dir }}/x509/dhparam" "{{ dhparam_bits | default('2048') }}" creates="{{ credentials_dir }}/x509/dhparam"
-
- set_fact:
default_x509_ca_list:
- {tag: x509}
+
+ - name: Create X509 CA directory
+ local_action: file path="{{ credentials_dir }}/{{ item.tag }}" state=directory
+ loop: "{{ x509_ca_list | default(default_x509_ca_list) }}"
+
- name: Generate the X509 CA certificate
local_action: x509_ca ca_subject="{{ item.subject | default('CN=Service CA') }}" ca_cert_path="{{ credentials_dir }}/{{ item.tag }}/ca.pem" ca_key_path="{{ credentials_dir }}/{{ item.tag }}/ca_private_key.pem"
loop: "{{ x509_ca_list | default(default_x509_ca_list) }}"
+
+ - name: Generate global DH params
+ local_action: command openssl dhparam -out "{{ credentials_dir }}/x509/dhparam" "{{ dhparam_bits | default('2048') }}" creates="{{ credentials_dir }}/x509/dhparam"
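Review bot: The relocated `Generate global DH params` task still writes to the fixed path `{{ credentials_dir }}/x509/dhparam`, but after this commit the `x509` directory is only created when the looped CA list happens to contain the default `{tag: x509}` entry; the first hunk removes `x509` from the generic directory list, so with an overridden `x509_ca_list` nothing creates that directory and `openssl dhparam -out` has no parent directory to write into. A dedicated task before it, `- name: Create DH params directory` / `local_action: file path="{{ credentials_dir }}/x509" state=directory`, keeps the DH params independent of the CA list. Separately, the new `Create X509 CA directory` task creates the directory that will hold `ca_private_key.pem` with whatever the local umask yields; adding `mode=0700` to that `local_action` line would keep the key directory private regardless of how the `x509_ca` module sets its own file modes (not visible here).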