diff --git a/playbooks/init-credentials.yml b/playbooks/init-credentials.yml
index 555b0ba4c0967a9e6645ab0732821dc7a9ac075c..eb107d0a01b4d9fc92c29951dd2f30f4dfb07ffe 100644
--- a/playbooks/init-credentials.yml
+++ b/playbooks/init-credentials.yml
@@ -53,5 +53,9 @@
     - name: Generate global DH params
       local_action: command openssl dhparam -out "{{ credentials_dir }}/x509/dhparam" "{{ dhparam_bits | default('2048') }}" creates="{{ credentials_dir }}/x509/dhparam"
 
+    - set_fact:
+        default_x509_ca_list:
+          - {tag: x509}
     - name: Generate the X509 CA certificate
-      local_action: x509_ca ca_subject="{{ x509_ca_subject | default('CN=Service CA') }}" ca_cert_path="{{ credentials_dir }}/x509/ca.pem" ca_key_path="{{ credentials_dir }}/x509/ca_private_key.pem"
+      local_action: x509_ca ca_subject="{{ item.subject | default('CN=Service CA') }}" ca_cert_path="{{ credentials_dir }}/{{ item.tag }}/ca.pem" ca_key_path="{{ credentials_dir }}/{{ item.tag }}/ca_private_key.pem"
+      loop: "{{ x509_ca_list | default(default_x509_ca_list) }}"
diff --git a/roles/float-util-credentials/tasks/main.yml b/roles/float-util-credentials/tasks/main.yml
index 0f18cd21c7828e5eb327d684b38069f9b26c9e10..b7cf1fe8446feba87c3ae0db84af9dc65386f09c 100644
--- a/roles/float-util-credentials/tasks/main.yml
+++ b/roles/float-util-credentials/tasks/main.yml
@@ -19,8 +19,6 @@
 - set_fact:
     # Default CA name.
     default_ca_tag: "{{ ca_tag | default('x509') }}"
-    # Select the local CA.
-    effective_local_ca_path: "{{ local_ca_path | default(credentials_dir + '/' + (ca_tag | default('x509'))) }}"
     # Get the credential names from the list of certs.
     credentials_names: "{{ credentials | map(attribute='credentials') | map(attribute='name') | unique | list }}"
 
@@ -38,7 +36,7 @@
 
 - name: Copy CA
   copy:
-    src: "{{ effective_local_ca_path }}/ca.pem"
+    src: "{{ local_ca_path | default(credentials_dir + '/' + (item.credentials.ca_tag | default(default_ca_tag))) }}/ca.pem"
     dest: "/etc/credentials/{{ item.credentials.ca_tag | default(default_ca_tag) }}/{{ item.credentials.name }}/ca.pem"
     owner: root
     group: root
@@ -86,8 +84,8 @@
       x509_sign:
         csr: "{{ item.1.csr }}"
         mode: "{{ item.0.mode }}"
-        ca_cert_path: "{{ effective_local_ca_path }}/ca.pem"
-        ca_key_path: "{{ effective_local_ca_path }}/ca_private_key.pem"
+        ca_cert_path: "{{ local_ca_path | default(credentials_dir + '/' + (item.0.credentials.ca_tag | default(default_ca_tag))) }}/ca.pem"
+        ca_key_path: "{{ local_ca_path | default(credentials_dir + '/' + (item.0.credentials.ca_tag | default(default_ca_tag))) }}/ca_private_key.pem"
       when: "item.1.changed"
       loop: "{{ credentials | zip(x509_csr.results) | list }}"
       register: x509_sign