diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index d09cfdb2..b1ebb790 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -75,6 +75,9 @@ jobs:
 - name: Run deployment
 run: |
 ./foremanctl deploy --certificate-source=${{ matrix.certificate_source }} --foreman-initial-admin-password=changeme
+ - name: Generate certificate bundle for second system
+ run: |
+ ./foremanctl certificate-bundle --certificate-source=${{ matrix.certificate_source }} proxy.example.com
 - name: Setup hammer
 run: |
 ./foremanctl setup-hammer
diff --git a/src/playbooks/certificate-bundle/certificate-bundle.yaml b/src/playbooks/certificate-bundle/certificate-bundle.yaml
new file mode 100644
index 00000000..f3a924f4
--- /dev/null
+++ b/src/playbooks/certificate-bundle/certificate-bundle.yaml
@@ -0,0 +1,24 @@
+---
+- name: Generate a certificate bundle for a hostname
+  hosts:
+    - quadlet
+  become: true
+  vars_files:
+    - "../../vars/defaults.yml"
+  vars:
+    certificates_ca: false
+    certificates_hostnames:
+      - "{{ hostname }}"
+  roles:
+    - role: certificates
+      when: "certificate_source == 'default'"
+    - role: foreman_installer_certs
+      when: "certificate_source == 'installer'"
+    - role: certificate_bundle
+      vars:
+        certificate_bundle_hostname: "{{ hostname }}"
+        certificate_bundle_ca_certificate: "{{ certificates_ca_directory }}/certs/ca.crt"
+        certificate_bundle_server_certificate: "{{ certificates_ca_directory }}/certs/{{ hostname }}.crt"
+        certificate_bundle_server_key: "{{ certificates_ca_directory }}/private/{{ hostname }}.key"
+        certificate_bundle_client_certificate: "{{ certificates_ca_directory }}/certs/{{ hostname }}-client.crt"
+        certificate_bundle_client_key: "{{ certificates_ca_directory }}/private/{{ hostname }}-client.key"
diff --git a/src/playbooks/certificate-bundle/metadata.obsah.yaml b/src/playbooks/certificate-bundle/metadata.obsah.yaml
new file mode 100644
index 00000000..b1488702
--- /dev/null
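Review bot: The new CI step only proves that `foremanctl certificate-bundle` exits 0; nothing checks that the tarball the certificate_bundle role writes in this same change (`/root/proxy.example.com.tar.gz`) actually exists or contains the expected members, so a silently empty or mis-named bundle would still pass. Assuming the `quadlet` host in CI is the runner itself, a follow-up step such as `sudo test -f /root/proxy.example.com.tar.gz` and `sudo tar tzf /root/proxy.example.com.tar.gz | grep -q 'proxy.example.com-foreman-proxy-client.key'` would pin the output; if the play targets another machine, the same check belongs wherever that host is reachable. The enclosing job definition starts and ends outside the hunk.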
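Review bot: `hostname` is taken straight from the CLI parameter and interpolated, unvalidated, into every certificate path passed to the role and, on the role's side, into the tarball name (`/root/{{ hostname }}.tar.gz`) and the directory layout inside the archive, so a value containing `/` or `..` resolves to files outside `{{ certificates_ca_directory }}` or drops the bundle somewhere other than /root. The play already runs as root, so this is mostly a robustness issue rather than a privilege boundary, but a `pre_tasks` assert that the value is a plain DNS name gives an immediate, clear failure instead of an obscure copy error or a misplaced bundle containing private keys. The assert below runs before any role, including the certificate-generating ones, so no key material is created for a bad name.
```yaml
- name: Generate a certificate bundle for a hostname
  # … unchanged: hosts, become, vars_files, vars …
  pre_tasks:
    - name: Validate that hostname is a plain DNS name before using it in paths
      ansible.builtin.assert:
        that:
          - hostname is match('^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$')
        fail_msg: "hostname must be a valid DNS name, got '{{ hostname }}'"
  # … unchanged: roles …
```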
+++ b/src/playbooks/certificate-bundle/metadata.obsah.yaml
@@ -0,0 +1,11 @@
+---
+help: |
+  Generate a certificate bundle
+
+variables:
+  hostname:
+    parameter: hostname
+    help: Hostname to generate a certificate bundle for that will be the common name.
+
+include:
+  - _certificate_source
diff --git a/src/roles/certificate_bundle/tasks/main.yml b/src/roles/certificate_bundle/tasks/main.yml
new file mode 100644
index 00000000..e048c266
--- /dev/null
+++ b/src/roles/certificate_bundle/tasks/main.yml
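Review bot: The parameter help is hard to parse ("…for that will be the common name") and says nothing about where the bundle lands or that it contains private keys, which is what an operator most needs to know before running this against a production host. Suggest `help: Hostname the bundle is generated for; it becomes the certificate common name, and the resulting /root/<hostname>.tar.gz on the target host contains the server and client private keys.` The output path is taken from the certificate_bundle role added in this same change, so keep the two in sync if that path moves.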
@@ -0,0 +1,68 @@
+---
+- name: Create temporary directory
+  ansible.builtin.tempfile:
+    state: directory
+    suffix: certificate-build
+  register: build_directory
+
+- name: Create directory structure
+  ansible.builtin.file:
+    state: directory
+    path: "{{ build_directory.path }}/ssl-build/{{ certificate_bundle_hostname }}"
+    mode: '0755'
+
+- name: Copy CA certificate
+  ansible.builtin.copy:
+    src: "{{ certificate_bundle_ca_certificate }}"
+    dest: "{{ build_directory.path }}/ssl-build/{{ item }}"
+    remote_src: true
+    mode: '0444'
+  loop:
+    - katello-server-ca.crt
+    - katello-default-ca.crt
+
+- name: Copy server certificate
+  ansible.builtin.copy:
+    src: "{{ certificate_bundle_server_certificate }}"
+    dest: "{{ build_directory.path }}/ssl-build/{{ certificate_bundle_hostname }}/{{ certificate_bundle_hostname }}-{{ item }}"
+    remote_src: true
+    mode: '0444'
+  loop:
+    - apache.crt
+    - foreman-proxy.crt
+
+- name: Copy server key
+  ansible.builtin.copy:
+    src: "{{ certificate_bundle_server_key }}"
+    dest: "{{ build_directory.path }}/ssl-build/{{ certificate_bundle_hostname }}/{{ certificate_bundle_hostname }}-{{ item }}"
+    remote_src: true
+    mode: '0440'
+  loop:
+    - apache.key
+    - foreman-proxy.key
+
+- name: Copy client certificate
+  ansible.builtin.copy:
+    src: "{{ certificate_bundle_client_certificate }}"
+    dest: "{{ build_directory.path }}/ssl-build/{{ certificate_bundle_hostname }}/{{ certificate_bundle_hostname }}-{{ item }}"
+    remote_src: true
+    mode: '0444'
+  loop:
+    - foreman-proxy-client.crt
+    - puppet-client.crt
+
+- name: Copy client key
+  ansible.builtin.copy:
+    src: "{{ certificate_bundle_client_key }}"
+    dest: "{{ build_directory.path }}/ssl-build/{{ certificate_bundle_hostname }}/{{ certificate_bundle_hostname }}-{{ item }}"
+    remote_src: true
+    mode: '0440'
+  loop:
+    - foreman-proxy-client.key
+    - puppet-client.key
+
+- name: Create tarball
+  community.general.archive:
+    path: "{{ build_directory.path }}/ssl-build"
+    dest: "/root/{{ certificate_bundle_hostname }}.tar.gz"
+    mode: '0640'
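Review bot: The temporary build directory is never removed, so after the tarball is written a second copy of the server and client private keys (mode 0440, root-owned) stays behind under the tempfile path indefinitely; the only artifact the role deliberately produces is the 0640 archive in /root, yet the scratch copy outlives it. `ansible.builtin.tempfile` creates the directory via mkdtemp, which should make it 0700 and limits exposure, but duplicated key material in a scratch location is still an unnecessary footprint and nothing in the role references `build_directory` after the archive step. Add a final task that removes it, and consider wrapping the copy/archive steps in a `block` with an `always` section so the cleanup also runs when a copy or the archive step fails midway.
```yaml
# … unchanged: Create tarball task …

- name: Remove temporary build directory holding key copies
  ansible.builtin.file:
    path: "{{ build_directory.path }}"
    state: absent
```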