diff --git a/README.md b/README.md
index 2684a654..39d74360 100644
--- a/README.md
+++ b/README.md
@@ -713,6 +713,23 @@ Contents of your SSL certificate, as a string.
 
 Contents of your SSL CA certificate, as a string.
 
+#### `ssl_use_puppet_certs`
+
+A boolean switch to enable or disable copying the puppet SSL certs into your
+`ssl_dir`. Default is `false`.
+
+#### `ssl_key_source`
+
+Source of your SSL key, as a uri.
+
+#### `ssl_cert_source`
+
+Source of your SSL certificate, as a uri.
+
+#### `ssl_ca_cert_source`
+
+Source of your SSL CA certificate, as a uri.
+
 #### `manage_firewall`
 
 If `true`, puppet will manage your iptables rules for PuppetDB via the
diff --git a/manifests/params.pp b/manifests/params.pp
index d53b50de..030b7353 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -202,6 +202,10 @@
   $ssl_key = undef
   $ssl_cert = undef
   $ssl_ca_cert = undef
+  $ssl_use_puppet_certs = false
+  $ssl_key_source = undef
+  $ssl_cert_source = undef
+  $ssl_ca_cert_source = undef
 
   # certificate used by PuppetDB SSL Configuration
   $ssl_key_pk8_path = regsubst($ssl_key_path, '.pem', '.pk8')
diff --git a/manifests/server.pp b/manifests/server.pp
index 8fd4bd95..ba8ddc29 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -18,6 +18,10 @@
   $ssl_key = $puppetdb::params::ssl_key,
   $ssl_cert = $puppetdb::params::ssl_cert,
   $ssl_ca_cert = $puppetdb::params::ssl_ca_cert,
+  Boolean $ssl_use_puppet_certs = $puppetdb::params::ssl_use_puppet_certs,
+  $ssl_key_source = $puppetdb::params::ssl_key_source,
+  $ssl_cert_source = $puppetdb::params::ssl_cert_source,
+  $ssl_ca_cert_source = $puppetdb::params::ssl_ca_cert_source,
   $ssl_protocols = $puppetdb::params::ssl_protocols,
   $postgresql_ssl_on = $puppetdb::params::postgresql_ssl_on,
   $cipher_suites = $puppetdb::params::cipher_suites,
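Review bot: The new `ssl_use_puppet_certs` parameter in the server.pp hunk is typed `Boolean`, while the three `*_source` parameters added directly under it are left untyped, so a wrong value such as a bare `ssl_key_source => true` is only rejected later, when the file resource validates its source, rather than at catalog compilation with a clear parameter error. Typing them to match the new boolean, `Optional[String] $ssl_key_source = $puppetdb::params::ssl_key_source,` (and likewise for `ssl_cert_source` and `ssl_ca_cert_source`), keeps the parameter block consistent and fails early. The class parameter list starts and continues outside this hunk.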
@@ -231,19 +235,32 @@
     database_max_pool_size => $read_database_max_pool_size,
   }
 
-  if $ssl_deploy_certs {
+  if $ssl_deploy_certs or $ssl_use_puppet_certs {
+
+    if $ssl_use_puppet_certs {
+      $_ssl_key_source = "file:///${::settings::ssldir}/private_keys/${::clientcert}.pem"
+      $_ssl_cert_source = "file:///${::settings::ssldir}/certs/${::clientcert}.pem"
+      $_ssl_ca_cert_source = "file:///${::settings::ssldir}/certs/ca.pem"
+    } else {
+      $_ssl_key_source = $ssl_key_source
+      $_ssl_cert_source = $ssl_cert_source
+      $_ssl_ca_cert_source = $ssl_ca_cert_source
+    }
+
     file { $ssl_dir:
-      ensure => directory,
-      owner => $puppetdb_user,
-      group => $puppetdb_group,
-      mode => '0700';
+      ensure => directory,
+      owner => $puppetdb_user,
+      group => $puppetdb_group,
+      mode => '0700',
+      require => Package[$puppetdb_package];
       $ssl_key_path:
         ensure => file,
         content => $ssl_key,
         owner => $puppetdb_user,
         group => $puppetdb_group,
         mode => '0600',
+        source => $_ssl_key_source,
         notify => Service[$puppetdb_service];
       $ssl_cert_path:
         ensure => file,
@@ -251,6 +268,7 @@
         owner => $puppetdb_user,
         group => $puppetdb_group,
         mode => '0600',
+        source => $_ssl_cert_source,
         notify => Service[$puppetdb_service];
       $ssl_ca_cert_path:
         ensure => file,
@@ -258,6 +276,7 @@
         owner => $puppetdb_user,
         group => $puppetdb_group,
         mode => '0600',
+        source => $_ssl_ca_cert_source,
         notify => Service[$puppetdb_service];
     }
   }
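Review bot: The `$ssl_key_path` resource now carries both `content => $ssl_key` and `source => $_ssl_key_source`, and Puppet's file type refuses a resource that sets more than one of content/source, so a node with `ssl_deploy_certs` and `ssl_use_puppet_certs` both true (or an `ssl_key` given alongside an `ssl_key_source`) fails when the agent applies the catalog instead of picking one; the cert and CA resources in the two hunks below have the same problem. I would guard it at the top of the new branch, `if $ssl_deploy_certs and $ssl_use_puppet_certs { fail('ssl_deploy_certs and ssl_use_puppet_certs are mutually exclusive') }`, or only pass `content` when the matching `*_source` is undef. Because this resource now installs the agent's private key, it should also set `show_diff => false` so the key bytes never land in agent logs or reports if someone runs with show_diff enabled. Note too that `$::settings::ssldir` is resolved on the compiling server while a `file://` source is read from the agent's own filesystem, so the path is only correct when both use the same ssldir; a comment such as `# assumes the agent's ssldir matches the compiling server's` would save the next reader a debugging session. The enclosing class body starts and ends outside this hunk.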