diff --git a/roles/debian_server/tasks/main.yml b/roles/debian_server/tasks/main.yml
index f9d46568b2f80f2fe780b99915c3038049117aaa..ef8bce55e9d34322abea284ebd6dd855c1076303 100644
--- a/roles/debian_server/tasks/main.yml
+++ b/roles/debian_server/tasks/main.yml
@@ -37,6 +37,7 @@
       - fwupd
       - intel-microcode
       - libpam-mount-bin
+      - python3-cryptography
       - rsync
       - tmux
       - ufw
@@ -115,6 +116,37 @@
     path: /var/ssl
     state: directory
 
+# I know that I can use Ansible modules instead of calling OpenSSL directly, but
+# with the command module I can easily skip the task if the private key or the
+# certificate already exist. The point is to create an SSL and self-signed
+# certificate only as a bootstrap step. Once there is an existing (and assumed
+# valid) certificate, don't overwrite it.
+
+- name: Create private SSL key
+  command:
+    cmd: openssl genrsa -out /var/ssl/site.key 4096
+    creates: /var/ssl/site.key
+
+- name: Create SSL certificate
+  command:
+    cmd: >-
+      openssl
+      req
+      -x509
+      -out /var/ssl/site.crt
+      -nodes
+      -key /var/ssl/site.key
+      -batch
+    creates: /var/ssl/site.crt
+
+- name: Create Diffie-Hellman Parameters file
+  community.crypto.openssl_dhparam:
+    force: false
+    mode: 0o0644
+    path: /var/ssl/dhparams
+    size: 4096
+    state: present
+
 - name: Copy btrfs copy script
   copy:
     dest: /usr/local/sbin/btrfs-backup
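Review bot: The `Create private SSL key` task leaves the owner and mode of `/var/ssl/site.key` to whatever `openssl genrsa` and the process umask produce, and nothing later in the hunk pins them. A follow-up `file` task with `path: /var/ssl/site.key`, `owner: root` and `mode: "0600"` (adjusting owner and group to whichever service reads the key) would make the permission explicit. It would also correct a key that already exists, which the `creates:` guard otherwise skips. Separately, `openssl req -x509` is run without `-days`, so the bootstrap certificate gets OpenSSL's default validity (30 days, as far as I know) and is never regenerated once `site.crt` exists. Consider an explicit `-days` value and a comment saying that replacing the certificate is a manual step.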