diff --git a/defaults/main.yml b/defaults/main.yml
index 0a8104b..71f3f29 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -18,8 +18,21 @@ ipa_getcert_requested_hostnames:
 # key_location: /opt/ejabberd/conf/pki
 # cert_location: /opt/ejabberd/conf/pki
+# If you are using NSS.
+# ipa_getcert_nss: true
+# ipa_getcert_requested_hostnames:
+# - name: name
+# postcmd: "/bin/systemctl restart sigul_server"
+# owner: sigul
+# nss_db_dir: /etc/pki/tls/nss
+# nss_nickname: name
+
 # This feature coming soon
 #ipa_getcert_fqdn_symlink: true
 ipa_getcert_chain: false
 ipa_getcert_chain_location: /etc/pki/tls/chains
+
+# Note that when you set this to true, key_location and cert_location are
+# effectively ignored.
+ipa_getcert_nss: false
diff --git a/templates/get_cert.sh.j2 b/templates/get_cert.sh.j2
index c146d04..7f532fc 100644
--- a/templates/get_cert.sh.j2
+++ b/templates/get_cert.sh.j2
@@ -3,12 +3,24 @@
 # There may be more than one request done based on the vars of the playbook.
 {% for ipahosts in ipa_getcert_requested_hostnames %}
+
+{% if ipa_getcert_nss %}
+if [ ! -d "{{ ipahosts.nss_db_dir }}" && ! -L "{{ ipahosts.nss_db_dir }}" ]; then
+ mkdir -p {{ ipa_getcert_nss }}
+fi
+{% endif %}
+
 /usr/bin/ipa-getcert request -r -w \
 -I "{{ ipahosts.name }}" \
 -N "CN={{ ipahosts.name }}" \
 -D "{{ ipahosts.name }}" \
+ {% if ipa_getcert_nss %}
+ -d {{ ipahosts.nss_db_dir }} \
+ -n {{ ipahosts.nss_nickname }} \
+ {% else %}
 -k "{{ ipahosts.key_location | default(ipa_getcert_key_default_location) }}" \
 -f "{{ ipahosts.cert_location | default(ipa_getcert_cert_default_location) }}" \
+ {% endif %}
 {% if ipahosts.postcmd %}
 -C "{{ ipahosts.postcmd }}" \
 {% endif %}
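Review bot: The comment above the new `ipa_getcert_nss: false` default says key_location and cert_location are ignored when it is true, but it does not say that every entry of `ipa_getcert_requested_hostnames` must then define `nss_db_dir` and `nss_nickname`; the template hunk in templates/get_cert.sh.j2 renders `{{ ipahosts.nss_db_dir }}` and `{{ ipahosts.nss_nickname }}` with no `default()` filter, so a missing key fails the render for that host. Suggest adding `# When true, every entry in ipa_getcert_requested_hostnames must set nss_db_dir and nss_nickname.` under the existing note. The commented example also lists `ipa_getcert_nss: true` alongside the per-host keys although it is a role-wide toggle, and the per-host keys read as siblings of `- name: name`; indenting them under the list item in the example (the collapsed diff may simply have dropped that indentation) would make the two levels unambiguous.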
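Review bot: The directory-creation block added after the `{% for %}` line is broken in two ways: `[ ! -d "…" && ! -L "…" ]` is not a valid single-bracket test (`[` does not accept `&&`, so the shell reports an error and the branch is skipped), and `mkdir -p {{ ipa_getcert_nss }}` expands the boolean toggle instead of `ipahosts.nss_db_dir`, creating a directory literally named after the rendered boolean (e.g. `True`) in the working directory while the NSS database directory is never created. The new `-d`/`-n` arguments are also unquoted, unlike the `-k`/`-f` branch they replace, so a path or nickname containing whitespace splits into several arguments. Because this directory will hold the NSS database with the private key, note that `mkdir -p` leaves its mode to the umask and the per-host `owner` shown in the defaults example is not applied in this hunk; if ownership and mode are set elsewhere in the template (outside this hunk), that code should cover `nss_db_dir` as well. The `{% for %}` loop opened here closes outside the hunk.
```shell
{% if ipa_getcert_nss %}
if [ ! -d "{{ ipahosts.nss_db_dir }}" ] && [ ! -L "{{ ipahosts.nss_db_dir }}" ]; then
  mkdir -p "{{ ipahosts.nss_db_dir }}"
fi
{% endif %}

# … unchanged: /usr/bin/ipa-getcert request -r -w with the -I/-N/-D options …
  {% if ipa_getcert_nss %}
  -d "{{ ipahosts.nss_db_dir }}" \
  -n "{{ ipahosts.nss_nickname }}" \
  {% else %}
# … unchanged: -k/-f branch, {% endif %}, -C postcmd …
```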