diff --git a/defaults/main.yml b/defaults/main.yml
index 71f3f29..59aa13b 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -2,6 +2,7 @@
 # ansible default variables - most variables live here
 ipa_getcert_key_default_location: "/etc/pki/tls/private/{{ ansible_fqdn }}.key"
 ipa_getcert_cert_default_location: "/etc/pki/tls/certs/{{ ansible_fqdn }}.crt"
+ipa_getcert_nss_default_location: "/etc/pki/tls/nss"
 ipa_getcert_owner_default: root
 # List of hostnames that should be requested
diff --git a/templates/get_cert.sh.j2 b/templates/get_cert.sh.j2
index 7f532fc..8e08251 100644
--- a/templates/get_cert.sh.j2
+++ b/templates/get_cert.sh.j2
@@ -5,8 +5,9 @@
 {% for ipahosts in ipa_getcert_requested_hostnames %}
 {% if ipa_getcert_nss %}
-if [ ! -d "{{ ipahosts.nss_db_dir }}" && ! -L "{{ ipahosts.nss_db_dir }}" ]; then
- mkdir -p {{ ipa_getcert_nss }}
+nss_db_path="{{ ipahosts.nss_db_dir | default(ipa_getcert_nss_default_location) }}"
+if [ ! -d "${nss_db_path}" && ! -L "${nss_db_path}" ]; then
+ mkdir -p "${nss_db_path}"
 fi
 {% endif %}
@@ -15,8 +16,8 @@ fi
 -N "CN={{ ipahosts.name }}" \
 -D "{{ ipahosts.name }}" \
 {% if ipa_getcert_nss %}
- -d {{ ipahosts.nss_db_dir }} \
- -n {{ ipahosts.nss_nickname }} \
+ -d "${nss_db_path}" \
+ -n {{ ipahosts.nss_nickname | default(ansible_fqdn) }} \
 {% else %}
 -k "{{ ipahosts.key_location | default(ipa_getcert_key_default_location) }}" \
 -f "{{ ipahosts.cert_location | default(ipa_getcert_cert_default_location) }}" \
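Review bot: The new `ipa_getcert_nss_default_location` has no comment, and it differs from the two defaults above it: it names a directory rather than a file, and it does not include `{{ ansible_fqdn }}`. A comment above it would make that explicit, for example `# Directory of the NSS database, used when ipa_getcert_nss is set and an entry has no nss_db_dir`. Because the directory will hold private key material, the comment should also state the ownership and mode the role expects for it.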
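Review bot: The rewritten test `[ ! -d "${nss_db_path}" && ! -L "${nss_db_path}" ]` keeps the `&&` inside a single `[ ]` from the old line. The shell splits it into two commands, the first `[` fails for lack of a closing `]`, the condition is never true, and `mkdir` never runs. Use two tests: `if [ ! -d "${nss_db_path}" ] && [ ! -L "${nss_db_path}" ]; then`. Once the branch does run, the directory is created with whatever umask the script inherits; since it will hold the NSS key database, consider an explicit mode on `mkdir` that suits the services reading it. The `{% for %}` block opened in this hunk closes outside it.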
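Review bot: The `-n` argument is still rendered unquoted, unlike the `-d`, `-k` and `-f` arguments around it. A nickname containing whitespace or shell metacharacters is therefore word-split or interpreted by the shell when the generated script runs; quote it as `-n "{{ ipahosts.nss_nickname | default(ansible_fqdn) }}" \`. Separately, every entry in `ipa_getcert_requested_hostnames` that omits both `nss_db_dir` and `nss_nickname` now resolves to the same database and the same nickname. That looks unintended when more than one hostname is requested, and defaulting the nickname to `ipahosts.name` would keep the entries distinct. The ipa-getcert command this hunk edits begins and ends outside the hunk.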