diff --git a/ansible/playbooks/role-rocky-gitlab-ee.yml b/ansible/playbooks/role-rocky-gitlab-ee.yml
index 3d57fee..b9e9a84 100644
--- a/ansible/playbooks/role-rocky-gitlab-ee.yml
+++ b/ansible/playbooks/role-rocky-gitlab-ee.yml
@@ -30,9 +30,17 @@
 state: present
 roles:
+ - role: rockylinux.ipagetcert
+ state: present
+ when:
+ - "not gitlab_create_self_signed_cert|bool"
+ - "gitlab_ipa_cert|bool"
+
 - role: geerlingguy.certbot
 state: present
- when: not gitlab_create_self_signed_cert
+ when:
+ - "not gitlab_create_self_signed_cert|bool"
+ - "gitlab_certbot|bool"
 - role: geerlingguy.gitlab
 state: present
diff --git a/ansible/playbooks/tasks/gitlab-reconfigure.yml b/ansible/playbooks/tasks/gitlab-reconfigure.yml
index 336aa39..e5d9446 100644
--- a/ansible/playbooks/tasks/gitlab-reconfigure.yml
+++ b/ansible/playbooks/tasks/gitlab-reconfigure.yml
@@ -7,7 +7,7 @@
 group: root
 mode: '0644'
 remote_src: true
- when: not gitlab_create_self_signed_cert
+ when: "not gitlab_create_self_signed_cert|bool"
 - name: Copy keys from ipa-getcert directory
 copy:
@@ -17,7 +17,7 @@
 group: root
 mode: '0600'
 remote_src: true
- when: not gitlab_create_self_signed_cert
+ when: "not gitlab_create_self_signed_cert|bool"
 - name: Symlink the IPA CA
 file:
@@ -43,7 +43,7 @@
 register: gitlab_ctl_result
 changed_when: "gitlab_ctl_result.rc == 0"
 when:
- - gitlab_reconfigure_only
+ - "gitlab_reconfigure_only is defined and (gitlab_reconfigure_only|bool)"
 - name: Add firewall rules - http/s
 ansible.posix.firewalld:
diff --git a/ansible/playbooks/vars/gitlab.yml b/ansible/playbooks/vars/gitlab.yml
index 0991438..09ff50d 100644
--- a/ansible/playbooks/vars/gitlab.yml
+++ b/ansible/playbooks/vars/gitlab.yml
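Review bot: The two new `when:` lists under `roles:` leave two flag combinations unhandled: with `gitlab_create_self_signed_cert` false, setting both `gitlab_ipa_cert` and `gitlab_certbot` to false skips every certificate role, and setting both to true runs both of them. Nothing in the visible lines rejects either case, so a misconfigured host would presumably only fail later, when the certificate files are copied or GitLab is reconfigured. An early assertion that exactly one source is enabled makes the failure immediate and readable. It belongs in the task list that ends just above `roles:`, which starts outside this hunk.

```yaml
# … placed with the tasks that run before `roles:` (outside this hunk) …
- name: Validate GitLab certificate source selection
  ansible.builtin.assert:
    that:
      - >-
        (gitlab_create_self_signed_cert | bool)
        or ((gitlab_ipa_cert | bool) != (gitlab_certbot | bool))
    fail_msg: >-
      When gitlab_create_self_signed_cert is false, enable exactly one of
      gitlab_ipa_cert or gitlab_certbot.
```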
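Review bot: This `when` (and the identical one in the `@@ -17,7` hunk) still fires on every non-self-signed run, including runs where `gitlab_certbot` is the selected source, because it never tests `gitlab_ipa_cert`. The following task is named "Copy keys from ipa-getcert directory", so these copies presumably read files that only the rockylinux.ipagetcert role produces; on a certbot host they would fail or install a stale certificate and key. Gate both tasks on the same pair the playbook uses: `when:` followed by `- "not gitlab_create_self_signed_cert|bool"` and `- "gitlab_ipa_cert|bool"`. Both task bodies begin outside their hunks, so the `src` paths should be confirmed before relying on this.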
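Review bot: The guard added in the `@@ -43,7` hunk can be written more compactly as `- "gitlab_reconfigure_only | default(false) | bool"`, which evaluates the same way when the variable is unset. The spaced `| bool` form is also what ansible-lint's Jinja spacing rule expects, so it would be worth applying to the other conditions touched in this commit. The task this condition belongs to starts above the hunk.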
@@ -18,6 +18,8 @@ gitlab_ssl_certificate: "/etc/gitlab/ssl/{{ gitlab_domain }}.crt"
 gitlab_ssl_certificate_key: "/etc/gitlab/ssl/{{ gitlab_domain }}.key"
 gitlab_ssl_cert: "/etc/pki/tls/certs/{{ gitlab_domain }}.crt"
 gitlab_ssl_key: "/etc/pki/tls/private/{{ gitlab_domain }}.key"
+gitlab_ipa_cert: "true"
+gitlab_certbot: "false"
 # LDAP Configuration
 gitlab_ldap_enabled: "true"
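Review bot: `gitlab_ipa_cert` and `gitlab_certbot` are stored as the strings "true" and "false", so any condition that forgets `|bool` may treat "false" as a non-empty, truthy value. As far as this diff shows, the two flags are read only in `when:` clauses, so real booleans are the safer form: `gitlab_ipa_cert: true` and `gitlab_certbot: false`. The default also changes behaviour: certbot previously ran whenever the self-signed option was off and is now disabled unless overridden. A comment above the two lines would make that visible, for example `# Certificate source when gitlab_create_self_signed_cert is false; enable exactly one`.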