diff --git a/roles/role_deploy_dovecot/tasks/main.yml b/roles/role_deploy_dovecot/tasks/main.yml
index 1d7cf2a..e23ab2e 100644
--- a/roles/role_deploy_dovecot/tasks/main.yml
+++ b/roles/role_deploy_dovecot/tasks/main.yml
@@ -52,11 +52,64 @@
 changed_when: duplicity_result.rc is defined and duplicity_result.rc == 0
 when: not dovecot_installed_flag.stat.exists
-- name: Create /usr/local/docker-mounted-files/docker-mail-stack directory
+- name: Create /usr/local/docker-mounted-files/docker-mail-stack/certs directory
 ansible.builtin.file:
- path: "/usr/local/docker-mounted-files/docker-mail-stack"
+ path: "/usr/local/docker-mounted-files/docker-mail-stack/certs"
 state: directory
 mode: '0755'
+ recurse: yes
+ become: true
+ when: not dovecot_installed_flag.stat.exists
+
+- name: Remove temp directory
+ ansible.builtin.file:
+ path: "{{ remote_workdir }}/dovecot_secrets"
+ state: absent
+ changed_when: false
+ become: true
+ when: not dovecot_installed_flag.stat.exists
+
+- name: Create temp directory
+ ansible.builtin.file:
+ path: "{{ remote_workdir }}/dovecot_secrets"
+ state: directory
+ recurse: yes
+ changed_when: false
+ become: true
+ when: not dovecot_installed_flag.stat.exists
+
+- name: Extract dovecot certs from secrets.tar.gz.enc
+ shell: "openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -d -in {{ remote_workdir }}/secrets.tar.gz.enc | tar -zxv -C {{ item.dir }} --strip 3 {{ item.name }}"
+ changed_when: false
+ with_items:
+ - name: secrets/docker-mail-stack/certs/dovecot.crt
+ dir: "{{ remote_workdir }}/dovecot_secrets"
+ - name: secrets/docker-mail-stack/certs/dovecot.key
+ dir: "{{ remote_workdir }}/dovecot_secrets"
+ environment:
+ SECRETS_ARCHIVE_PASSPHRASE: "{{ lookup('env', 'SECRETS_ARCHIVE_PASSPHRASE') }}"
+ become: true
+ when: not dovecot_installed_flag.stat.exists
+
+- name: Copy dovecot SSL cert
+ ansible.builtin.copy:
+ src: "{{ remote_workdir }}/dovecot_secrets/dovecot.crt"
+ dest: "/usr/local/docker-mounted-files/docker-mail-stack/certs/"
+ remote_src: yes
+ owner: root
+ group: root
+ mode: "u=rw,g=r,o=r"
+ become: true
+ when: not dovecot_installed_flag.stat.exists
+
+- name: Copy dovecot SSL key
+ ansible.builtin.copy:
+ src: "{{ remote_workdir }}/dovecot_secrets/dovecot.key"
+ dest: "/usr/local/docker-mounted-files/docker-mail-stack/certs/"
+ remote_src: yes
+ owner: root
+ group: root
+ mode: "u=rw,g=,o="
 become: true
 when: not dovecot_installed_flag.stat.exists
@@ -136,6 +189,8 @@
 - /usr/local/docker-mounted-files/docker-mail-stack/users:/etc/dovecot/users:Z
 - /usr/local/docker-mounted-files/docker-mail-stack/15-lda.conf:/etc/dovecot/conf.d/15-lda.conf:Z
 - /usr/local/docker-mounted-files/docker-mail-stack/10-mail.conf:/etc/dovecot/conf.d/10-mail.conf:Z
+ - /usr/local/docker-mounted-files/docker-mail-stack/certs/dovecot.crt:/etc/dovecot/dovecot.pem:Z
+ - /usr/local/docker-mounted-files/docker-mail-stack/certs/dovecot.key:/etc/dovecot/private/dovecot.pem:Z
 become: true
 when: not dovecot_installed_flag.stat.exists
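Review bot: The plaintext private key extracted by the `Extract dovecot certs from secrets.tar.gz.enc` task is left behind in `{{ remote_workdir }}/dovecot_secrets` after the two copy tasks: the `Create temp directory` task sets no `mode` (so the directory gets the umask default, and the key keeps whatever mode tar restored), and the only `Remove temp directory` task runs before extraction and is skipped on every later run once the flag file exists, so the key persists there indefinitely. The extraction pipeline can also fail silently, because the `shell` step's exit status is tar's rather than openssl's, and an unset `SECRETS_ARCHIVE_PASSPHRASE` makes `lookup('env', …)` expand to an empty string that openssl will happily use; the task should run under `set -o pipefail`, fail if the variable is empty, and carry `no_log: true` so the passphrase in `environment` is not echoed under verbose output. On the certs directory, `recurse: yes` is not needed to create parent directories and would chmod an already-present `dovecot.key` to 0755 on a re-run, so drop it (and prefer `true`/`false` over `yes` for the Ansible booleans in this hunk). `openssl enc -md md5` without `-pbkdf2` is the legacy single-iteration key derivation and CBC mode gives no integrity protection, which deserves a comment next to the command since hardening it requires re-encrypting the archive rather than just changing these flags. The task list continues outside the hunk on both sides, and the task whose `changed_when`/`when` lines open the hunk starts before it.

```yaml
- name: Create temp directory
  ansible.builtin.file:
    path: "{{ remote_workdir }}/dovecot_secrets"
    state: directory
    mode: '0700'
  changed_when: false
  become: true
  when: not dovecot_installed_flag.stat.exists

- name: Extract dovecot certs from secrets.tar.gz.enc
  # NOTE(review): -md md5 without -pbkdf2 is the legacy EVP_BytesToKey KDF and
  # CBC is unauthenticated; the archive must be re-encrypted before hardening.
  shell: >-
    set -o pipefail &&
    [ -n "$SECRETS_ARCHIVE_PASSPHRASE" ] &&
    openssl enc -aes-256-cbc -md md5 -pass env:SECRETS_ARCHIVE_PASSPHRASE -d -in {{ remote_workdir }}/secrets.tar.gz.enc
    | tar -zxv -C {{ item.dir }} --strip 3 {{ item.name }}
  args:
    executable: /bin/bash
  changed_when: false
  no_log: true
  # … unchanged: with_items, environment, become, when …

# … unchanged: Copy dovecot SSL cert / Copy dovecot SSL key …

- name: Remove extracted secrets from temp directory
  ansible.builtin.file:
    path: "{{ remote_workdir }}/dovecot_secrets"
    state: absent
  changed_when: false
  become: true
  when: not dovecot_installed_flag.stat.exists
```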