diff --git a/defaults/main.yml b/defaults/main.yml
index 08ab962..2b4fe3a 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -45,7 +45,10 @@ es_jvm_custom_parameters: ''
 # SSL/TLS parameters
 es_enable_http_ssl: false
 es_enable_transport_ssl: false
+es_ssl_keystore: ""
+es_ssl_truststore: ""
 es_ssl_key: ""
 es_ssl_certificate: ""
 es_ssl_certificate_authority: ""
 es_ssl_certificate_path: "/etc/elasticsearch/certs"
+es_ssl_verification_mode: "certificate"
diff --git a/tasks/elasticsearch-parameters.yml b/tasks/elasticsearch-parameters.yml
index 36c3fe1..b25e4f3 100644
--- a/tasks/elasticsearch-parameters.yml
+++ b/tasks/elasticsearch-parameters.yml
@@ -17,6 +17,13 @@
 - es_api_basic_auth_username is not defined
 - es_api_basic_auth_password is not defined
 
+- name: fail when ssl enabled without defining a key and certificate
+ fail: msg="Enabling SSL/TLS (es_enable_http_ssl or es_enable_transport_ssl) requires es_ssl_keystore and es_ssl_truststore or es_ssl_key and es_ssl_certificate to be provided"
+ when:
+ - es_enable_http_ssl or es_enable_transport_ssl
+ - (es_ssl_key == "" or es_ssl_certificate == "")
+ - (es_ssl_keystore == "" or es_ssl_truststore == "")
+
 - name: set fact file_reserved_users
 set_fact: file_reserved_users={{ es_users.file.keys() | list | intersect (reserved_xpack_users) }}
 when: es_users is defined and es_users.file is defined and (es_users.file.keys() | list | length > 0) and (es_users.file.keys() | list | intersect (reserved_xpack_users) | length > 0)
diff --git a/tasks/elasticsearch-ssl.yml b/tasks/elasticsearch-ssl.yml
index 7447c3c..0ded5dc 100644
--- a/tasks/elasticsearch-ssl.yml
+++ b/tasks/elasticsearch-ssl.yml
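Review bot: The four new defaults are added without a comment explaining how they relate, so a reader of defaults/main.yml cannot tell that es_ssl_keystore/es_ssl_truststore and es_ssl_key/es_ssl_certificate are two alternative ways of supplying the node's identity, or that es_ssl_verification_mode is only applied to the transport layer by the template in this commit. Suggest a short comment above the block, e.g. `# Provide either es_ssl_keystore + es_ssl_truststore, or es_ssl_key + es_ssl_certificate (+ es_ssl_certificate_authority)`, and above the last line `# Transport-layer peer verification: full, certificate or none ("none" disables verification)`. Keeping the variable values quoted as they are here is right, since "certificate" and the file names must stay strings.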
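Review bot: The first `when` condition of the new fail task tests `es_enable_http_ssl or es_enable_transport_ssl` without `| bool`, unlike the `es_enable_http_ssl|bool or es_enable_transport_ssl|bool` check this commit removes from tasks/elasticsearch-ssl.yml and the `| bool` filters in templates/elasticsearch.yml.j2. If either flag arrives as a string (for example from `-e es_enable_http_ssl=false`), it is a non-empty string and therefore truthy in Jinja, so the role aborts with the SSL error even though SSL is meant to be off. Suggest `- es_enable_http_ssl | bool or es_enable_transport_ssl | bool`. The same applies to the `when: es_enable_http_ssl or es_enable_transport_ssl` added to the include in tasks/main.yml, which would pull in elasticsearch-ssl.yml under the same conditions; `when: es_enable_http_ssl | bool or es_enable_transport_ssl | bool` there keeps both gates consistent with the template.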
@@ -4,20 +4,28 @@
 dest: "{{ es_ssl_certificate_path }}"
 state: directory
 
-- name: Upload HTTP SSL/TLS certificates
+- name: Upload SSL/TLS keystore and truststore
 copy:
 src: "{{ item }}"
 dest: "{{ es_ssl_certificate_path }}/{{ item | basename }}"
 with_items:
 - "{{ es_ssl_key }}"
 - "{{ es_ssl_certificate }}"
- when: es_enable_http_ssl|bool or es_enable_transport_ssl|bool
+ when: es_ssl_keystore and es_ssl_truststore
+ register: copy_keystores
 
-- local_action: stat path="{{ role_path }}/files/{{ es_ssl_certificate_authority }}"
- register: es_cafile
+- name: Upload SSL/TLS key and certificate
+ copy:
+ src: "{{ item }}"
+ dest: "{{ es_ssl_certificate_path }}/{{ item | basename }}"
+ with_items:
+ - "{{ es_ssl_key }}"
+ - "{{ es_ssl_certificate }}"
+ when: es_ssl_key and es_ssl_certificate
+ register: copy_certificates
 
 - name: Upload SSL Certificate Authority
 copy:
 src: "{{ es_ssl_certificate_authority }}"
 dest: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate_authority | basename }}"
- when: es_cafile.stat.exists|bool and es_cafile.stat.isreg|bool
+ when: es_ssl_certificate_authority
diff --git a/tasks/main.yml b/tasks/main.yml
index f9d8975..e50ef34 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -53,8 +53,9 @@
 tags:
 - xpack
 
-- name: include ssl.yml
+- name: include elasticsearch-ssl.yml
 include: elasticsearch-ssl.yml
+ when: es_enable_http_ssl or es_enable_transport_ssl
 
 - name: flush handlers
 meta: flush_handlers
diff --git a/templates/elasticsearch.yml.j2 b/templates/elasticsearch.yml.j2
index f217129..12e89fb 100644
--- a/templates/elasticsearch.yml.j2
+++ b/templates/elasticsearch.yml.j2
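Review bot: The task renamed to "Upload SSL/TLS keystore and truststore" keeps the unchanged `with_items` of `"{{ es_ssl_key }}"` and `"{{ es_ssl_certificate }}"` (context lines in this hunk), so when the keystore pair is configured it never copies the keystore or truststore, while the `keystore.path`/`truststore.path` lines the template renders point at files that were never uploaded; if only the keystore pair is set, es_ssl_key is empty and the copy has an empty `src`, which presumably fails the play. The list should be `- "{{ es_ssl_keystore }}"` and `- "{{ es_ssl_truststore }}"`, leaving the second task as the only place key and certificate are copied. Separately, none of the three copy tasks set `owner`, `group` or `mode`, so the private key and keystore land in es_ssl_certificate_path with whatever the copy default gives them; an explicit restrictive `mode` on those two uploads (the CA certificate can stay world-readable) would be worth adding here. The registered `copy_keystores` and `copy_certificates` are not consumed within this hunk, so if nothing outside it reads them they can be dropped.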
@@ -58,19 +58,33 @@ xpack.notification.email:
 
 {% if es_enable_http_ssl | bool %}
 xpack.security.http.ssl.enabled: true
+{% if es_ssl_keystore and es_ssl_truststore %}
+xpack.security.http.ssl.keystore.path: : "{{ es_ssl_certificate_path }}/{{ es_ssl_keystore | basename }}"
+xpack.security.http.ssl.truststore.path: "{{ es_ssl_certificate_path }}/{{ es_ssl_truststore | basename }}"
+{% elif es_ssl_key and es_ssl_certificate%}
 xpack.security.http.ssl.key: "{{ es_ssl_certificate_path }}/{{ es_ssl_key | basename }}"
 xpack.security.http.ssl.certificate: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate | basename }}"
-#xpack.security.http.ssl.client_authentication: optional
 {% if es_ssl_certificate_authority %}
 xpack.security.http.ssl.certificate_authorities: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate_authority | basename }}"
 {% endif %}
+{% endif %}
 {% else %}
 # xpack.security.http.ssl.enabled: false
 {% endif %}
 
 {% if es_enable_transport_ssl | bool %}
 xpack.security.transport.ssl.enabled: true
-#xpack.security.transport.ssl.verification_mode: certificate
+xpack.security.transport.ssl.verification_mode: {{ es_ssl_verification_mode }}
+{% if es_ssl_keystore and es_ssl_truststore %}
+xpack.security.transport.ssl.keystore.path: : "{{ es_ssl_certificate_path }}/{{ es_ssl_keystore | basename }}"
+xpack.security.transport.ssl.truststore.path: "{{ es_ssl_certificate_path }}/{{ es_ssl_truststore | basename }}"
+{% elif es_ssl_key and es_ssl_certificate%}
+xpack.security.transport.ssl.key: "{{ es_ssl_certificate_path }}/{{ es_ssl_key | basename }}"
+xpack.security.transport.ssl.certificate: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate | basename }}"
+{% if es_ssl_certificate_authority %}
+xpack.security.transport.ssl.certificate_authorities: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate_authority | basename }}"
+{% endif %}
+{% endif %}
 {% else %}
 # xpack.security.transport.ssl.enabled: false
 {% endif %}
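Review bot: Both new `keystore.path` lines carry a doubled colon (`xpack.security.http.ssl.keystore.path: : "..."` and the transport equivalent), so in the keystore branch the rendered elasticsearch.yml has a value beginning with `: ` and Elasticsearch will not load it. They should read `xpack.security.http.ssl.keystore.path: "{{ es_ssl_certificate_path }}/{{ es_ssl_keystore | basename }}"` and `xpack.security.transport.ssl.keystore.path: "{{ es_ssl_certificate_path }}/{{ es_ssl_keystore | basename }}"`. `xpack.security.transport.ssl.verification_mode: {{ es_ssl_verification_mode }}` is the only interpolated value in this hunk left unquoted; quoting it as `"{{ es_ssl_verification_mode }}"` matches the surrounding lines and avoids a bare/null value if the variable is overridden with an empty string. The two `{% elif es_ssl_key and es_ssl_certificate%}` tags lack the space before `%}` that every other tag here has; Jinja accepts it, but it reads as a typo.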