diff --git a/roles/create_ldap_cert/tasks/main.yml b/roles/create_ldap_cert/tasks/main.yml
index fd56923..ff008b2 100644
--- a/roles/create_ldap_cert/tasks/main.yml
+++ b/roles/create_ldap_cert/tasks/main.yml
@@ -30,4 +30,22 @@
     ownca_privatekey_path: /etc/pki/konchin.com/rootca.key
     ownca_privatekey_passphrase: "{{ secret_ca_passphrase }}"
     ownca_not_after: +365d # valid for one year
-    ownca_not_before: "-1d" # valid since yesterday
+    ownca_not_before: -1d # valid since yesterday
+    return_content: true
+  register: cert
+
+- name: Create full chain
+  block:
+    - name: Slurp root ca
+      ansible.builtin.slurp:
+        src: /etc/pki/konchin.com/rootca.pem
+      register: rootca
+    - name: Create full chain cert
+      ansible.builtin.copy:
+        content: |
+          {{ cert.certificate | trim }}
+          {{ rootca['content'] | b64decode | trim }}
+        dest: /etc/pki/ldap.konchin.com/full-chain.pem
+        mode: '0600'
+        owner: root
+        group: root
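Review bot: The "Create full chain cert" copy task writes `full-chain.pem` with `mode: '0600'` and `owner: root`, yet the file holds only public material (the leaf certificate plus the decoded root CA), so if the LDAP daemon runs under an unprivileged service account — not visible in this hunk — it will be unable to read its own chain at startup; `mode: '0644'` or `owner`/`group` set to that service account would be the usual choice, and a `notify` to reload the LDAP service after the chain changes is absent here as well. The dropping of the quotes on `ownca_not_before: -1d` is a style regression rather than a bug: `-1d` still parses as a plain string, but values starting with a YAML indicator are conventionally quoted (the original `ownca_not_before: "-1d"` was the safer form). The task that `return_content: true` and `register: cert` belong to starts before this hunk, so its `name` and module cannot be checked here; `cert.certificate` in the copy task is undefined if that task is skipped or run in check mode, which may be worth a guard.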