diff --git a/inventory/host_vars/fas01.stg.phx2.fedoraproject.org b/inventory/host_vars/fas01.stg.phx2.fedoraproject.org
index 5ad3ed6a08..5fa8f3b367 100644
--- a/inventory/host_vars/fas01.stg.phx2.fedoraproject.org
+++ b/inventory/host_vars/fas01.stg.phx2.fedoraproject.org
@@ -8,3 +8,4 @@ volgroup: /dev/vg_virthost10
 eth0_ip: 10.5.126.86
 vmhost: virthost10.phx2.fedoraproject.org
 datacenter: phx2
+master_fas_node: True
diff --git a/roles/fas_server/files/Makefile.fedora-ca b/roles/fas_server/files/Makefile.fedora-ca
new file mode 100644
index 0000000000..5da1ea9793
--- /dev/null
+++ b/roles/fas_server/files/Makefile.fedora-ca
@@ -0,0 +1,70 @@
+# $Id: Makefile,v 1.4 2006/06/20 18:55:37 jmates Exp $
+#
+# NOTE If running OpenSSL 0.9.8a or higher, see -newkey, below.
+#
+# Automates the setup of a custom Certificate Authority and provides
+# routines for signing and revocation of certificates. To use, first
+# customize the commands in this file and the settings in openssl.cnf,
+# then run:
+#
+# make init
+#
+# Then, copy in certificate signing requests, and ensure their suffix is
+# .csr before signing them with the following command:
+#
+# make sign
+#
+# To revoke a key, name the certificate file with the cert option
+# as shown below:
+#
+# make revoke cert=foo.cert
+#
+# This will revoke the certificate and call gencrl; the revocation list
+# will then need to be copied somehow to the various systems that use
+# your CA cert.
+
+requests = *.csr
+
+# remove -batch option if want chance to not certify a particular request
+sign: FORCE
+ @openssl ca -batch -config openssl.cnf -days 180 -in $(req) -out $(cert)
+
+revoke:
+ @test $${cert:?"usage: make revoke cert=certificate"}
+ @openssl ca -config openssl.cnf -revoke $(cert)
+ @$(MAKE) gencrl
+
+gencrl:
+ @openssl ca -config openssl.cnf -gencrl -out crl/crl.pem
+
+clean:
+ -rm ${requests}
+
+# creates required supporting files, CA key and certificate
+init:
+ @test ! -f serial
+ @mkdir crl newcerts private
+ @chmod go-rwx private
+ @echo '01' > serial
+ @touch index
+ # NOTE use "-newkey rsa:2048" if running OpenSSL 0.9.8a or higher
+ @openssl req -nodes -config openssl.cnf -days 1825 -x509 -newkey rsa:2048 -out ca-cert.pem -outform PEM
+
+help:
+ @echo make sign req=in.csr cert=out.cert
+ @echo ' - signs in.csr, outputting to out.cert'
+ @echo
+ @echo make revoke cert=filename
+ @echo ' - revokes certificate in named file and calls gencrl'
+ @echo
+ @echo make gencrl
+ @echo ' - updates Certificate Revocation List (CRL)'
+ @echo
+ @echo make clean
+ @echo ' - removes all *.csr files in this directory'
+ @echo
+ @echo make init
+ @echo ' - required initial setup command for new CA'
+
+# for legacy make support
+FORCE:
diff --git a/roles/fas_server/tasks/main.yml b/roles/fas_server/tasks/main.yml
index f5fd464006..6b36a0b91b 100644
--- a/roles/fas_server/tasks/main.yml
+++ b/roles/fas_server/tasks/main.yml
@@ -154,11 +154,11 @@ tags: - config -- name: install /var/lib/fedora-ca/.rnd file - file: path=/var/lib/fedora-ca/.rnd owner=fas group=fas mode=0600 setype=httpd_sys_content_t - when: master_fas_node == True - tags: - - config +#- name: install /var/lib/fedora-ca/.rnd file +# file: path=/var/lib/fedora-ca/.rnd owner=fas group=fas mode=0600 setype=httpd_sys_content_t +# when: master_fas_node == True +# tags: +# - config - name: setup /var/lib/fedora-ca/newcerts directory file: path=/var/lib/fedora-ca/newcerts owner=fas group=fas mode=0700 state=directory
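Review bot: The `init` recipe never states where the CA private key is written: `openssl req -nodes ... -newkey rsa:2048` has no `-keyout`, so the unencrypted key lands wherever openssl.cnf's default key path (or the working directory) points, which may well be outside the `private` directory that `chmod go-rwx private` is meant to protect — openssl.cnf is not part of this commit, so this is inferred. Passing an explicit `-keyout private/ca-key.pem` (file name is an example) and creating the directory with its mode in one step, `@mkdir -m 0700 private`, removes both the ambiguity and the window between `mkdir` and `chmod`. `sign` also lacks the argument guard that `revoke` has, so an empty `req`/`cert` reaches `openssl ca` as a bare `-in -out`; `@test $${req:?"usage: make sign req=in.csr cert=out.cert"}` before the openssl line mirrors the existing check. Note too that `init` uses plain `mkdir crl newcerts private` with no `-p`, which fails if the role has already created `newcerts` (as the task at the end of the main.yml hunk does), so the order in which that task and `make init` run matters.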
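Review bot: Commenting out the `.rnd` task leaves dead YAML in the role with no explanation of why it was disabled. If the task is no longer wanted, deleting the five lines is cleaner (git history keeps them); if it was disabled because `file:` with no `state` defaults to `state=file` and fails when the file does not yet exist, `state=touch` would create it instead — which of the two applies is not visible in this hunk. Whichever it is, a one-line `# .rnd file intentionally not managed here: <reason>` comment in place of the commented block would tell the next maintainer. The enclosing task list continues outside the hunk.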