diff --git a/roles/ipsilon/tasks/main.yml b/roles/ipsilon/tasks/main.yml
index ad00d60565..f087aaec80 100644
--- a/roles/ipsilon/tasks/main.yml
+++ b/roles/ipsilon/tasks/main.yml
@@ -49,16 +49,30 @@
   copy: src=ipsilon-httpd.conf
         dest=/etc/httpd/conf.d/ipsilon.conf
 
+- name: create wellknown directory
+  file: path=/etc/ipsilon/wellknown state=directory
+        owner=ipsilon group=ipsilon mode=0755
+
 - name: copy persona private key
   copy: src={{ private }}/files/ipsilon/persona.key dest=/etc/ipsilon/persona.key
         owner=ipsilon group=ipsilon mode=0600
   when: env != "staging"
 
+- name: copy persona public key
+  copy: src=browserid dest=/etc/ipsilon/welknown/browserid
+        owner=ipsilon group=ipsilon mode=0644
+  when: env != "staging"
+
 - name: copy persona STG private key
   copy: src={{ private }}/files/ipsilon/persona.stg.key dest=/etc/ipsilon/persona.stg.key
         owner=ipsilon group=ipsilon mode=0600
   when: env == "staging"
 
+- name: copy persona STG public key
+  copy: src=browserid.stg dest=/etc/ipsilon/wellknown/browserid
+        owner=ipsilon group=ipsilon mode=0644
+  when: env == "staging"
+
 - name: set sebooleans so ipsilon can talk to the db
   action: seboolean name=httpd_can_network_connect_db
                     state=true