diff --git a/.gitignore b/.gitignore
index 94aad02c65e3f97b8ca93facab2cf2891f76aa9e..a25857a52a64eb50591999328f3aab9b16270bb1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,5 @@
+files/*.crt
+files/*.key
 inventory/group_vars/geodns.yml
 inventory/group_vars/mdsigner.yml
 .ssh/id_*
diff --git a/files/GeoLite2-Country.mmdb b/files/GeoLite2-Country.mmdb
deleted file mode 100644
index fcc7618fad247a69a847639e4a93647deadc793a..0000000000000000000000000000000000000000
Binary files a/files/GeoLite2-Country.mmdb and /dev/null differ
diff --git a/files/README b/files/README
index 2883bb9ce2e3b39cfa99fb63a5af7991b8b55e57..22681f3814b574942948df172bbecd4632397775 100644
--- a/files/README
+++ b/files/README
@@ -1 +1,4 @@
-Download GeoLite2 DB's from https://dev.maxmind.com/geoip/geolite2-free-geolocation-data
+This directory should contain:
+
+ * GeoDNS config in yaml format
+ * mdsigner signing certificates (key_spec/cert_spec)
diff --git a/inventory/group_vars/all.yml b/inventory/group_vars/all.yml
index cae20cfc81a9040b7111ac8dbfa6b2ab79f17528..268eef2d2260aa0eac27bcce55b06dec8160b40f 100644
--- a/inventory/group_vars/all.yml
+++ b/inventory/group_vars/all.yml
@@ -2,7 +2,7 @@
 
 tld: srv.mdx.incubator.geant.org
 
-hosts:
+proxies:
   et2:
     hostname: srv1
     altname: 'server-md2.et2.com'
diff --git a/inventory/group_vars/mdsigner.yml.example b/inventory/group_vars/mdsigner.yml.example
index 5f9e0a84b56ed238a52bbcec1f8ad0a9f7d126ad..f947e83f66565248a8bd5cf67272c3827a48fa93 100644
--- a/inventory/group_vars/mdsigner.yml.example
+++ b/inventory/group_vars/mdsigner.yml.example
@@ -1,27 +1,29 @@
 ---
 
-hosts:
+signers_tld: srv.mdx.incubator.geant.org
+
+signers:
   et2:
+    hostname: srv1
     mdsigner:
       test:
-        signer:
-          name: hsm_signer
-          key_spec: pkcs11:///usr/lib/softhsm/libsofthsm2.so/test?pin=secret
-        metadir: metadata/test
+        name: hsm_signer
+        key_spec: pkcs11:///usr/lib/softhsm/libsofthsm2.so/test?pin=secret
 
   mdxcdn:
+    hostname: srv2
     mdsigner:
       edugain:
-        signer:
-          name: hsm_signer
-          key_spec: pkcs11:///usr/lib/softhsm/libsofthsm2.so/test?pin=secret
-        metadir: metadata/edugain
+        name: hsm_signer
+        key_spec: pkcs11:///usr/lib/softhsm/libsofthsm2.so/test?pin=secret
 
   alternative-mdx:
+    hostname: srv3
     mdsigner:
+      test:
+        name: normal_signer
+        key_spec: "test.key"
+        cert_spec: "test.crt"
       foobar:
-        signer:
-          name: normal_signer
-          key_spec: "meta.key"
-          cert_spec: "meta.crt"
-        metadir: metadata/test
+        name: hsm_signer
+        key_spec: pkcs11:///usr/lib/softhsm/libsofthsm2.so/test?pin=secret
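Review bot: Every hsm_signer entry in the new layout still carries the token PIN inline in `key_spec` (`?pin=secret`), and since this `.example` is what operators copy into the gitignored `mdsigner.yml`, nothing tells them the real PIN must stay out of the repository. Suggest a comment above the first `signers:` entry such as `# key_spec: do not commit a real PIN; keep mdsigner.yml out of VCS (gitignored) or use Ansible Vault`. Separately, `signers_tld` duplicates the `tld` value already set in `all.yml`; if the two are meant to diverge, a one-line comment saying why would stop someone from collapsing them later.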
diff --git a/roles/apache/templates/md.conf.j2 b/roles/apache/templates/md.conf.j2
index 59ca6d422f5f551f051227ec3d34ad82d3cf64de..8039cba75e498755ac448fd5db8dc7e8fa8b2d6a 100644
--- a/roles/apache/templates/md.conf.j2
+++ b/roles/apache/templates/md.conf.j2
@@ -1,8 +1,8 @@
-{% if hosts[inventory_hostname].get('mdsigner') %}
+{% if signers is defined and signers[inventory_hostname].get('mdsigner') %}
 <VirtualHost *:80>
-        ServerName {{ hosts[inventory_hostname]['hostname'] }}-signer.{{ tld }}
-{% if hosts[inventory_hostname].get('altname') %}
-        ServerAlias {{ hosts[inventory_hostname]['altname'] }}
+        ServerName {{ signers[inventory_hostname]['hostname'] }}-signer.{{ signers_tld }}
+{% if signers[inventory_hostname].get('altname') %}
+        ServerAlias {{ signers[inventory_hostname]['altname'] }}
 {% endif %}
         DocumentRoot /var/www/html
         AllowEncodedSlashes NoDecode
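Review bot: The guard `signers is defined and signers[inventory_hostname].get('mdsigner')` on the first line only protects the variable, not the host key: a host that is in the play but absent from `signers` makes `signers[inventory_hostname]` undefined, and the `.get()` call on that undefined value errors before the condition can evaluate to false. The `proxies` guard in the next hunk has the same shape. A lookup that tolerates a missing host keeps the intent, e.g. `{% if signers is defined and signers.get(inventory_hostname, {}).get('mdsigner') %}` and `{% if proxies is defined and proxies.get(inventory_hostname, {}).get('mdproxy') %}`. Note also that the signer vhost now builds its name from `signers_tld` while the proxy vhost keeps `tld`; if that split is deliberate, a short comment would prevent it being "fixed" later.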
@@ -11,16 +11,16 @@
 </VirtualHost>
 {% endif %}
 
-{% if hosts[inventory_hostname].get('mdproxy') %}
+{% if proxies is defined and proxies[inventory_hostname].get('mdproxy') %}
 <VirtualHost *:80>
-        ServerName {{ hosts[inventory_hostname]['hostname'] }}-proxy.{{ tld }}
+        ServerName {{ proxies[inventory_hostname]['hostname'] }}-proxy.{{ tld }}
         DocumentRoot /var/www/html
         AllowEncodedSlashes NoDecode
         ProxyPass "/" "http://127.0.0.1:5002/" nocanon
         ProxyPassReverse "/" "http://127.0.0.1:5002/"
 </VirtualHost>
 
-{% set mdproxy = hosts[inventory_hostname]['mdproxy'] %}
+{% set mdproxy = proxies[inventory_hostname]['mdproxy'] %}
 {% for realm, values in mdproxy.items() %}
 <VirtualHost *:80>
         ServerName proxy-{{ realm }}.{{ tld }}
@@ -34,3 +34,4 @@
 </VirtualHost>
 {% endfor %}
 {% endif %}
+
diff --git a/roles/mdproxy/templates/mdproxy.yaml.j2 b/roles/mdproxy/templates/mdproxy.yaml.j2
index e17c6fe8b22644e21927407b4bc27720df6ddf10..a9f19fadd314c84d743247e3895c5d6f97c62fe8 100644
--- a/roles/mdproxy/templates/mdproxy.yaml.j2
+++ b/roles/mdproxy/templates/mdproxy.yaml.j2
@@ -1,2 +1,9 @@
 ---
-{{ hosts[inventory_hostname]['mdproxy'] | tojson }}
+{% set mdproxies = proxies[inventory_hostname]['mdproxy'] %}
+{% for realm, values in mdproxies.items() %}
+{{ realm }}:
+  signer: {{ values['signer'] }}
+{% if values.get('altname') %}
+  altname: {{ values['altname'] }}
+{% endif %}
+{% endfor %}
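Review bot: The per-realm values are interpolated into YAML unquoted at `  signer: {{ values['signer'] }}` and `  altname: {{ values['altname'] }}`, whereas the replaced `| tojson` line always produced a well-formed document; a value that looks like a boolean or number, or that contains `: ` or ` #`, is silently re-typed or breaks the parse. Quoting each emitted scalar restores that property, e.g. `  signer: {{ values['signer'] | tojson }}` and `  altname: {{ values['altname'] | tojson }}`. Also, the loop only carries `signer` and `altname` forward, so any other key a realm had under `mdproxy` is now dropped without notice; that may be intended but is a behaviour change from the old full dump.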
diff --git a/roles/mdsigner/tasks/certificates.yml b/roles/mdsigner/tasks/certificates.yml
new file mode 100644
index 0000000000000000000000000000000000000000..8e0c936aa74809ef995c39151b303de4ddd294cf
--- /dev/null
+++ b/roles/mdsigner/tasks/certificates.yml
@@ -0,0 +1,18 @@
+- name: check wheter we can copy certificates
+  ansible.builtin.stat:
+    path: "{{ playbook_dir }}/files/{{ item.value.key_spec }}"
+  delegate_to: localhost
+  become: no
+  register: key_spec
+
+- name: Copy certificates when key_spec exists
+  block:
+    - name: Copy Key spec
+      ansible.builtin.copy:
+        src: "{{ item.value.key_spec }}"
+        dest: "{{ altmdx_dir }}/{{ item.value.key_spec }}"
+    - name: Copy Cert spec
+      ansible.builtin.copy:
+        src: "{{ item.value.cert_spec }}"
+        dest: "{{ altmdx_dir }}/{{ item.value.cert_spec }}"
+  when: key_spec.stat.exists
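Review bot: The private key is copied by `Copy Key spec` without a `mode`, so the new file in `{{ altmdx_dir }}` takes the remote umask default, which is commonly world-readable; add `mode: '0600'` to that task (and `mode: '0644'` to `Copy Cert spec`), plus `owner`/`group` if the signer runs as a dedicated user. The block also assumes `item.value.cert_spec` is set whenever the key file exists, but the stat only checks `key_spec`, so a file-backed entry without `cert_spec` fails at `Copy Cert spec` instead of being skipped. Minor: `become: no` should be `become: false`, and the first task name has a typo (`wheter` → `whether`).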
diff --git a/roles/mdsigner/tasks/main.yml b/roles/mdsigner/tasks/main.yml
index d3dd9a3b89d8ce8307b4487c870accf6c78206a0..60a434dbffaa7594cc232f0a67bb1d1e4f33dc10 100644
--- a/roles/mdsigner/tasks/main.yml
+++ b/roles/mdsigner/tasks/main.yml
@@ -22,22 +22,11 @@
     path: "{{ altmdx_metadir }}/{{ item.key }}"
     state: directory
     mode: '0755'
-  with_dict: "{{ hosts[inventory_hostname]['mdsigner'] }}"
+  with_dict: "{{ signers[inventory_hostname]['mdsigner'] }}"
 
-- name: Check existence of metadata signing cert
-  stat:
-    path: "{{ altmdx_metadir }}/meta.crt"
-  register: mdcert
-
-- name: create self-signed Metadata Signing SSL certs
-  shell: >
-    openssl genrsa -out "{{ altmdx_dir }}/meta.key" 2048;
-    openssl req -new -nodes -x509 -subj "/C=NL/CN=metadata"
-    -days 3650 -key "{{ altmdx_dir }}/meta.key"
-    -out "{{ altmdx_dir }}/meta.crt" -extensions v3_ca
-  args:
-    creates: "{{ altmdx_dir }}/meta.crt"
-  when: not mdcert.stat.exists
+- name: Copy certificates
+  include_tasks: certificates.yml
+  loop: "{{ signers[inventory_hostname]['mdsigner'] | dict2items }}"
 
 - name: Copy mdsigner service files
   ansible.builtin.template:
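Review bot: The `loop` on `include_tasks` at `Copy certificates` prints each `item` in the task output, and for hsm_signer entries that item is the full `key_spec` URI including the `?pin=...` query, so the PIN ends up on the console and in any collected logs. Add `loop_control:` with `label: "{{ item.key }}"` under the loop (or `no_log: true`) so only the realm name is shown. With the self-signed generation removed, a file-backed signer whose `key_spec`/`cert_spec` are missing from `files/` now silently ends up with no certificate rather than a generated one; a failing `assert` or at least a debug message when nothing was copied would make that visible.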
diff --git a/roles/mdsigner/templates/mdsigner.yaml.j2 b/roles/mdsigner/templates/mdsigner.yaml.j2
index c2259f34a09d41e7559d17a31e31bb1db72732d9..769e307c18aa8f3b112db5190dfde1ed8e99862a 100644
--- a/roles/mdsigner/templates/mdsigner.yaml.j2
+++ b/roles/mdsigner/templates/mdsigner.yaml.j2
@@ -1,2 +1,10 @@
 ---
-{{ hosts[inventory_hostname]['mdsigner'] | to_yaml }}
+{% set mdsigners = signers[inventory_hostname]['mdsigner'] %}
+{% for realm, values in mdsigners.items() %}
+{{ realm }}:
+  signer:
+    name: {{ values['name'] }}
+    key_spec: {{ values.key_spec }}
+    cert_spec: {{ values.get('cert_spec') }}
+  metadir: metadata/{{ realm }}
+{% endfor %}
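Review bot: `    cert_spec: {{ values.get('cert_spec') }}` renders the literal word `None` for the hsm_signer entries, which have no `cert_spec` in the example, and YAML reads that as the string "None" rather than null; the line should be emitted only when the key is present. The other scalars (`name`, `key_spec`) are written unquoted as well, so a value containing `: `, ` #` or a boolean-looking token would break or re-type the document, which the replaced `| to_yaml` output avoided. The three accessor styles on adjacent lines (`values['name']`, `values.key_spec`, `values.get('cert_spec')`) could also be unified.
```jinja
{% for realm, values in mdsigners.items() %}
{{ realm }}:
  signer:
    name: {{ values['name'] | tojson }}
    key_spec: {{ values['key_spec'] | tojson }}
{% if values.get('cert_spec') %}
    cert_spec: {{ values['cert_spec'] | tojson }}
{% endif %}
{# … unchanged: metadir line and endfor … #}
```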