diff --git a/files/geant_acme.py b/files/geant_acme.py
index f2aedb817d96669fad26223b02770a81988bdaae..5e793e37765ba59c6e87b0f14245ca84ec13f5ba 100755
--- a/files/geant_acme.py
+++ b/files/geant_acme.py
@@ -12,6 +12,7 @@ Options:
   -c CLIENT --client=CLIENT       Client
   -d DOMAIN --domain=DOMAIN       Domain
   -p PROVIDER --provider=PROVIDER Provider
+  -u UNIT --unit=UNIT             Unit, entity or team
   -w --wildcard                   Use wildcard
   -x --extra=EXTRA                Supply extra parameters available from certbot documentation
 """
@@ -140,8 +141,12 @@ if __name__ == "__main__":
 
     ARGS = docopt(__doc__)
     DOMAIN = ARGS['--domain']
+    UNIT = ARGS['--unit']
     PROVIDER = ARGS['--provider']
-    CLIENTS = ARGS['--client']
+    if ARGS['--client']:
+        CLIENTS = ARGS['--client']
+    else:
+        CLIENTS = DOMAIN[0]  # client makes only sense with Puppet
     WILDCARD = ARGS['--wildcard']
     EXTRA = ARGS['--extra']
     LOG_FILE = '/var/log/acme_{}/geant_acme.log'.format(PROVIDER)
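Review bot: The fallback `CLIENTS = DOMAIN[0]` assigns a plain string, while the upload loop further down iterates `for client in CLIENTS`. With no `--client`, that loop would walk the domain name one character at a time and call the uploader once per character. Wrapping the value keeps the type consistent with the `--client` case: `CLIENTS = [DOMAIN[0]]`. This assumes `--client` is a repeatable option that docopt returns as a list; the usage line is outside this hunk, so confirm it there.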
@@ -192,12 +197,13 @@ if __name__ == "__main__":
 
     # if we are here, everything went fine and we can upload the certificates
     if WILDCARD:
-        UPLOADER = '/root/bin/geant_acme_uploader.py -d {} -p {} -w'.format(DOMAIN[0], PROVIDER)
+        UPLOADER = '/root/bin/geant_acme_uploader.py -u {} -d {} -p {} -w'.format(
+            UNIT, DOMAIN[0], PROVIDER)
         os.system(UPLOADER)
     else:
         for client in CLIENTS:
-            UPLOADER = '/root/bin/geant_acme_uploader.py -d {} -c {} -p {}'.format(
-                DOMAIN[0], client, PROVIDER)
+            UPLOADER = '/root/bin/geant_acme_uploader.py -u {} -d {} -c {} -p {}'.format(
+                UNIT, DOMAIN[0], client, PROVIDER)
             os.system(UPLOADER)
 
     os_exit()
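Review bot: Both uploader commands are built with `str.format` and passed to `os.system`, so `UNIT`, `DOMAIN[0]`, `client` and `PROVIDER` reach a shell unquoted and the uploader's exit status is discarded. An argument list avoids the shell and surfaces failures: `subprocess.run(['/root/bin/geant_acme_uploader.py', '-u', UNIT, '-d', DOMAIN[0], '-p', PROVIDER, '-w'], check=True)`, with the same form in the per-client branch (this needs `subprocess` imported; the import block is not visible here). Separately, `UNIT` is `None` when `-u` is not given, so the formatted command carries the literal `-u None`. Either require the option or omit the flag when it is unset.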
diff --git a/files/geant_acme_uploader.py b/files/geant_acme_uploader.py
index 68048aa3bbdd732e6210c56cf136f9f1556c02dd..318b90903bcd0f0ee11d5a054df2bcbdd3372917 100755
--- a/files/geant_acme_uploader.py
+++ b/files/geant_acme_uploader.py
@@ -11,6 +11,7 @@ Options:
   -h --help                       Show this screen
   -d DOMAIN --domain=DOMAIN       Domain
   -c CLIENT --client=CLIENT       Client
+  -u UNIT --unit=UNIT             Unit, entity or team
   -p PROVIDER --provider=PROVIDER Provider
   -w --wildcard                   Wildcard
 """
@@ -131,6 +132,7 @@ if __name__ == "__main__":
 
     ARGS = docopt(__doc__)
     DOMAIN = ARGS['--domain']
+    UNIT = ARGS['--unit']
     PROVIDER = ARGS['--provider']
     if ARGS['--wildcard']:
         CLIENT = ['common']
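Review bot: `UNIT` is taken from the command line and used unchecked in three places: the config option name `vault_token_{}` in the next hunk, and the Redis key prefix and first Vault path segment in the hunk after that. A missing or unknown unit surfaces only as an unhandled `configparser.NoOptionError`, and a value containing `/` or `:` would change the shape of the Vault path or Redis key. Validate it once right after parsing, for example `if not re.fullmatch(r'[A-Za-z0-9_-]+', UNIT or ''): sys.exit('invalid --unit')` (assuming `re` and `sys` are imported, which is not visible here). Also check that the option exists in the config, with a clear error message, before reading the token.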
@@ -143,7 +145,7 @@ if __name__ == "__main__":
     CONFIG = configparser.RawConfigParser()
     CONFIG.read_file(open('/root/.geant_acme.ini'))
     REDIS_TOKEN = CONFIG.get('geant_acme', 'redis_token')
-    VAULT_TOKEN = CONFIG.get('geant_acme', 'vault_token')
+    VAULT_TOKEN = CONFIG.get('geant_acme', 'vault_token_{}'.format(UNIT))
     REDIS_HOST = CONFIG.get('geant_acme', 'redis_host')
     VAULT_HOST = CONFIG.get('geant_acme', 'vault_host')
     BASEDIR = '/etc/{}/live'.format(PROVIDER)
@@ -181,22 +183,22 @@ if __name__ == "__main__":
                 domain_underscored = DOMAIN.replace('.', '_')
                 certname_renamed = certname.replace(
                     'cert.pem', 'pem').replace('.', '_')
-                redis_full_path = '{}:redis_{}{}_{}'.format(
-                    CLIENT_ITEM, PROVIDER_PREFIX, domain_underscored, certname_renamed)
-                certdata_upstream = redis_download(REDIS_HOST, REDIS_TOKEN, redis_full_path)
+                REDIS_FULL_PATH = '{}:{}:redis_{}{}_{}'.format(
+                    UNIT, CLIENT_ITEM, PROVIDER_PREFIX, domain_underscored, certname_renamed)
+                certdata_upstream = redis_download(REDIS_HOST, REDIS_TOKEN, REDIS_FULL_PATH)
 
                 if certdata_local != certdata_upstream:
-                    print('uploading to Redis: {}'.format(redis_full_path))
-                    redis_upload(REDIS_HOST, REDIS_TOKEN, redis_full_path, certdata_local)
+                    print('uploading to Redis: {}'.format(REDIS_FULL_PATH))
+                    redis_upload(REDIS_HOST, REDIS_TOKEN, REDIS_FULL_PATH, certdata_local)
                 else:
-                    print('redis key {} did not change: skipping'.format(redis_full_path))
+                    print('redis key {} did not change: skipping'.format(REDIS_FULL_PATH))
 
         # upload key to Vault
         with open(KEYPATH, 'r') as keyfile:
             KEYDATA_LOCAL = keyfile.read()
             DOMAIN_UNDERSCORED = DOMAIN.replace('.', '_')
-            VAULT_FULL_PATH = 'puppet/{}/vault_{}{}{}_key'.format(
-                CLIENT_ITEM, PROVIDER_PREFIX, WILDCARD, DOMAIN_UNDERSCORED)
+            VAULT_FULL_PATH = '{}/{}/vault_{}{}{}_key'.format(
+                UNIT, CLIENT_ITEM, PROVIDER_PREFIX, WILDCARD, DOMAIN_UNDERSCORED)
             KEYDATA_UPSTREAM = vault_dowload(VAULT_HOST, VAULT_TOKEN, VAULT_FULL_PATH)
 
             if KEYDATA_LOCAL != KEYDATA_UPSTREAM:
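Review bot: Nothing in this hunk migrates or retires entries written under the old layout: Redis keys move from `CLIENT:redis_...` to `UNIT:CLIENT:redis_...`, and Vault paths move from `puppet/CLIENT/...` to `UNIT/CLIENT/...`. Any consumer still reading the old names will keep getting a certificate or key that is no longer refreshed. For units other than `puppet`, previously stored private keys would stay in Vault under the old path until someone removes them. A comment here such as `# key layout changed to <unit>:<client>:...; old keys must be cleaned up and readers updated` would make that visible, and the cleanup belongs in the rollout. The enclosing loop and the `if KEYDATA_LOCAL != KEYDATA_UPSTREAM:` branch continue outside the hunk.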
diff --git a/manifests/files.pp b/manifests/files.pp
index 007c8b005b7ac6d71225539803b584b6f7ffc4bb..5ff28149f5b7b060746d5223880b2c0a735b2037 100644
--- a/manifests/files.pp
+++ b/manifests/files.pp
@@ -3,6 +3,7 @@
 class geant_acme::files (
   Sensitive $vault_token,
   Sensitive $puppet_token,
+  $team_name,
   $wildcard_domain,
   $redis_host,
   $vault_host,
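Review bot: The new `$team_name` parameter is untyped and singular, but init.pp passes it the array `$units`, and the template iterates it with `.each`. In server.pp the parameter of the same name is a single unit string, so the two meanings are easy to confuse. Declaring it as `Array[String] $team_name,` (or renaming it to `$team_names`) documents the contract and lets the compiler reject a bare string. The class's parameter list continues outside the hunk.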
@@ -96,7 +97,8 @@ class geant_acme::files (
       target => '/root/bin/infoblox_hook.py';
     '/root/.geant_acme.ini':
       mode    => '0640',
-      content => Sensitive(epp("${module_name}/geant_acme.ini.epp"));
+      content => epp("${module_name}/geant_acme.ini.epp");
+      #content => Sensitive(epp("${module_name}/geant_acme.ini.epp"));
     '/root/.secrets_shuffle.ini':
       mode    => '0640',
       content => Sensitive(epp("${module_name}/secrets_shuffle.ini.epp"));
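Review bot: Dropping the `Sensitive(...)` wrapper on the content of `/root/.geant_acme.ini` means the rendered file is treated as ordinary data. That file now holds the Redis token and every unit's Vault token, so it can appear in file diffs, agent logs and reports whenever it changes. The old line is left commented out, which suggests this was a debugging step. Restore `content => Sensitive(epp("${module_name}/geant_acme.ini.epp"));` and delete the commented line; the neighbouring `.secrets_shuffle.ini` resource still wraps its content this way. If tokens were already rendered unwrapped on real nodes, consider rotating them.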
diff --git a/manifests/init.pp b/manifests/init.pp
index 5d0baf06433bba464bdf3f569a07f07c970fc32b..d82c9bcea8e65f1fe198833ab80e697afa3f7c0f 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -47,8 +47,13 @@ class geant_acme (
   include geant_acme::nginx
   include geant_acme::firewall
 
+  $ev_units = keys($sg_certificates_ev)
+  $ov_units = keys($sg_certificates_ov)
+  $units = unique($ev_units + $ov_units)
+
   class {
     'geant_acme::files':
+      team_name           => $units,
       vault_token         => Sensitive($vault_token),
       puppet_token        => Sensitive($puppet_token),
       iblox_password      => Sensitive($iblox_password),
@@ -79,15 +84,25 @@ class geant_acme (
     geant_acme::wildcard { ['letsencrypt', 'sectigo_ov']: check_days => $check_days; }
   }
 
-  geant_acme::server {
-    default:
-      check_days => $check_days;
-    'letsencrypt':
-      certificates => $le_certificates;
-    'sectigo_ov':
-      certificates => $sg_certificates_ov;
-    'sectigo_ev':
-      certificates => $sg_certificates_ev;
+  $ev_units.each | $evunit | {
+    geant_acme::server { 'sectigo_ev':
+      check_days   => $check_days,
+      team_name    => $evunit,
+      certificates => $sg_certificates_ev[$evunit];
+    }
+  }
+
+  $ov_units.each | $ovunit | {
+    geant_acme::server { 'sectigo_ov':
+      check_days   => $check_days,
+      team_name    => $ovunit,
+      certificates => $sg_certificates_ov[$ovunit];
+    }
+  }
+
+  geant_acme::server { 'letsencrypt':
+    check_days   => $check_days,
+    certificates => $le_certificates;
   }
 
 }
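Review bot: Both `each` loops declare `geant_acme::server` with a fixed title (`'sectigo_ev'` and `'sectigo_ov'`), so catalog compilation will fail with a duplicate declaration as soon as either hash contains more than one unit. Make the title unique per unit and pass the provider explicitly, because server.pp defaults `$provider` to `$name`: `geant_acme::server { "sectigo_ev_${evunit}":` with `provider => 'sectigo_ev',`, and the same for OV. The `letsencrypt` declaration passes no `team_name`, which leaves the `-u` argument empty in the generated cron command; see server.pp.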
diff --git a/manifests/server.pp b/manifests/server.pp
index 50a2b434b1d8c7718056f4ea4abfcdac5c22c349..9e7672ab1f8ebe2fe7eae3afd6cd91937b81d641 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -18,6 +18,7 @@
 define geant_acme::server (
   $certificates,
   $check_days,
+  $team_name = undef,
   $provider = $name,
 ) {
 
@@ -26,8 +27,12 @@ define geant_acme::server (
   $certificates_list.each | String $certificate | {
 
     # join multiple clients as following: 'test-nas01.geant.org -c test-jump01.geant.org'
-    $certificates_clients = join($certificates[$certificate]['clients'], ' -c ')
-
+    if $certificates[$certificate]['clients'] {
+      $certificates_clients = join($certificates[$certificate]['clients'], ' -c ')
+      $_clients = "-c ${certificates_clients}"
+    } else {
+      $_clients = ''
+    }
     # if there is multi_domain join them as following: 'cert_2.geant.org -d cert_3.geant.org'
     if $certificates[$certificate]['multi_domain'] {
       $concat_cert_list = concat([$certificate], $certificates[$certificate]['multi_domain'])
@@ -39,14 +44,14 @@ define geant_acme::server (
 
     # if verbose is enabled append ' - v'
     if 'verbose' in $certificates[$certificate] {
-      $cmd = "${certificates_clients} -v"
+      $clients = "${_clients} -v"
     } else {
-      $cmd = $certificates_clients
+      $clients = $_clients
     }
 
     # 86400 = 1 day
     $cmd_prefix = "/bin/check-ssl-cert.rb -c ${check_days} -w ${check_days} -P /etc/${provider}/live/${certificate}/fullchain.pem"
-    $cmd_suffix = "/root/bin/geant_acme.py -p ${provider} -d ${cert_list} -c ${cmd}"
+    $cmd_suffix = "/root/bin/geant_acme.py -p ${provider} -u ${team_name} -d ${cert_list} ${clients}"
 
     cron { $certificate:
       ensure  => present,
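Review bot: `$cmd_suffix` always emits `-u ${team_name}`, but `$team_name` defaults to `undef` and the `letsencrypt` declaration in init.pp does not set it. The command then contains `-u` followed directly by `-d`, and the option parser will most likely take `-d` as the unit value or reject the line. Build the flag conditionally, as is done for clients: `$_unit = $team_name ? { undef => '', default => "-u ${team_name}" }`, then use `${_unit}` in `$cmd_suffix`. Alternatively, make `team_name` mandatory and give letsencrypt a unit, since the uploader now needs one to find its Vault token. The `cron` resource continues outside the hunk.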
diff --git a/templates/geant_acme.ini.epp b/templates/geant_acme.ini.epp
index 269a9e056f992502bb2584831da739a41535d87a..8bed83d157176b791f2c6e62d8494ffe3f9af4e5 100644
--- a/templates/geant_acme.ini.epp
+++ b/templates/geant_acme.ini.epp
@@ -8,9 +8,13 @@ redis_token = <%= $geant_acme::files::puppet_token.unwrap %>
 redis_host = <%= $geant_acme::files::redis_host %>
 
 # Vault parameters
-vault_token = <%= $geant_acme::files::vault_token.unwrap %>
 vault_host = <%= $geant_acme::files::vault_host %>
 
 # PuppetDB parameters
 puppetdb_host = <%= $geant_acme::files::puppetdb_host %>
 puppetdb_port = <%= $geant_acme::files::puppetdb_port %>
+
+# Vault tokens
+<% $token_hash = $geant_acme::files::vault_token.unwrap -%>
+<% $geant_acme::files::team_name.each |$team| { %>vault_token_<%= $team %> = <%= $token_hash[$team] %>
+<% } -%>
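Review bot: `$token_hash[$team]` is rendered without checking that the key exists, so a unit that appears in the certificate hashes but has no entry in the token hash produces a line `vault_token_<team> = ` with an empty value. The failure then shows up only later as a Vault authentication error. The same applies to the hard-coded `$token_hash['puppet']` lookup in secrets_shuffle.ini.epp. Checking in the manifest before rendering makes the mistake fail at compile time, for example `unless $team in $token_hash { fail("no vault token for unit ${team}") }` inside an `each` over the units. Note also that every unit's token ends up in the same root-owned file, so the per-unit separation relies on the uploader picking the right option rather than on file permissions.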
diff --git a/templates/secrets_shuffle.ini.epp b/templates/secrets_shuffle.ini.epp
index 96d329ffed8ef22ff6ba2234f43cc1267a4358e4..d86093d94915e3ab281d2e2cb51508aaa2a2207f 100644
--- a/templates/secrets_shuffle.ini.epp
+++ b/templates/secrets_shuffle.ini.epp
@@ -1,6 +1,7 @@
 [vault]
 # Vault parameters
-vault_token = <%= $geant_acme::files::vault_token.unwrap %>
+<% $token_hash = $geant_acme::files::vault_token.unwrap -%>
+vault_token = <%= $token_hash['puppet'] %>
 vault_ssl = true
 vault_host = <%= $geant_acme::files::vault_host %>
 vault_port = 443