diff --git a/defaults/main.yml b/defaults/main.yml
index ba3d79d..03c2282 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -170,3 +170,9 @@ pki_file_mode:
 certificate_chain: "{{ pki_cert_mode }}"
 ca_bundle: "{{ pki_cert_mode }}"
 private_key: "{{ pki_key_mode }}"
+
+# file ownership when files are installed on the target
+# applies to all files installed
+# or, applies to all files not having a more specific owner:group in pki_install_certificates
+pki_install_owner: "root"
+pki_install_group: "root"
diff --git a/molecule/default/group_vars/all.yml b/molecule/default/group_vars/all.yml
index 1f91a84..c57fcaa 100644
--- a/molecule/default/group_vars/all.yml
+++ b/molecule/default/group_vars/all.yml
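Review bot: The three comment lines added above `pki_install_owner` contradict each other: the second says the values apply to all installed files, the third says only to entries without their own owner/group, and only the third matches the `default(pki_install_owner)` lookup in tasks/main_certs.yml. A single statement of the precedence reads better, e.g. `# Default owner and group for every file this role installs; an entry in pki_install_certificates may set its own owner/group to override these.` It would also help to state here that owner and group are now always passed to the copy task, so — unlike the previous `omit` — ownership that was changed by hand on the target is presumably reset on the next run; a line in the README or changelog, if the role keeps one, would make that visible to users.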
@@ -138,44 +138,32 @@ functional_install_key_name_1_dest: "{{ '/root/' ~ ansible_facts['hostname'] ~ '
 pki_install_certificates:
 - src: "{{ pki_dir ~ '/certs/certs/' ~ ansible_facts['hostname'] ~ '_1.crt' }}"
 dest: "{{ functional_install_cert_1_dest }}"
- owner: "root"
- group: "root"
 mode: "0644"
 - src: "{{ pki_dir ~ '/certs/certs/' ~ ansible_facts['hostname'] ~ '_1-chain.crt' }}"
 dest: "{{ functional_install_chain_1_dest }}"
- owner: "root"
- group: "root"
- mode: "0644"
+ mode: "0755"
 - src: "{{ pki_dir ~ '/certs/certs/' ~ ansible_facts['hostname'] ~ '_1-ca_bundle.crt' }}"
 dest: "{{ functional_install_ca_bundle_1_dest }}"
- owner: "root"
- group: "root"
 mode: "0644"
 - src: "{{ pki_dir ~ '/certs/private/' ~ ansible_facts['hostname'] ~ '_1.key.pem' }}"
 dest: "{{ functional_install_key_1_dest }}"
- owner: "root"
- group: "root"
 mode: "0640"
 - name: "{{ ansible_facts['hostname'] ~ '_1' }}"
 dest: "{{ functional_install_cert_name_1_dest }}"
+ owner: "test"
 type: "certificate"
- owner: "root"
- group: "root"
 - name: "{{ ansible_facts['hostname'] ~ '_1' }}"
 dest: "{{ functional_install_chain_name_1_dest }}"
+ group: "test"
 type: "certificate_chain"
- owner: "root"
- group: "root"
 - name: "{{ ansible_facts['hostname'] ~ '_1' }}"
 dest: "{{ functional_install_ca_bundle_name_1_dest }}"
+ owner: "test"
+ group: "test"
 type: "ca_bundle"
- owner: "root"
- group: "root"
 - name: "{{ ansible_facts['hostname'] ~ '_1' }}"
 dest: "{{ functional_install_key_name_1_dest }}"
 type: "private_key"
- owner: "root"
- group: "root"
 # Custom certificate installation search pattern
 pki_search_install_certificates_pattern: "foo_install_certificates_"
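Review bot: The chain entry now sets `mode: "0755"` on a certificate file, which is presumably meant only to exercise the per-entry mode override (verify.yml asserts the same value), but it leaves an executable bit on a PEM file in the one fixture users are most likely to copy from. A value that differs from the default yet is not executable, such as `mode: "0640"`, proves the override just as well; the matching assertion in verify.yml would change with it. The owner-only and group-only entries further down are a good way to cover the two fallbacks separately and need no change.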
@@ -193,37 +181,25 @@ functional_install_key_3_dest: "{{ '/root/' ~ ansible_facts['hostname'] ~ '_3.ke
 foo_install_certificates_variable:
 - src: "{{ pki_dir ~ '/certs/certs/' ~ ansible_facts['hostname'] ~ '_2.crt' }}"
 dest: "{{ functional_install_cert_2_dest }}"
- owner: "root"
- group: "root"
 mode: "0644"
 condition: true
 - src: "{{ pki_dir ~ '/certs/certs/' ~ ansible_facts['hostname'] ~ '_2-chain.crt' }}"
 dest: "{{ functional_install_chain_2_dest }}"
- owner: "root"
- group: "root"
 mode: "0644"
 condition: true
 - src: "{{ pki_dir ~ '/certs/certs/' ~ ansible_facts['hostname'] ~ '_2-ca_bundle.crt' }}"
 dest: "{{ functional_install_ca_bundle_2_dest }}"
- owner: "root"
- group: "root"
 mode: "0644"
 condition: true
 - src: "{{ pki_dir ~ '/certs/private/' ~ ansible_facts['hostname'] ~ '_2.key.pem' }}"
 dest: "{{ functional_install_key_2_dest }}"
- owner: "root"
- group: "root"
 mode: "0640"
 condition: true
 - src: "{{ pki_dir ~ '/certs/certs/' ~ ansible_facts['hostname'] ~ '_3.crt' }}"
 dest: "{{ functional_install_cert_3_dest }}"
- owner: "root"
- group: "root"
 mode: "0644"
 condition: false
 - src: "{{ pki_dir ~ '/certs/private/' ~ ansible_facts['hostname'] ~ '_3.key.pem' }}"
 dest: "{{ functional_install_key_3_dest }}"
- owner: "root"
- group: "root"
 mode: "0640"
 condition: false
diff --git a/molecule/default/prepare.yml b/molecule/default/prepare.yml
index e21e817..0e5b61c 100644
--- a/molecule/default/prepare.yml
+++ b/molecule/default/prepare.yml
@@ -2,6 +2,15 @@
 - name: Prepare
 hosts: all
 tasks:
+ - name: Create test group
+ ansible.builtin.group:
+ name: test
+
+ - name: Create test user
+ ansible.builtin.user:
+ name: test
+ group: test
+
 - name: Update apt cache
 ansible.builtin.apt:
 update_cache: true
diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
index a7dfe74..3837657 100644
--- a/molecule/default/verify.yml
+++ b/molecule/default/verify.yml
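Review bot: In the prepare.yml hunk, the `Create test user` task creates a full login account with a home directory, because `ansible.builtin.user` defaults to `create_home: true`, which is more than the ownership checks in verify.yml need and leaves a stray home directory on the instance. Passing `create_home: false` (and `system: true` for a fixture account that never logs in) keeps the user to exactly what the scenario uses. The `Create test group` task before it is fine as-is, and the group_vars hunk above is a pure deletion that needs no change.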
@@ -54,7 +54,7 @@
 - ansible.builtin.stat:
 path: "{{ functional_install_ca_bundle_name_1_dest }}"
- register: chain_name_1_stat
+ register: ca_bundle_name_1_stat
 - ansible.builtin.stat:
 path: "{{ functional_install_key_name_1_dest }}"
@@ -92,15 +92,42 @@
 - ansible.builtin.assert:
 that:
 - cert_1_stat.stat.exists
+ - cert_1_stat.stat.pw_name == "root"
+ - cert_1_stat.stat.gr_name == "root"
+
 - chain_1_stat.stat.exists
+ - chain_1_stat.stat.mode == "0755"
+ - chain_1_stat.stat.pw_name == "root"
+ - chain_1_stat.stat.gr_name == "root"
+
 - ca_bundle_1_stat.stat.exists
+ - ca_bundle_1_stat.stat.pw_name == "root"
+ - ca_bundle_1_stat.stat.gr_name == "root"
+
 - key_1_stat.stat.exists
+ - key_1_stat.stat.pw_name == "root"
+ - key_1_stat.stat.gr_name == "root"
+
 - cert_name_1_stat.stat.exists
 - cert_name_1_stat.stat.mode == "0644"
+ - cert_name_1_stat.stat.pw_name == "test"
+ - cert_name_1_stat.stat.gr_name == "root"
+
 - chain_name_1_stat.stat.exists
 - chain_name_1_stat.stat.mode == "0644"
+ - chain_name_1_stat.stat.pw_name == "root"
+ - chain_name_1_stat.stat.gr_name == "test"
+
+ - ca_bundle_name_1_stat.stat.exists
+ - ca_bundle_name_1_stat.stat.mode == "0644"
+ - ca_bundle_name_1_stat.stat.pw_name == "test"
+ - ca_bundle_name_1_stat.stat.gr_name == "test"
+
 - key_name_1_stat.stat.exists
 - key_name_1_stat.stat.mode == "0600"
+ - key_name_1_stat.stat.pw_name == "root"
+ - key_name_1_stat.stat.gr_name == "root"
+
 - cert_2_stat.stat.exists
 - chain_2_stat.stat.exists
 - ca_bundle_2_stat.stat.exists
diff --git a/tasks/main_certs.yml b/tasks/main_certs.yml
index 05f4abc..9b742f7 100644
--- a/tasks/main_certs.yml
+++ b/tasks/main_certs.yml
@@ -66,8 +66,8 @@
 ansible.builtin.copy:
 content: "{{ install.content | b64decode }}"
 dest: "{{ install.item.dest }}"
- owner: "{{ install.item.owner | default(omit) }}"
- group: "{{ install.item.group | default(omit) }}"
+ owner: "{{ _owner }}"
+ group: "{{ _group }}"
 mode: "{{ _mode }}"
 loop: "{{ _cert_slurp.results }}"
 loop_control:
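Review bot: In the assert hunk, every check on an entry that relies on the new role defaults expects `pw_name == "root"` and `gr_name == "root"`, which is also what the copy module produces when no owner or group is passed at all (the scenario presumably runs as root, given the `/root/` destinations in group_vars), so the new `pki_install_owner`/`pki_install_group` lookup is never distinguished from the old `omit` behaviour. Setting `pki_install_group: "test"` for the scenario in molecule/default/group_vars/all.yml (the `test` group is created in prepare.yml) and asserting it on the entries that carry no group of their own, e.g. `- key_1_stat.stat.gr_name == "test"`, would cover the fallback; the `key_name_1_stat` expectations would change accordingly. The assertion list belongs to a task whose start lies outside the hunk, and the `register` rename above it needs no change.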
@@ -75,10 +75,12 @@
 label: "{{ loop_label | to_json }}"
 vars:
 _mode : "{{ install.item.mode | d(pki_file_mode[install.item.type | d('certificate')]) }}"
+ _owner: "{{ install.item.owner | default(pki_install_owner) }}"
+ _group: "{{ install.item.group | default(pki_install_group) }}"
 loop_label:
 dest: "{{ install.item.dest }}"
- owner: "{{ install.item.owner | default(omit) }}"
- group: "{{ install.item.group | default('omit') }}"
+ owner: "{{ _owner }}"
+ group: "{{ _group }}"
 mode: "{{ _mode }}"
 ignore_errors: "{{ ansible_check_mode }}"
 notify:
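Review bot: The two new `vars` entries use `default(...)` while the `_mode` line directly above uses the `d(...)` alias, and `_mode` still carries a stray space before its colon; writing `_owner: "{{ install.item.owner | d(pki_install_owner) }}"` and `_group: "{{ install.item.group | d(pki_install_group) }}"` keeps the three lookups uniform. Note also that `default()` only fills in an undefined key, so an entry that sets `owner: ""` or `owner: null` would not get the role default and would reach `ansible.builtin.copy` with that empty value; if such entries should fall back as well, `d(pki_install_owner, true)` treats empty values as missing. The loop task these vars belong to starts before the hunk.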