diff --git a/manifests/pki/cacert.pp b/manifests/pki/cacert.pp
new file mode 100644
index 00000000..834b1d28
--- /dev/null
+++ b/manifests/pki/cacert.pp
@@ -0,0 +1,16 @@
+# == class: vswitch::pki::cacert
+#
+# Initialize CA authority
+#
+class vswitch::pki::cacert {
+  include vswitch::params
+
+  exec { 'ovs-pki-init-ca-authority':
+    command => 'ovs-pki init --force',
+    creates => '/var/lib/openvswitch/pki/switchca',
+    path    => ['/usr/sbin', '/sbin', '/usr/bin', '/bin'],
+  }
+
+  Package<| title == $::vswitch::params::ovs_package_name |>
+    -> Exec['ovs-pki-init-ca-authority']
+}
diff --git a/manifests/pki/cert.pp b/manifests/pki/cert.pp
new file mode 100644
index 00000000..77fdafe7
--- /dev/null
+++ b/manifests/pki/cert.pp
@@ -0,0 +1,28 @@
+# == define: vswitch::pki::cert
+#
+# Generate certificate
+#
+# == Parameters:
+#
+# [*cert_dir*]
+#  (Optional) The directory in which the cert files are generated.
+#  Defaults to '/etc/openvswitch'
+#
+define vswitch::pki::cert(
+  $cert_dir = '/etc/openvswitch',
+) {
+  include vswitch::params
+
+  exec { "ovs-req-and-sign-cert-${name}":
+    command => "ovs-pki req+sign ${name}",
+    cwd     => $cert_dir,
+    creates => "${cert_dir}/${name}-cert.pem",
+    path    => ['/usr/sbin', '/sbin', '/usr/bin', '/bin'],
+  }
+
+  Package<| title == $::vswitch::params::ovs_package_name |>
+    -> Exec["ovs-req-and-sign-cert-${name}"]
+
+  Exec<| title == 'ovs-pki-init-ca-authority' |>
+    -> Exec["ovs-req-and-sign-cert-${name}"]
+}
diff --git a/releasenotes/notes/ovs-certs-260e0a49737f1887.yaml b/releasenotes/notes/ovs-certs-260e0a49737f1887.yaml
new file mode 100644
index 00000000..69ca9b00
--- /dev/null
+++ b/releasenotes/notes/ovs-certs-260e0a49737f1887.yaml
@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Now this module supports managing a public key infrastructure used by
+    Open vSwitch.
diff --git a/spec/classes/vswitch_pki_cacert_spec.rb b/spec/classes/vswitch_pki_cacert_spec.rb
new file mode 100644
index 00000000..fac0d374
--- /dev/null
+++ b/spec/classes/vswitch_pki_cacert_spec.rb
@@ -0,0 +1,27 @@
+require 'spec_helper'
+
+describe 'vswitch::pki::cacert' do
+
+  shared_examples_for 'vswitch::pki::cacert' do
+    it 'shoud initialize ca authority' do
+      is_expected.to contain_exec('ovs-pki-init-ca-authority').with(
+        :command => 'ovs-pki init --force',
+        :creates => '/var/lib/openvswitch/pki/switchca',
+        :path    => ['/usr/sbin', '/sbin', '/usr/bin', '/bin'],
+      )
+    end
+  end
+
+  on_supported_os({
+    :supported_os => OSDefaults.get_supported_os
+  }).each do |os,facts|
+    context "on #{os}" do
+      let (:facts) do
+        facts.merge!(OSDefaults.get_facts())
+      end
+
+      it_behaves_like "vswitch::pki::cacert"
+    end
+  end
+
+end
diff --git a/spec/defines/vswitch_pki_cert_spec.rb b/spec/defines/vswitch_pki_cert_spec.rb
new file mode 100644
index 00000000..948b70d6
--- /dev/null
+++ b/spec/defines/vswitch_pki_cert_spec.rb
@@ -0,0 +1,30 @@
+require 'spec_helper'
+
+describe 'vswitch::pki::cert' do
+
+  let(:title) {'foo'}
+
+  shared_examples_for 'vswitch::pki::cert' do
+    it 'shoud generate a certificate' do
+      is_expected.to contain_exec('ovs-req-and-sign-cert-foo').with(
+        :command => 'ovs-pki req+sign foo',
+        :cwd     => '/etc/openvswitch',
+        :creates => '/etc/openvswitch/foo-cert.pem',
+        :path    => ['/usr/sbin', '/sbin', '/usr/bin', '/bin'],
+      )
+    end
+  end
+
+  on_supported_os({
+    :supported_os => OSDefaults.get_supported_os
+  }).each do |os,facts|
+    context "on #{os}" do
+      let (:facts) do
+        facts.merge!(OSDefaults.get_facts())
+      end
+
+      it_behaves_like "vswitch::pki::cert"
+    end
+  end
+
+end