diff --git a/defaults/main.yaml b/defaults/main.yaml
index 50b3e40..082e816 100644
--- a/defaults/main.yaml
+++ b/defaults/main.yaml
@@ -52,6 +52,27 @@ nodepool_file_launcher_logging_conf_mode: 0644
 nodepool_file_launcher_logging_conf_owner: "{{ nodepool_user_name }}"
 nodepool_file_launcher_logging_conf_src: etc/nodepool/launcher-logging.conf
 
+nodepool_file_zookeeper_tls_cacert_content:
+nodepool_file_zookeeper_tls_cacert_dest: /etc/nodepool/ssl/zookeeper-cacert.pem
+nodepool_file_zookeeper_tls_cacert_group: "{{ nodepool_user_group }}"
+nodepool_file_zookeeper_tls_cacert_mode: 0644
+nodepool_file_zookeeper_tls_cacert_owner: "{{ nodepool_user_name }}"
+nodepool_file_zookeeper_tls_cacert_src: etc/nodepool/ssl/zookeeper-cacert.pem
+
+nodepool_file_zookeeper_tls_cert_content:
+nodepool_file_zookeeper_tls_cert_dest: /etc/nodepool/ssl/zookeeper-client.pem
+nodepool_file_zookeeper_tls_cert_group: "{{ nodepool_user_group }}"
+nodepool_file_zookeeper_tls_cert_mode: 0644
+nodepool_file_zookeeper_tls_cert_owner: "{{ nodepool_user_name }}"
+nodepool_file_zookeeper_tls_cert_src: etc/nodepool/ssl/zookeeper-client.pem
+
+nodepool_file_zookeeper_tls_key_content:
+nodepool_file_zookeeper_tls_key_dest: /etc/nodepool/ssl/zookeeper-client.key
+nodepool_file_zookeeper_tls_key_group: "{{ nodepool_user_group }}"
+nodepool_file_zookeeper_tls_key_mode: 0600
+nodepool_file_zookeeper_tls_key_owner: "{{ nodepool_user_name }}"
+nodepool_file_zookeeper_tls_key_src: etc/nodepool/ssl/zookeeper-client.key
+
 # tasks/install.yaml
 nodepool_git_dest: "{{ ansible_user_dir }}/src/opendev.org/zuul/nodepool"
 nodepool_git_uri: https://opendev.org/zuul/nodepool
diff --git a/tasks/config.yaml b/tasks/config.yaml
index 979e361..5793d0c 100644
--- a/tasks/config.yaml
+++ b/tasks/config.yaml
@@ -21,6 +21,7 @@
 state: directory
 with_items:
 - /etc/nodepool
+ - /etc/nodepool/ssl
 - /opt/nodepool/images
 - /opt/nodepool/tmp
 - /var/log/nodepool
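Review bot: The three `nodepool_file_zookeeper_tls_*_content:` keys are left bare, which loads as null, and the template tasks that consume them in tasks/config.yaml are unconditional, so a deployment that does not set them still gets three files under /etc/nodepool/ssl whose body is whatever Jinja renders for a null value (most likely the text `None`) instead of PEM data; either write `null` explicitly with a comment stating the value is required, or pair them with a `..._manage` flag like the existing `nodepool_file_launcher_logging_conf_manage`. The `..._mode: 0644` / `0600` values are unquoted, so PyYAML reads them as the integers 420 / 384, and tasks/config.yaml passes them through `mode: "{{ … }}"`, where a stringified `420` would be re-read as octal 0420; the existing `nodepool_file_launcher_logging_conf_mode: 0644` in the hunk header uses the same form, so CI may already show this to be harmless, but quoting the new ones (`nodepool_file_zookeeper_tls_key_mode: "0600"`) removes the dependency on YAML 1.1 octal parsing either way. A comment on `nodepool_file_zookeeper_tls_key_content` should state that the value is expected from vault or inventory and must never be given a literal in this file.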
@@ -66,3 +67,33 @@
 src: "{{ nodepool_file_launcher_logging_conf_src }}"
 register: nodepool_file_launcher_logging_conf
 when: nodepool_file_launcher_logging_conf_manage
+
+- name: Install zookeeper tls cacert configuration
+ become: true
+ template:
+ dest: "{{ nodepool_file_zookeeper_tls_cacert_dest }}"
+ group: "{{ nodepool_file_zookeeper_tls_cacert_group }}"
+ mode: "{{ nodepool_file_zookeeper_tls_cacert_mode }}"
+ owner: "{{ nodepool_file_zookeeper_tls_cacert_owner }}"
+ src: "{{ nodepool_file_zookeeper_tls_cacert_src }}"
+ register: nodepool_file_zookeeper_tls_cacert
+
+- name: Install nodepool zookeeper tls cert configuration
+ become: true
+ template:
+ dest: "{{ nodepool_file_zookeeper_tls_cert_dest }}"
+ group: "{{ nodepool_file_zookeeper_tls_cert_group }}"
+ mode: "{{ nodepool_file_zookeeper_tls_cert_mode }}"
+ owner: "{{ nodepool_file_zookeeper_tls_cert_owner }}"
+ src: "{{ nodepool_file_zookeeper_tls_cert_src }}"
+ register: nodepool_file_zookeeper_tls_cert
+
+- name: Install zookeeper tls key configuration
+ become: true
+ template:
+ dest: "{{ nodepool_file_zookeeper_tls_key_dest }}"
+ group: "{{ nodepool_file_zookeeper_tls_key_group }}"
+ mode: "{{ nodepool_file_zookeeper_tls_key_mode }}"
+ owner: "{{ nodepool_file_zookeeper_tls_key_owner }}"
+ src: "{{ nodepool_file_zookeeper_tls_key_src }}"
+ register: nodepool_file_zookeeper_tls_key
diff --git a/templates/etc/nodepool/ssl/zookeeper-cacert.pem b/templates/etc/nodepool/ssl/zookeeper-cacert.pem
new file mode 100644
index 0000000..5a53250
--- /dev/null
+++ b/templates/etc/nodepool/ssl/zookeeper-cacert.pem
@@ -0,0 +1,4 @@
+# This file is generated by Ansible
+# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
+#
+{{ nodepool_file_zookeeper_tls_cacert_content }}
diff --git a/templates/etc/nodepool/ssl/zookeeper-client.key b/templates/etc/nodepool/ssl/zookeeper-client.key
new file mode 100644
index 0000000..6191092
--- /dev/null
+++ b/templates/etc/nodepool/ssl/zookeeper-client.key
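Review bot: The `Install zookeeper tls key configuration` task writes a private key with `template:` but has no `no_log: true`, so a run with `--diff` or raised verbosity prints the key material into the controller's output and any log collector; add `no_log: true` beside `become: true` on that task (the cacert and cert tasks carry public material and can keep their diffs). None of the three tasks has a `when:` guard, unlike the task ending in `when: nodepool_file_launcher_logging_conf_manage` directly above them, so they run and overwrite the files even when the `*_content` variables are unset. The middle task name, `Install nodepool zookeeper tls cert configuration`, carries an extra `nodepool` compared with its two siblings. The three `register:` variables are not referenced within the hunk; drop them unless a later task needs them.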
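Review bot: The template puts three `#` banner lines ahead of the PEM body; OpenSSL-derived readers ignore text outside the `-----BEGIN`/`-----END` markers, but not every PEM consumer does, and the same banner is in the zookeeper-client.key and zookeeper-client.pem templates of this commit. If the files may be read by anything other than the nodepool process itself, reduce the three templates to the bare `{{ … }}` line, or state in the role README that the generated PEM files carry a comment header. Whichever is chosen, keep the three templates identical in shape so a reader of one knows the others.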
@@ -0,0 +1,4 @@
+# This file is generated by Ansible
+# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
+#
+{{ nodepool_file_zookeeper_tls_key_content }}
diff --git a/templates/etc/nodepool/ssl/zookeeper-client.pem b/templates/etc/nodepool/ssl/zookeeper-client.pem
new file mode 100644
index 0000000..e20ba09
--- /dev/null
+++ b/templates/etc/nodepool/ssl/zookeeper-client.pem
@@ -0,0 +1,4 @@
+# This file is generated by Ansible
+# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
+#
+{{ nodepool_file_zookeeper_tls_cert_content }}
diff --git a/tests/playbooks/run.yaml b/tests/playbooks/run.yaml
index 5e91797..d1e34f9 100644
--- a/tests/playbooks/run.yaml
+++ b/tests/playbooks/run.yaml
@@ -46,3 +46,45 @@
 - nodepool_git_dest_stat.stat.exists
 - nodepool_git_dest_stat.stat.isdir
 when: nodepool_install_method == 'git'
+
+ - name: Register /etc/nodepool/ssl/zookeeper-cacert.pem
+ stat:
+ path: /etc/nodepool/ssl/zookeeper-cacert.pem
+ register: _nodepool_file_zookeeper_tls_cacert_stat
+
+ - name: Assert _nodepool_file_zookeeper_tls_cacert_stat tests.
+ assert:
+ that:
+ - _nodepool_file_zookeeper_tls_cacert_stat.stat.exists
+ - _nodepool_file_zookeeper_tls_cacert_stat.stat.isreg
+ - _nodepool_file_zookeeper_tls_cacert_stat.stat.pw_name == 'nodepool'
+ - _nodepool_file_zookeeper_tls_cacert_stat.stat.gr_name == 'nodepool'
+ - _nodepool_file_zookeeper_tls_cacert_stat.stat.mode == '0644'
+
+ - name: Register /etc/nodepool/ssl/zookeeper-client.pem
+ stat:
+ path: /etc/nodepool/ssl/zookeeper-client.pem
+ register: _nodepool_file_zookeeper_tls_cert_stat
+
+ - name: Assert _nodepool_file_zookeeper_tls_cert_stat tests.
+ assert:
+ that:
+ - _nodepool_file_zookeeper_tls_cert_stat.stat.exists
+ - _nodepool_file_zookeeper_tls_cert_stat.stat.isreg
+ - _nodepool_file_zookeeper_tls_cert_stat.stat.pw_name == 'nodepool'
+ - _nodepool_file_zookeeper_tls_cert_stat.stat.gr_name == 'nodepool'
+ - _nodepool_file_zookeeper_tls_cert_stat.stat.mode == '0644'
+
+ - name: Register /etc/nodepool/ssl/zookeeper-client.key
+ stat:
+ path: /etc/nodepool/ssl/zookeeper-client.key
+ register: _nodepool_file_zookeeper_tls_key_stat
+
+ - name: Assert _nodepool_file_zookeeper_tls_key_stat tests.
+ assert:
+ that:
+ - _nodepool_file_zookeeper_tls_key_stat.stat.exists
+ - _nodepool_file_zookeeper_tls_key_stat.stat.isreg
+ - _nodepool_file_zookeeper_tls_key_stat.stat.pw_name == 'nodepool'
+ - _nodepool_file_zookeeper_tls_key_stat.stat.gr_name == 'nodepool'
+ - _nodepool_file_zookeeper_tls_key_stat.stat.mode == '0600'
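Review bot: The six new tasks assert only existence, owner, group and mode of the three files, never their content, so with the `*_content` defaults left unset the test passes against files that hold no PEM data at all. Add a `slurp` per path (with `become: true` for the 0600 key) and assert on the decoded body, e.g. `- "'-----BEGIN' in (_nodepool_file_zookeeper_tls_key_slurp.content | b64decode)"`, which checks presence without echoing the key. The expected owner and group are hard-coded as `'nodepool'` rather than taken from `nodepool_user_name` / `nodepool_user_group`, so the test silently diverges if the role is run with other values. The enclosing play begins outside the hunk.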