diff --git a/modules/incus/manifests/init.pp b/modules/incus/manifests/init.pp
index 4bb862a..5bbac37 100644
--- a/modules/incus/manifests/init.pp
+++ b/modules/incus/manifests/init.pp
@@ -21,6 +21,10 @@ class incus (
     enable     => true,
     hasstatus  => true,
     hasrestart => true,
+    subscribe  => [
+      File['/var/lib/incus/server.crt'],
+      File['/var/lib/incus/server.key'],
+    ],
   }
 
   file_line { 'subuid_root':
@@ -55,6 +59,22 @@ class incus (
     }
   }
 
+  file { '/var/lib/incus/server.crt':
+    ensure => file,
+    source => '/etc/pki/tls/vault/certificate.crt',
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0644',
+  }
+
+  file { '/var/lib/incus/server.key':
+    ensure => file,
+    source => '/etc/pki/tls/vault/private.key',
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0600',
+  }
+
   if $facts['incus'] and $facts['incus']['config'] {
     # set core.https_address
     if $facts['incus']['config']['core.https_address'] != "${server_addr}:${server_port}" {