diff --git a/site/profiles/manifests/pki/vault.pp b/site/profiles/manifests/pki/vault.pp
index 820836c..7008085 100644
--- a/site/profiles/manifests/pki/vault.pp
+++ b/site/profiles/manifests/pki/vault.pp
@@ -102,5 +102,25 @@ class profiles::pki::vault (
 require => File[$base_path],
 }
 }
+
+ }else{
+ # manage each file resources, but dont change the content
+ $certificate_files = [
+ "${base_path}/certificate.crt",
+ "${base_path}/private.key",
+ "${base_path}/full_chain.crt",
+ "${base_path}/ca_certificate.crt",
+ "${base_path}/certificate.pem"
+ ]
+
+ $certificate_files.each |$file_path| {
+ file { $file_path:
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ require => File[$base_path],
+ }
+ }
 }
 }
diff --git a/site/profiles/manifests/reposync/webserver.pp b/site/profiles/manifests/reposync/webserver.pp
index baa7f76..12ec17d 100644
--- a/site/profiles/manifests/reposync/webserver.pp
+++ b/site/profiles/manifests/reposync/webserver.pp
@@ -32,6 +32,7 @@ class profiles::reposync::webserver (
 $ssl_key = undef
 $listen_port = $nginx_port
 $listen_ssl_port = undef
+ $extras_hash = {}
 }
 'https': {
 $enable_ssl = true
@@ -39,6 +40,9 @@ class profiles::reposync::webserver (
 $ssl_key = $selected_ssl_key
 $listen_port = $nginx_ssl_port
 $listen_ssl_port = $nginx_ssl_port
+ $extras_hash = {
+ 'subscribe' => [File[$ssl_cert], File[$ssl_key]],
+ }
 }
 'both': {
 $enable_ssl = true
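Review bot: In the new `else` branch of site/profiles/manifests/pki/vault.pp, `private.key` is managed with the same `mode => '0644'` as the public certificates, so every local account can read the TLS private key (and `certificate.pem` as well, if that bundle carries the key; its content is not visible here). Give each path its own mode, for example a path-to-mode hash with `'0600'` for key material, or a dedicated group with `'0640'` if a non-root service has to read it. It is also worth a comment that `ensure => file` without `content` or `source` creates an empty file when the path is missing, so a host that never received a certificate ends up with zero-byte files rather than a failed run. The enclosing class and the `if` branch start outside the hunk, so the mode used by that branch cannot be compared from here.

```puppet
    # … unchanged: }else{ and the leading comment …
    $certificate_files = {
      "${base_path}/certificate.crt"    => '0644',
      "${base_path}/private.key"        => '0600',
      "${base_path}/full_chain.crt"     => '0644',
      "${base_path}/ca_certificate.crt" => '0644',
      # assumed to bundle the private key; relax to '0644' if it holds certificates only
      "${base_path}/certificate.pem"    => '0600',
    }

    $certificate_files.each |$file_path, $file_mode| {
      file { $file_path:
        ensure  => file,
        owner   => 'root',
        group   => 'root',
        mode    => $file_mode,
        require => File[$base_path],
      }
    }
```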
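Review bot: The `'subscribe' => [File[$ssl_cert], File[$ssl_key]]` added for `'https'` (and again for `'both'` in the next hunk) ends up on the `nginx::resource::server` define, and a refresh sent to a define is only forwarded to the resources it contains. If those are plain config files, a renewed certificate may not reload nginx, and the old certificate keeps being served until something else restarts the service. Please confirm with a test rotation, or subscribe the nginx service itself to the two files. The references also only compile when file resources titled exactly `$ssl_cert` and `$ssl_key` are in the catalog, which presumably relies on the declarations in profiles::pki::vault; a one-line comment such as `# File[$ssl_cert] and File[$ssl_key] are declared by profiles::pki::vault` would make that dependency explicit. The `case` statement starts and ends outside this hunk.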
@@ -46,29 +50,37 @@ class profiles::reposync::webserver ( $ssl_key = $selected_ssl_key $listen_port = $nginx_port $listen_ssl_port = $nginx_ssl_port + $extras_hash = { + 'subscribe' => [File[$ssl_cert], File[$ssl_key]], + } } default: { # enum param prevents this ever being reached } } - class { 'nginx': } - - # create the nginx vhost - nginx::resource::server { $nginx_vhost: - listen_port => $listen_port, - server_name => [$nginx_vhost], - use_default_location => true, - access_log => "/var/log/nginx/${nginx_vhost}_access.log", - error_log => "/var/log/nginx/${nginx_vhost}_error.log", - www_root => $www_root, - autoindex => 'on', - ssl => $enable_ssl, - ssl_cert => $ssl_cert, - ssl_key => $ssl_key, - ssl_port => $listen_ssl_port, + # define the default parameters for the nginx server + $defaults = { + 'listen_port' => $listen_port, + 'server_name' => [$nginx_vhost], + 'use_default_location' => true, + 'access_log' => "/var/log/nginx/${nginx_vhost}_access.log", + 'error_log' => "/var/log/nginx/${nginx_vhost}_error.log", + 'www_root' => $www_root, + 'autoindex' => 'on', + 'ssl' => $enable_ssl, + 'ssl_cert' => $ssl_cert, + 'ssl_key' => $ssl_key, + 'ssl_port' => $listen_ssl_port, } + # merge the hashes conditionally + $nginx_parameters = merge($defaults, $extras_hash) + + # create the nginx vhost with the merged parameters + class { 'nginx': } + create_resources('nginx::resource::server', { $nginx_vhost => $nginx_parameters }) + if $favicon { file { "${www_root}/favicon.ico": ensure => 'file',
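Review bot: `merge()` followed by `create_resources()` hides the vhost declaration behind two function calls; since the repository already uses Puppet 4 lambdas, the splat attribute is more direct and needs no stdlib function: `nginx::resource::server { $nginx_vhost: * => $defaults + $extras_hash }`. The comment `# merge the hashes conditionally` is also slightly misleading, because the merge always runs and only the content of `$extras_hash` varies with the protocol. The class body continues past the end of this hunk.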