diff --git a/defaults/main.yml b/defaults/main.yml
index 5fb192b..f22a598 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -8,11 +8,12 @@ gen_tls_remote_ca_certs_dir: /etc/ssl/certs
 gen_tls_generate_ca_cert: false
 gen_tls_generate_client_cert: false
 gen_tls_generate_server_cert: false
+gen_tls_force_copy: false
 
 # -------
 # CA CERT
 # -------
-gen_tls_ca_cert: ca.pem
+gen_tls_ca_cert: ca.crt
 gen_tls_ca_csr: ca.csr
 gen_tls_ca_key: ca.key
 gen_tls_ca_key_size: 4096
diff --git a/tasks/generate-client-cert.yaml b/tasks/generate-client-cert.yaml
index 01ea601..c1c55cd 100644
--- a/tasks/generate-client-cert.yaml
+++ b/tasks/generate-client-cert.yaml
@@ -36,7 +36,7 @@
 mode: 0644
 owner: root
 group: root
- when: client_key_file.changed
+ when: client_key_file.changed or gen_tls_force_copy
 
 - name: Check if the client CSR exists
 delegate_to: localhost
@@ -84,4 +84,4 @@
 mode: 0600
 owner: root
 group: root
- when: client_cert_file.changed
+ when: client_cert_file.changed or gen_tls_force_copy
diff --git a/tasks/generate-server-cert.yaml b/tasks/generate-server-cert.yaml
index b83e828..fb00a90 100644
--- a/tasks/generate-server-cert.yaml
+++ b/tasks/generate-server-cert.yaml
@@ -33,7 +33,7 @@
 mode: 0644
 owner: root
 group: root
- when: server_key_file.changed
+ when: server_key_file.changed or gen_tls_force_copy
 
 - name: Check if the server CSR exists
 delegate_to: localhost
@@ -93,4 +93,4 @@
 mode: 0600
 owner: root
 group: root
- when: server_cert_file.changed
+ when: server_cert_file.changed or gen_tls_force_copy
diff --git a/tasks/main.yml b/tasks/main.yml
index 9e3a078..8e25606 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -21,3 +21,9 @@
 - name: Populate /etc/hosts with inventory's hosts
 include_tasks: populate-etc-hosts.yaml
 when: gen_tls_populate_etc_hosts|bool
+
+- name: Update system CA on Debian
+ include_tasks: update-debian-ca.yaml
+ when:
+ - gen_tls_generate_certs
+ - ansible_os_family == "Debian"
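Review bot: The new `gen_tls_force_copy` default carries no comment saying what it forces, and the default rename from `ca.pem` to `ca.crt` silently changes the file name existing deployments look for. A one-line comment above the new variable would do, e.g. `# When true, re-copy the generated keys and certificates to the remote hosts even if the local files did not change`. The rename appears tied to the new Debian trust-store task, since update-ca-certificates only honours files ending in `.crt` under /usr/local/share/ca-certificates; a second comment on `gen_tls_ca_cert` such as `# Must end in .crt for the Debian system CA update to pick it up` would prevent a silent no-op when a user overrides the name, and hosts that already hold a `ca.pem` may need the old name passed explicitly.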
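Review bot: `gen_tls_force_copy` is used as a bare truthy value in the new `when:` at +39, while tasks/main.yml in this same commit writes `gen_tls_populate_etc_hosts|bool`; a value supplied as `-e gen_tls_force_copy=false` arrives as the string "false", which is truthy, so the copy would be forced rather than skipped. Write `when: client_key_file.changed or gen_tls_force_copy|bool` here and in the matching line at +87 of this file. Separately, the copy task this condition guards sets `mode: 0644` while the task keyed on `client_cert_file.changed` below uses `mode: 0600`; if the first task is the one that ships the client private key (its registered name suggests so), the modes look inverted and the key lands world-readable, so `mode: "0600"` belongs on the key. Both task definitions start outside the hunk, so the file paths being copied are not visible here.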
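Review bot: The task whose condition is changed at +36 copies with `mode: 0644` under a `server_key_file.changed` guard, while the task at +96 guarded by `server_cert_file.changed` uses `mode: 0600`; if the first task ships the server private key, as its registered name suggests, the private key is world-readable on the remote host and the public certificate is the one locked down, and the modes should be swapped (`mode: "0600"` on the key). The new condition also uses a bare `gen_tls_force_copy`, which is truthy for the string "false" from extra-vars; `when: server_key_file.changed or gen_tls_force_copy|bool` matches the `|bool` style this commit uses in tasks/main.yml. Both task bodies begin before the hunk, so the source and destination paths could not be checked here.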
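Review bot: The new include is guarded by a bare `gen_tls_generate_certs`, whereas the context line immediately above it casts with `gen_tls_populate_etc_hosts|bool`; an extra-vars string "false" would still run the trust-store update, so write `- gen_tls_generate_certs|bool`. `gen_tls_generate_certs` is also not among the `gen_tls_generate_*` defaults visible in this commit's defaults/main.yml hunk, so if it is not defined elsewhere the play fails on an undefined variable — worth confirming. Because the included file installs the role's CA into the system trust store, every TLS client on the host will then trust anything that CA signs; a comment on the task such as `# Installs the role's CA into the system trust store: all TLS clients on the host will trust certificates it signs` makes that consequence explicit to whoever enables it.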
diff --git a/tasks/update-debian-ca.yaml b/tasks/update-debian-ca.yaml
new file mode 100644
index 0000000..184562b
--- /dev/null
+++ b/tasks/update-debian-ca.yaml
@@ -0,0 +1,8 @@
+---
+- name: Copy the CA certificate to directory for system CA update
+ become: yes
+ shell: "cp {{ gen_tls_remote_ca_certs_dir }}/{{ gen_tls_ca_cert }} /usr/local/share/ca-certificates"
+
+- name: Update the system CA
+ become: yes
+ shell: /usr/sbin/update-ca-certificates
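Review bot: Both new tasks use `shell` for work the `copy` and `command` modules do natively, so the copy is never idempotent (always reports changed, sets no owner or mode) and the two templated paths are interpolated into a shell line unquoted — a `gen_tls_remote_ca_certs_dir` or `gen_tls_ca_cert` containing spaces or shell metacharacters breaks the command or injects into it. `update-ca-certificates` then runs unconditionally on every play, and the destination keeps the source file name, which Debian's update-ca-certificates only honours when it ends in `.crt`; the rename of the default to `ca.crt` in this commit covers the default, but an override such as `ca.pem` would be copied and silently ignored. `become: yes` should be `become: true`. The rewrite below uses `copy` with `remote_src`, forces a `.crt` destination name, and runs the trust-store update only when the file actually changed.
```yaml
---
- name: Install the generated CA certificate into the system trust store
  become: true
  # update-ca-certificates only considers files ending in .crt under this directory,
  # so the destination name is forced to .crt regardless of gen_tls_ca_cert.
  copy:
    src: "{{ gen_tls_remote_ca_certs_dir }}/{{ gen_tls_ca_cert }}"
    dest: "/usr/local/share/ca-certificates/{{ gen_tls_ca_cert | splitext | first }}.crt"
    remote_src: true
    owner: root
    group: root
    mode: "0644"
  register: system_ca_cert

- name: Update the system CA
  become: true
  command: /usr/sbin/update-ca-certificates
  when: system_ca_cert.changed
```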