diff --git a/roles/pki-root-ca/defaults/main.yml b/roles/pki-root-ca/defaults/main.yml
new file mode 100644
index 0000000..ebfd5ed
--- /dev/null
+++ b/roles/pki-root-ca/defaults/main.yml
@@ -0,0 +1,14 @@
+---
+# pki-root-ca/defaults/main.yml
+pki_dir: "{{ playbook_dir }}/pki"
+
+# ca parameters
+ca_digest: "sha256"
+ca_size: 4096
+ca_root_days: 3650
+
+# passphrases for the key
+ca_root_phrase: "{{ lookup('password', 'credentials/ca_root_phrase length=64') }}"
+
+# noninteractive csr subject
+ca_root_subj: "/C=US/ST=California/L=Menlo Park/O=ON.Lab/OU=Test Deployment/CN=CORD Test Deployment Root CA"
diff --git a/roles/pki-root-ca/tasks/main.yml b/roles/pki-root-ca/tasks/main.yml
new file mode 100644
index 0000000..eb23d09
--- /dev/null
+++ b/roles/pki-root-ca/tasks/main.yml
@@ -0,0 +1,73 @@
+---
+# pki-root-ca/tasks/main.yml
+
+- name: Create root CA directory
+  file:
+    dest: "{{ pki_dir }}/root_ca"
+    state: directory
+
+- name: Create root CA openssl.cnf from template
+  template:
+    src: openssl_root.cnf.j2
+    dest: "{{ pki_dir }}/root_ca/openssl.cnf"
+    force: no
+
+- name: Create subdirs for root CA
+  file:
+    dest: "{{ pki_dir }}/root_ca/{{ item }}"
+    state: directory
+  with_items:
+    - certs
+    - crl
+    - newcerts
+
+- name: Create private CA directory
+  file:
+    dest: "{{ pki_dir }}/root_ca/private"
+    state: directory
+    mode: 0700
+
+- name: Create serial file
+  copy:
+    dest: "{{ pki_dir }}/root_ca/serial"
+    content: "1000"
+    force: no
+
+- name: Create empty index file if it doesn't exist
+  copy:
+    dest: "{{ pki_dir }}/root_ca/index.txt"
+    content: ""
+    force: no
+
+- name: Save root passphrase to root_ca/private/ca_root_phrase
+  copy:
+    dest: "{{ pki_dir }}/root_ca/private/ca_root_phrase"
+    content: "{{ ca_root_phrase }}"
+    mode: 0400
+
+- name: Generate root key
+  command: >
+    openssl genrsa -aes256
+      -out {{ pki_dir }}/root_ca/private/ca_key.pem
+      -passout file:{{ pki_dir }}/root_ca/private/ca_root_phrase
+      {{ ca_size }}
+  args:
+    creates: "{{ pki_dir }}/root_ca/private/ca_key.pem"
+
+- name: Set permissions on root key
+  file:
+    dest: "{{ pki_dir }}/root_ca/private/ca_key.pem"
+    mode: 0400
+
+- name: Create root certificate
+  command: >
+    openssl req -config {{ pki_dir }}/root_ca/openssl.cnf
+      -key {{ pki_dir }}/root_ca/private/ca_key.pem
+      -passin file:{{ pki_dir }}/root_ca/private/ca_root_phrase
+      -new -x509 -days {{ ca_root_days }}
+      -sha256 -extensions v3_ca
+      -subj "{{ ca_root_subj }}"
+      -out {{ pki_dir }}/root_ca/certs/ca_cert.pem
+  args:
+    creates: "{{ pki_dir }}/root_ca/certs/ca_cert.pem"
+
diff --git a/roles/pki-root-ca/templates/openssl_root.cnf.j2 b/roles/pki-root-ca/templates/openssl_root.cnf.j2
new file mode 100644
index 0000000..a7ffced
--- /dev/null
+++ b/roles/pki-root-ca/templates/openssl_root.cnf.j2
@@ -0,0 +1,95 @@
+# Created by openssl_root.cnf.j2, configured by ansible
+
+[ ca ]
+default_ca  = CA_default
+
+[ CA_default ]
+dir               = {{ pki_dir }}/root_ca
+certs             = $dir/certs
+crl_dir           = $dir/crl
+new_certs_dir     = $dir/newcerts
+database          = $dir/index.txt
+serial            = $dir/serial
+RANDFILE          = $dir/private/.randfile
+
+private_key       = $dir/private/ca_key.pem
+certificate       = $dir/certs/ca_cert.pem
+
+crlnumber         = $dir/crl/crlnumber
+crl               = $dir/crl/ca_crl.pem
+crl_extensions    = crl_ext
+default_crl_days  = 30
+
+# Make new requests easier to sign - allow two subjects with same name
+# (Or revoke the old certificate first.)
+unique_subject    = no
+
+default_md        = {{ ca_digest }}
+name_opt          = ca_default
+cert_opt          = ca_default
+default_days      = {{ ca_root_days }}
+preserve          = no
+
+# for CA that only signs intermediate CA certs
+policy            = policy_strict
+
+[ policy_strict ]
+# Used by root CA to sign intermediate CA's, should match
+countryName             = match
+stateOrProvinceName     = match
+organizationName        = match
+organizationalUnitName  = optional
+commonName              = supplied
+emailAddress            = optional
+
+[ req ]
+default_bits         = {{ ca_size }}
+default_md           = {{ ca_digest }}
+distinguished_name   = req_distinguished_name
+string_mask          = utf8only
+x509_extensions      = v3_ca
+
+[ req_distinguished_name ]
+# See <https://en.wikipedia.org/wiki/Certificate_signing_request>.
+countryName                     = Country Name (2 letter code)
+stateOrProvinceName             = State or Province Name
+localityName                    = Locality Name
+0.organizationName              = Organization Name
+organizationalUnitName          = Organizational Unit Name
+commonName                      = Common Name
+emailAddress                    = Email Address
+
+# Some defaults
+countryName_default             = US
+stateOrProvinceName_default     = California
+localityName_default            = Menlo Park
+0.organizationName_default      = ON.Lab
+organizationalUnitName_default  = Test Deployment
+emailAddress_default            = privateca@opencord.org
+
+[ v3_ca ]
+# Extensions for a typical CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:TRUE
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ v3_intermediate_ca ]
+# Extensions for a typical intermediate CA (`man x509v3_config`).
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:TRUE, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+[ crl_ext ]
+# Extension for CRLs (`man x509v3_config`).
+authorityKeyIdentifier=keyid:always
+
+[ ocsp ]
+# Extension for OCSP signing certificates (`man ocsp`).
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, digitalSignature
+extendedKeyUsage = critical, OCSPSigning
+