diff --git a/manifests/deploy.pp b/manifests/deploy.pp
new file mode 100644
index 00000000..59b81fd7
--- /dev/null
+++ b/manifests/deploy.pp
@@ -0,0 +1,18 @@
+# Handles deploying certificates
+#
+# === Parameters:
+#
+# $foreman_proxy:: Deploy certificates needed by Foreman Proxy
+#
+class certs::deploy (
+ Boolean $foreman_proxy = false,
+) {
+ class { 'certs::foreman_proxy':
+ generate => false,
+ deploy => $foreman_proxy,
+ }
+
+ if $foreman_proxy {
+ Class['certs::foreman_proxy'] ~> Service['foreman-proxy']
+ }
+}
diff --git a/manifests/generate.pp b/manifests/generate.pp
new file mode 100644
index 00000000..9500741c
--- /dev/null
+++ b/manifests/generate.pp
@@ -0,0 +1,47 @@
+# Handles generating certificates
+#
+# === Parameters:
+#
+# $apache:: Generates certificates needed by Apache
+#
+# $foreman:: Generates certificates needed by Foreman
+#
+# $candlepin:: Generates certificates needed by Candlepin
+#
+# $foreman_proxy:: Generates certificates needed by Foreman Proxy
+#
+# $puppet:: Generates certificates needed by Puppet
+#
+class certs::generate (
+ Boolean $apache = false,
+ Boolean $foreman = false,
+ Boolean $candlepin = false,
+ Boolean $foreman_proxy = false,
+ Boolean $puppet = false,
+) {
+ class { 'certs::apache':
+ generate => $apache,
+ deploy => false,
+ }
+
+ class { 'certs::foreman':
+ generate => $foreman,
+ deploy => false,
+ }
+
+ class { 'certs::candlepin':
+ generate => $candlepin,
+ deploy => false,
+ hostname => 'localhost',
+ }
+
+ class { 'certs::foreman_proxy':
+ generate => $foreman_proxy,
+ deploy => false,
+ }
+
+ class { 'certs::puppet':
+ generate => $puppet,
+ deploy => false,
+ }
+}
diff --git a/spec/acceptance/certs_generate_spec.rb b/spec/acceptance/certs_generate_spec.rb
new file mode 100644
index 00000000..2f7994ba
--- /dev/null
+++ b/spec/acceptance/certs_generate_spec.rb
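Review bot: In manifests/deploy.pp, `Class['certs::foreman_proxy'] ~> Service['foreman-proxy']` refers to a service that this class does not declare, so a catalog that sets `foreman_proxy => true` without something else managing that service will fail to compile on the unresolved reference. If the restart is meant to happen only where the service is managed, a collector keeps the notification without the hard dependency: `Class['certs::foreman_proxy'] ~> Service <| title == 'foreman-proxy' |>`; otherwise the header comment should state the requirement. Separately, this class and certs::generate in manifests/generate.pp both use a resource-like declaration of certs::foreman_proxy, so the two cannot appear in one catalog; both headers should say so, e.g. `# Must not be combined with certs::generate in the same catalog`.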
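Review bot: In manifests/generate.pp the `certs::candlepin` declaration passes the literal `hostname => 'localhost'`, the only extra argument among the five declarations, and neither the header nor a comment explains it. Because that value presumably ends up as the name in the issued certificate, a reader needs to know whether it is deliberate; if it is, record it above the declaration with something like `# Candlepin's certificate is intentionally issued for localhost`, and if not, expose it as a class parameter. The acceptance spec in this commit expects the generated private key under /root/ssl-build to be unencrypted, so the header should also say that generation leaves unencrypted key material in the build directory.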
@@ -0,0 +1,36 @@
+require 'spec_helper_acceptance'
+
+describe 'certs::foreman_proxy_content' do
+ fqdn = fact('fqdn')
+
+ before(:all) do
+ on default, 'rm -rf /root/ssl-build /etc/pki/katello'
+ end
+
+ context 'with foreman true' do
+ before(:context) do
+ manifest = <<~PUPPET
+ class { 'certs::generate':
+ foreman => true,
+ }
+ PUPPET
+
+ apply_manifest(manifest, catch_failures: true)
+ end
+
+ describe x509_certificate("/root/ssl-build/#{fqdn}/#{fqdn}-foreman-client.crt") do
+ it { should be_certificate }
+ it { should be_valid }
+ it { should have_purpose 'client' }
+ its(:issuer) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fqdn}/) }
+ its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, O = FOREMAN, OU = PUPPET, CN = #{fqdn}/) }
+ its(:keylength) { should be >= 4096 }
+ end
+
+ describe x509_private_key("/root/ssl-build/#{fqdn}/#{fqdn}-foreman-client.key") do
+ it { should_not be_encrypted }
+ it { should be_valid }
+ it { should have_matching_certificate("/root/ssl-build/#{fqdn}/#{fqdn}-foreman-client.crt") }
+ end
+ end
+end
diff --git a/spec/classes/certs_generate_spec.rb b/spec/classes/certs_generate_spec.rb
new file mode 100644
index 00000000..65e01a6f
--- /dev/null
+++ b/spec/classes/certs_generate_spec.rb
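Review bot: The top-level `describe 'certs::foreman_proxy_content' do` in spec/acceptance/certs_generate_spec.rb names a class this spec never applies; the manifest under test is `certs::generate`, so the title should read `describe 'certs::generate' do` to keep failure output pointing at the right class. The `before(:all)` step removes /etc/pki/katello, but nothing afterwards asserts that the run left it absent, which is the observable effect of the `deploy => false` arguments in certs::generate. The private key is expected to be unencrypted, yet its owner and mode are not checked; a `describe file(...)` block on the `.key` path with `be_owned_by` and `be_mode` expectations for the values the module intends would catch a permissions regression. Only the `foreman` flag is exercised here.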
@@ -0,0 +1,75 @@
+require 'spec_helper'
+
+describe 'certs::generate' do
+ on_supported_os.each do |os, os_facts|
+ context "on #{os}" do
+ let :facts do
+ os_facts
+ end
+
+ describe 'with default parameters' do
+ it { should compile.with_all_deps }
+ end
+
+ describe 'with apache true' do
+ let :params do
+ { apache: true }
+ end
+
+ it { should compile.with_all_deps }
+
+ it do
+ is_expected.to contain_class('certs::apache')
+ end
+ end
+
+ describe 'with foreman true' do
+ let :params do
+ { foreman: true }
+ end
+
+ it { should compile.with_all_deps }
+
+ it do
+ is_expected.to contain_class('certs::foreman')
+ end
+ end
+
+ describe 'with candlepin true' do
+ let :params do
+ { candlepin: true }
+ end
+
+ it { should compile.with_all_deps }
+
+ it do
+ is_expected.to contain_class('certs::candlepin')
+ end
+ end
+
+ describe 'with foreman_proxy true' do
+ let :params do
+ { foreman_proxy: true }
+ end
+
+ it { should compile.with_all_deps }
+
+ it do
+ is_expected.to contain_class('certs::foreman_proxy')
+ end
+ end
+
+ describe 'with puppet true' do
+ let :params do
+ { puppet: true }
+ end
+
+ it { should compile.with_all_deps }
+
+ it do
+ is_expected.to contain_class('certs::puppet')
+ end
+ end
+ end
+ end
+end
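Review bot: Every `contain_class` expectation in spec/classes/certs_generate_spec.rb passes whatever the parameter under test is set to, because certs::generate declares all five classes unconditionally and only varies their `generate` argument. Pin the argument instead, e.g. `is_expected.to contain_class('certs::apache').with(generate: true, deploy: false)`, and add the inverse (`generate: false`) to the default-parameters case so a flag wired to the wrong class is caught. The same change applies to the foreman, candlepin, foreman_proxy and puppet cases; the candlepin case should also pin `hostname: 'localhost'`. No unit spec for certs::deploy appears in the diff as shown here.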