diff --git a/qa/openldap-tests/build.gradle b/qa/openldap-tests/build.gradle
index eb843d17b0b..6aef9fa2892 100644
--- a/qa/openldap-tests/build.gradle
+++ b/qa/openldap-tests/build.gradle
@@ -10,25 +10,17 @@ dependencies {
 testCompile project(path: xpackModule('core'), configuration: 'testArtifacts')
 }
-processTestResources {
- if (project.rootProject.vagrantSupported) {
- dependsOn "openLdapFixture"
- }
-}
-
-sourceSets {
- test {
- resources {
- srcDirs += idpFixtureProject.file("src/main/resources/provision/generated")
- }
- }
-}
-
 task openLdapFixture {
 dependsOn "vagrantCheckVersion", "virtualboxCheckVersion", idpFixtureProject.up
 }
+String outputDir = "generated-resources/${project.name}"
+task copyIdpTrust(type: Copy) {
+ from idpFixtureProject.file('src/main/resources/certs/idptrust.jks');
+ into outputDir
+}
 if (project.rootProject.vagrantSupported) {
+ project.sourceSets.test.output.dir(outputDir, builtBy: copyIdpTrust)
 test.dependsOn openLdapFixture
 test.finalizedBy idpFixtureProject.halt
 } else {
@@ -39,3 +31,4 @@ namingConventions {
 // integ tests use Tests instead of IT
 skipIntegTestInDisguise = true
 }
+
diff --git a/qa/openldap-tests/src/test/java/org/elasticsearch/test/OpenLdapTests.java b/qa/openldap-tests/src/test/java/org/elasticsearch/test/OpenLdapTests.java
index b07324e09df..c6e10130db7 100644
--- a/qa/openldap-tests/src/test/java/org/elasticsearch/test/OpenLdapTests.java
+++ b/qa/openldap-tests/src/test/java/org/elasticsearch/test/OpenLdapTests.java
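Review bot: `project.sourceSets.test.output.dir(outputDir, builtBy: copyIdpTrust)` is registered only inside `if (project.rootProject.vagrantSupported)`, so `/idptrust.jks` is on the test classpath only when the fixture can run; the else-branch lies outside the hunk, so presumably the tests are skipped there, but a one-line comment above the call, `// idptrust.jks is only on the test classpath when the vagrant fixture is available`, would spare the next reader that question. The semicolon ending `from idpFixtureProject.file('src/main/resources/certs/idptrust.jks');` is inconsistent with the unterminated `into outputDir` on the next line, and Groovy needs neither; the same pattern appears in the qa/saml-idp-tests/build.gradle hunk of this commit.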
@@ -53,7 +53,7 @@ public class OpenLdapTests extends ESTestCase {
 public static final String PASSWORD = "NickFuryHeartsES";
 private static final String HAWKEYE_DN = "uid=hawkeye,ou=people,dc=oldap,dc=test,dc=elasticsearch,dc=com";
- public static final String LDAPTRUST_PATH = "/org/elasticsearch/xpack/security/authc/ldap/support/idptrust.jks";
+ public static final String LDAPTRUST_PATH = "/idptrust.jks";
 private static final SecureString PASSWORD_SECURE_STRING = new SecureString(PASSWORD.toCharArray());
 private boolean useGlobalSSL;
diff --git a/qa/openldap-tests/src/test/java/org/elasticsearch/xpack/security/authc/ldap/SearchGroupsResolverTests.java b/qa/openldap-tests/src/test/java/org/elasticsearch/xpack/security/authc/ldap/SearchGroupsResolverTests.java
index 4ebeec779a2..1292e8f2a30 100644
--- a/qa/openldap-tests/src/test/java/org/elasticsearch/xpack/security/authc/ldap/SearchGroupsResolverTests.java
+++ b/qa/openldap-tests/src/test/java/org/elasticsearch/xpack/security/authc/ldap/SearchGroupsResolverTests.java
@@ -175,6 +175,6 @@ import static org.hamcrest.Matchers.notNullValue;
 @Override
 protected String trustPath() {
- return "/org/elasticsearch/xpack/security/authc/ldap/support/idptrust.jks";
+ return "/idptrust.jks";
 }
 }
\ No newline at end of file
diff --git a/qa/saml-idp-tests/build.gradle b/qa/saml-idp-tests/build.gradle
index 6c23adb68fc..2570cd6cc9b 100644
--- a/qa/saml-idp-tests/build.gradle
+++ b/qa/saml-idp-tests/build.gradle
@@ -18,8 +18,7 @@ task idpFixture {
 String outputDir = "generated-resources/${project.name}"
 task copyIdpCertificate(type: Copy) {
- dependsOn idpFixture
- from idpFixtureProject.file('src/main/resources/provision/generated/ca_server.pem');
+ from idpFixtureProject.file('src/main/resources/certs/ca.crt');
 into outputDir
 }
 if (project.rootProject.vagrantSupported) {
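Review bot: `return "/idptrust.jks";` in `trustPath()` duplicates the value that the OpenLdapTests hunk of this same commit assigns to `OpenLdapTests.LDAPTRUST_PATH`; both test sources live in qa/openldap-tests and the constant is `public static final`, so `return OpenLdapTests.LDAPTRUST_PATH;` keeps the two from drifting the next time the resource moves (an import of `org.elasticsearch.test.OpenLdapTests` would be needed if the file does not already have one). The file also still ends without a trailing newline, as the `\ No newline at end of file` marker shows; worth fixing while the line is being touched.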
diff --git a/qa/saml-idp-tests/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlAuthenticationIT.java b/qa/saml-idp-tests/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlAuthenticationIT.java
index 433474ed6d1..15ce26128bc 100644
--- a/qa/saml-idp-tests/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlAuthenticationIT.java
+++ b/qa/saml-idp-tests/src/test/java/org/elasticsearch/xpack/security/authc/saml/SamlAuthenticationIT.java
@@ -551,7 +551,7 @@ public class SamlAuthenticationIT extends ESRestTestCase {
 }
 private SSLContext getClientSslContext() throws Exception {
- final Path pem = getDataPath("/ca_server.pem");
+ final Path pem = getDataPath("/ca.crt");
 final Certificate[] certificates = CertUtils.readCertificates(Collections.singletonList(pem));
 final X509ExtendedTrustManager trustManager = CertUtils.trustManager(certificates);
 SSLContext context = SSLContext.getInstance("TLS");
diff --git a/test/idp-fixture/src/main/resources/certs/README.txt b/test/idp-fixture/src/main/resources/certs/README.txt
new file mode 100644
index 00000000000..3259198fd3a
--- /dev/null
+++ b/test/idp-fixture/src/main/resources/certs/README.txt
@@ -0,0 +1,15 @@
+File in this directory are:
+
+idp-ca.crt
+idp-ca.key
+ Description: A CA for the IdP
+ Generated Date: 2018-02-07
+ Command: bin/x-pack/certutil ca --ca-dn 'CN=idp-fixture,OU=elasticsearch,DC=elastic,DC=co' --days 5000 -keysize 1024 --out idp-ca.zip --pem
+ X-Pack Version: 6.2.0
+
+idptrust.jks
+ Description: Java Keystore Format of CA cert
+ Generated Date: 2018-02-07
+ Command: keytool -importcert -file ca.crt -alias idp-fixture-ca -keystore idptrust.jks -noprompt -storepass changeit
+ Java Version: Java(TM) SE Runtime Environment (build 9.0.1+11)
+
diff --git a/test/idp-fixture/src/main/resources/certs/ca.crt b/test/idp-fixture/src/main/resources/certs/ca.crt
new file mode 100644
index 00000000000..1ab8e866c17
--- /dev/null
+++ b/test/idp-fixture/src/main/resources/certs/ca.crt
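Review bot: `getDataPath("/ca.crt")` now loads a CA that, according to the README added in this commit, was generated with `-keysize 1024`; the JDK's default `jdk.certpath.disabledAlgorithms` has historically rejected only RSA below 1024 bits, but hardened system crypto policies raise that floor to 2048, and on such hosts `CertUtils.trustManager(certificates)` or the handshake that follows can fail with a message that does not point back at the fixture. The same README gives `--days 5000` from 2018-02-07, so the fixture CA presumably expires in late 2031 and the test will start failing then without any code change. A comment at the `pem` line such as `// fixture CA is 1024-bit RSA and expires ~2031 (see test/idp-fixture/src/main/resources/certs/README.txt)` would save the next person a debugging session. `getClientSslContext` continues outside the hunk.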
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDEDCCAnmgAwIBAgIVAOLlDV8Lvg17LwKqchYKcsog1SyKMA0GCSqGSIb3DQEB
+CwUAMFsxEjAQBgoJkiaJk/IsZAEZFgJjbzEXMBUGCgmSJomT8ixkARkWB2VsYXN0
+aWMxFjAUBgNVBAsTDWVsYXN0aWNzZWFyY2gxFDASBgNVBAMTC2lkcC1maXh0dXJl
+MB4XDTE4MDIwNzAzMjAwNloXDTMxMTAxNzAzMjAwNlowWzESMBAGCgmSJomT8ixk
+ARkWAmNvMRcwFQYKCZImiZPyLGQBGRYHZWxhc3RpYzEWMBQGA1UECxMNZWxhc3Rp
+Y3NlYXJjaDEUMBIGA1UEAxMLaWRwLWZpeHR1cmUwgZ8wDQYJKoZIhvcNAQEBBQAD
+gY0AMIGJAoGBALWf8R7uGnrrmuQ26khwQ/81f+x57RgE1cHQGp0sBkwsijzZPpuU
+8ZkqYMNXG/LU2hNfAv4LeCsighgo4Le+TkBKncbucQcNM+dLINvhAfgYp9QAdGjk
+89hxWEQ6p/Tr98TG0Qd7jZa6bu8azMf7+bmjKpHaffIMpxDnkPZsaxodAgMBAAGj
+gc8wgcwwHQYDVR0OBBYEFDsd63fpzLH1G+aduhypBPctWuNNMIGZBgNVHSMEgZEw
+gY6AFDsd63fpzLH1G+aduhypBPctWuNNoV+kXTBbMRQwEgYDVQQDEwtpZHAtZml4
+dHVyZTEWMBQGA1UECxMNZWxhc3RpY3NlYXJjaDEXMBUGCgmSJomT8ixkARkWB2Vs
+YXN0aWMxEjAQBgoJkiaJk/IsZAEZFgJjb4IVAOLlDV8Lvg17LwKqchYKcsog1SyK
+MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADgYEAi1bfK31u7deMDLXv
+Axrg1nJjEzMjkb6F/tqA2hJCokvWz2sdKPLHfrfOu2edHm4qQABAdnmRtE/1xsYm
+xVuZA+O7khEkXv5ql65HIgCHL0hEvFWfKzMDCjgm+1rvNTMbgsRj2RGzEQeu/Aqg
+Nv2mnc0Vjk3kaAQ0JtmCI8k6fM0=
+-----END CERTIFICATE-----
diff --git a/test/idp-fixture/src/main/resources/certs/ca.key b/test/idp-fixture/src/main/resources/certs/ca.key
new file mode 100644
index 00000000000..9f93ff3b7ce
--- /dev/null
+++ b/test/idp-fixture/src/main/resources/certs/ca.key
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQC1n/Ee7hp665rkNupIcEP/NX/see0YBNXB0BqdLAZMLIo82T6b
+lPGZKmDDVxvy1NoTXwL+C3grIoIYKOC3vk5ASp3G7nEHDTPnSyDb4QH4GKfUAHRo
+5PPYcVhEOqf06/fExtEHe42Wum7vGszH+/m5oyqR2n3yDKcQ55D2bGsaHQIDAQAB
+AoGACfOsm5xCWS/ludGEftmf8DD3RHbd1e4V5FvJyYjrA2uBW5ovwwijQFhBGxL/
+1gtxs5QGLvNj70Ehzb8XqRnFYcrSUxkABCcO9vJf8wuamtPeaQzlSVSVM9myjkBu
+2EhegkFXSgFiVX6A/sxm8e8bqxxouz46Upa2/YLKhcb5oiECQQDb3HhP0hIx0oDj
+h1FXLACtbTlYUg8gGylD17RsWSPB765tOTt65/KztyH8BmdlTAKxIC5BHEQLYiug
+u3KwPEk5AkEA03qFxj/quoH6l0y7i8kah97KCtiM0kg4oXYDuSDIzt4NqdNw/UWx
+p3DGiIPpY5errR1ytyPiiuM2j+c5oUcMBQJAfC4SZkMos6tJ0Tlk3++iklHWyePP
+VzsAG6mB5pCSeb9+rYJd7hWEJ62QLGERlU1RV+ntNilY5XUVXzuAk7n5QQJBANLg
+31q0S9WVXRPYUT/v1kPcVi6Ah9P8bnQa4VWOqo8WABvzmz0DbUahf2eL2oQULv3e
+WpDi+Lk0HylaEi6PUR0CQQDHTzjyjuTLmnPw5AvZw7oQgilZxTUhOapw3Ihcq/KA
+T8oFnLwmnMs+kZOO6e2QcagXaFXufH1w/MvxhSjHj8SO
+-----END RSA PRIVATE KEY-----
diff --git a/test/idp-fixture/src/main/resources/certs/idptrust.jks b/test/idp-fixture/src/main/resources/certs/idptrust.jks
new file mode 100644
index 00000000000..fbd3135095f
Binary files /dev/null and b/test/idp-fixture/src/main/resources/certs/idptrust.jks differ
diff --git a/test/idp-fixture/src/main/resources/provision/roles/certs/tasks/main.yml b/test/idp-fixture/src/main/resources/provision/roles/certs/tasks/main.yml
index 07c378ed8c5..553b9eff5d7 100644
--- a/test/idp-fixture/src/main/resources/provision/roles/certs/tasks/main.yml
+++ b/test/idp-fixture/src/main/resources/provision/roles/certs/tasks/main.yml
@@ -16,12 +16,6 @@
 group: ssl-cert
 mode: 0777
-- name: Copy CA cert template
- copy:
- src: ca_server.conf
- dest: "{{ ssl_dir_templates }}/ca_server.conf"
- mode: 0666
-
 - name: Copy server cert template
 template:
 src: cert_server.conf.j2
@@ -34,32 +28,18 @@
 dest: "{{ ssl_dir_templates }}/keystore_server.conf"
 mode: 0666
-- name: Create CA Key
- command: "certtool -p --outfile {{ ssl_dir_private }}/ca_server.key"
- args:
- creates: "{{ ssl_dir_private }}/ca_server.key"
+- name: Copy CA Cert
+ copy:
+ src: "../certs/ca.crt"
+ dest: "{{ ssl_dir_certs }}/ca_server.pem"
+ mode: 0666
+ register: copy_ca
-- name: Create CA Cert
- command: "certtool -s --load-privkey {{ ssl_dir_private }}/ca_server.key --template {{ ssl_dir_templates }}/ca_server.conf --outfile {{ ssl_dir_certs }}/ca_server.pem"
- args:
- creates: "{{ ssl_dir_certs }}/ca_server.pem"
-
-- name: Fetch CA Cert
- fetch:
- src: "{{ ssl_dir_certs }}/ca_server.pem"
- dest: "generated/"
- flat: yes
-
-- name: Create CA JKS trust
- command: "keytool -importcert -file {{ ssl_dir_certs }}/ca_server.pem -alias generated_ca_cert -keystore {{ ssl_dir_certs }}/idptrust.jks -noprompt -storepass changeit"
- args:
- creates: "{{ ssl_dir_certs }}/idptrust.jks"
-
-- name: Fetch CA JKS trust
- fetch:
- src: "{{ ssl_dir_certs }}/idptrust.jks"
- dest: "generated/org/elasticsearch/xpack/security/authc/ldap/support/"
- flat: yes
+- name: Copy CA Key
+ copy:
+ src: "../certs/ca.key"
+ dest: "{{ ssl_dir_private }}/ca_server.key"
+ mode: 0600
 - name: Create Key for LDAP Service
 command: "certtool -p --sec-param high --outfile {{ ssl_dir_private }}/{{ openldap_key_name }}"
@@ -72,6 +52,12 @@
 group: ssl-cert
 mode: 0640
+- name: Delete old LDAP cert
+ file:
+ path: "{{ ssl_dir_certs }}/{{ openldap_cert_name}}"
+ state: absent
+ when: copy_ca.changed
+
 - name: Create Cert for LDAP
 command: "certtool -c --load-privkey {{ ssl_dir_private }}/{{ openldap_key_name }} --load-ca-certificate {{ ssl_dir_certs }}/ca_server.pem --load-ca-privkey {{ ssl_dir_private }}/ca_server.key --template {{ ssl_dir_templates }}/cert_server.conf --outfile {{ ssl_dir_certs }}/{{ openldap_cert_name}}"
 args:
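Review bot: `Copy CA Key` installs a CA private key that is now checked into the repository as `../certs/ca.key`, so every provisioned fixture shares one CA whose key is public; that is acceptable for a throwaway test VM, but the task deserves a comment saying so, e.g. `# test-only CA; its key is public in test/idp-fixture/src/main/resources/certs and must not be reused elsewhere`. The README added in this commit lists the files as idp-ca.crt/idp-ca.key while this role copies `../certs/ca.crt` and `../certs/ca.key`, so one of the two should be corrected before someone regenerates the CA from the documented command. `Copy CA Cert` uses `mode: 0666`; the certificate is public but nothing needs it world-writable, and `mode: 0644` matches the 0640/0600 used for the other files here. In the `Delete old LDAP cert` task of the next hunk, `{{ openldap_cert_name}}` lacks the space before `}}` that the matching Tomcat task in the following hunk has; `path: "{{ ssl_dir_certs }}/{{ openldap_cert_name }}"` keeps them consistent.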
@@ -88,15 +74,29 @@
 group: ssl-cert
 mode: 0640
+- name: Delete old Tomcat cert
+ file:
+ path: "{{ ssl_dir_certs }}/{{ tomcat_cert_name }}"
+ state: absent
+ when: copy_ca.changed
+
 - name: Create Cert for Tomcat
 command: "certtool -c --load-privkey {{ ssl_dir_private }}/{{ tomcat_key_name }} --load-ca-certificate {{ ssl_dir_certs }}/ca_server.pem --load-ca-privkey {{ ssl_dir_private }}/ca_server.key --template {{ ssl_dir_templates }}/cert_server.conf --outfile {{ ssl_dir_certs }}/{{ tomcat_cert_name}}"
 args:
 creates: "{{ ssl_dir_certs }}/{{ tomcat_cert_name}}"
+ register: tomcat_cert
+
+- name: Delete old Tomcat Keystore
+ file:
+ path: "{{ ssl_dir_private }}/{{ tomcat_keystore_name }}"
+ state: absent
+ when: tomcat_cert.changed
 - name: Create Keystore for Tomcat
 command: "certtool --load-ca-certificate {{ ssl_dir_certs }}/ca_server.pem --load-privkey {{ ssl_dir_private }}/{{ tomcat_key_name }} --load-certificate {{ ssl_dir_certs }}/{{ tomcat_cert_name }} --template {{ ssl_dir_templates }}/keystore_server.conf --outder --to-p12 --outfile {{ ssl_dir_private }}/{{ tomcat_keystore_name }}"
 args:
 creates: "{{ ssl_dir_private }}/{{ tomcat_keystore_name }}"
+ notify: Restart Tomcat Service
 - name: Set group for Tomcat Keystore
 file:
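Review bot: The new `notify: Restart Tomcat Service` makes a rebuilt keystore restart Tomcat, but the parallel LDAP path in the previous hunk (`Delete old LDAP cert` followed by `Create Cert for LDAP`) gets no equivalent notify, so on a re-provision with a changed CA slapd would presumably keep serving its old certificate until something else restarts it; worth confirming the LDAP role covers that. `when: copy_ca.changed` and `when: tomcat_cert.changed` depend on `register:` lines attached to other tasks, and the chain is easy to lose; a comment on `Delete old Tomcat Keystore` such as `# the PKCS12 embeds the server cert, so rebuild it whenever that cert was regenerated` records the intent. The handler `Restart Tomcat Service` is not part of this diff, so its name should be checked against the role's handlers.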