diff --git a/docs/rolereference.rst b/docs/rolereference.rst
index c50c4d97abe311127956cba7fe7cfc75c1089f4f..5f36c34ce430a3dacf1ac52fc6719ced38726e72 100644
--- a/docs/rolereference.rst
+++ b/docs/rolereference.rst
@@ -916,6 +916,7 @@ The role implements the following:
 * Adds website administrator to website's group, so administrator could manage the code and data.
 * Installs additional packages required for running the role (as configured).
+* Deploys the HTTPS TLS private key and certificate (for website vhost).
 * Configures PHP FPM and nginx to serve the website. The role is implemented with the following layout/logic in mind:
@@ -965,6 +966,14 @@ Parameters
 succession, until the first match, or until it runs out of matches, when a client requests an URI pointing to directory. Default is ``index.php``.
+**https_tls_certificate** (string, mandatory)
+ Path to file on Ansible host that contains the X.509 certificate used for TLS
+ for HTTPS service. The file will be copied to directory ``/etc/ssl/certs/``.
+
+**https_tls_key** (string, mandatory)
+ Path to file on Ansible host that contains the private key used for TLS for
+ HTTPS service. The file will be copied to directory ``/etc/ssl/private/``.
+
 **php_file_regex** (string, optional)
 Regular expression used for determining which file should be interepted via PHP. Default is ``\.php$``.
@@ -1020,6 +1029,8 @@ running *ownCloud* and *The Bug Genie* applications):
 - php5-json
 - php5-mysql
 - php5-curl
+ https_tls_key: "{{ inventory_dir }}/tls/cloud.example.com_https.key"
+ https_tls_certificate: "{{ inventory_dir }}/tls/cloud.example.com_https.pem"
 - role: php_website
 admin: admin
 deny_files_regex:
@@ -1028,7 +1039,8 @@ running *ownCloud* and *The Bug Genie* applications):
 - ^(.*) /index.php?url=$1
 fqdn: tbg.example.com
 uid: 2007
-
+ https_tls_key: "{{ inventory_dir }}/tls/tbg.example.com_https.key"
+ https_tls_certificate: "{{ inventory_dir }}/tls/tbg.example.com_https.pem"
 WSGI Website
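Review bot: The new **https_tls_key** and **https_tls_certificate** entries in the @@ -965 hunk (and their copies in the WSGI Website parameters hunk, @@ -1103) do not say that the file is stored under the basename of the supplied path, so two websites on one host whose key or certificate files share a name will overwrite each other in ``/etc/ssl/private/`` and ``/etc/ssl/certs/`` without any error. They also omit the ownership and mode the role applies, which an operator auditing who can read the key needs to know. Suggest adding to the key entry `The file keeps its basename (which must therefore be unique among websites on the host) and is installed with owner/group ``root`` and mode ``0640``.` and the same sentence with mode ``0644`` to the certificate entry.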
@@ -1058,6 +1070,7 @@ The role implements the following:
 * Installs additional packages required for running the role in Python virtual environment (as configured).
 * Configures systemd to run the website code (using Gunicorn)
+* Deploys the HTTPS TLS private key and certificate (for website vhost).
 * Configures nginx to serve the website (static files served directly, requests passed on to Gunicorn).
@@ -1103,6 +1116,14 @@ Parameters
 for calculating the user/group name for dedicated website user, as well as home directory of the website user (where data/code should be stored at).
+**https_tls_certificate** (string, mandatory)
+ Path to file on Ansible host that contains the X.509 certificate used for TLS
+ for HTTPS service. The file will be copied to directory ``/etc/ssl/certs/``.
+
+**https_tls_key** (string, mandatory)
+ Path to file on Ansible host that contains the private key used for TLS for
+ HTTPS service. The file will be copied to directory ``/etc/ssl/private/``.
+
 **packages** (list, optional)
 A list of additional packages to install for this particular WSGI website. This is usually going to be development libraries for building Python
@@ -1147,8 +1168,6 @@ running a bare Django project):
 .. code-block:: yaml
- ---
-
 - role: wsgi_website
 admin: admin
 fqdn: django.example.com
@@ -1159,3 +1178,5 @@ running a bare Django project):
 virtualenv_packages:
 - django
 wsgi_application: django_example_com.wsgi:application
+ https_tls_key: "{{ inventory_dir }}/tls/wsgi.example.com_https.key"
+ https_tls_certificate: "{{ inventory_dir }}/tls/wsgi.example.com_https.pem"
diff --git a/roles/php_website/tasks/main.yml b/roles/php_website/tasks/main.yml
index 24251388d58b6333c4562a56b066c90d13f99713..51b5bd0a27d40127fe3d0c52a729765930961240 100644
--- a/roles/php_website/tasks/main.yml
+++ b/roles/php_website/tasks/main.yml
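Review bot: In the @@ -1159 hunk the WSGI example's new TLS paths point at `wsgi.example.com_https.key` / `wsgi.example.com_https.pem`, while the same example sets `fqdn: django.example.com` (visible in the @@ -1147 hunk context), and the PHP examples name the files after the fqdn (`cloud.example.com_https.*`, `tbg.example.com_https.*`). A reader copying the example ends up with certificate files whose names do not match the vhost they serve. Suggest `https_tls_key: "{{ inventory_dir }}/tls/django.example.com_https.key"` and `https_tls_certificate: "{{ inventory_dir }}/tls/django.example.com_https.pem"`.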
@@ -32,6 +32,18 @@
 notify:
 - Restart php5-fpm
+- name: Deploy nginx TLS private key for website
+ copy: dest="/etc/ssl/private/{{ https_tls_key | basename }}" src="{{ https_tls_key }}"
+ mode=640 owner=root group=root
+ notify:
+ - Restart nginx
+
+- name: Deploy nginx TLS certificate for website
+ copy: dest="/etc/ssl/certs/{{ https_tls_certificate | basename }}" src="{{ https_tls_certificate }}"
+ mode=644 owner=root group=root
+ notify:
+ - Restart nginx
+
 - name: Deploy nginx configuration file for website
 template: src="nginx_site.j2" dest="/etc/nginx/sites-available/{{ fqdn }}" owner=root group=root mode=640
 validate="/usr/local/bin/nginx_verify_site.sh -n '{{ fqdn }}' %s"
diff --git a/roles/php_website/templates/nginx_site.j2 b/roles/php_website/templates/nginx_site.j2
index d6ab61ed76ecba0cb7b815970ad4f3baadbff47e..d9a8f1486e660e50e92d92f18599276c1192cf66 100644
--- a/roles/php_website/templates/nginx_site.j2
+++ b/roles/php_website/templates/nginx_site.j2
@@ -1,10 +1,18 @@
 server {
 # Base settings.
- listen 80;
 root {{ home }}/htdocs/;
 index {{ index }};
 server_name {{ fqdn }};
+ # HTTP (plaintext) configuration.
+ listen 80;
+
+ # HTTPS (TLS) configuration.
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ ssl_certificate_key /etc/ssl/private/{{ https_tls_key | basename }};
+ ssl_certificate /etc/ssl/certs/{{ https_tls_certificate | basename }};
+
 {% if rewrites -%}
 # Generic URL rewrites.
 {% for rewrite in rewrites -%}
diff --git a/roles/wsgi_website/tasks/main.yml b/roles/wsgi_website/tasks/main.yml
index 244d9d92006ce63a9056fb05030480276e91fa6d..2490dbca64dc32e7d688541238057e658f477a9f 100644
--- a/roles/wsgi_website/tasks/main.yml
+++ b/roles/wsgi_website/tasks/main.yml
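Review bot: The "Deploy nginx TLS private key for website" task added in the @@ -32 hunk copies private key material with a plain `copy:` and no `no_log: true`, so a run with `--diff` (or a verbose failure) prints the key into the console and into whatever callback or log captures it; the identical task in the wsgi_website tasks hunk (@@ -81) has the same gap. Suggest `no_log: true` on the key task in both roles. Separately, both destinations use only `{{ https_tls_key | basename }}` / `{{ https_tls_certificate | basename }}`, so two websites on the same host with same-named files silently replace each other's key and certificate; prefixing the destination with `{{ fqdn }}` (together with the matching `ssl_certificate*` paths in nginx_site.j2) or at least documenting the uniqueness requirement would close that.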
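Review bot: The HTTPS block added in the nginx_site.j2 hunk keeps `listen 80;` in the same `server` block, so the whole site stays fully reachable over plaintext with no redirect to HTTPS and no HSTS; if that is deliberate (for example while certificates are being rolled out) a comment such as `# Plaintext access intentionally kept; no redirect to HTTPS.` should say so, otherwise a separate port-80 server block with `return 301 https://$host$request_uri;` is the usual shape. The IPv6 listener is also added only for 443 (`listen [::]:443 ssl;`) while port 80 remains IPv4-only; `listen [::]:80;` next to `listen 80;` would keep the two consistent. No `ssl_protocols`/`ssl_ciphers` are set in the block, so the accepted protocol and cipher set is whatever the http-level defaults are on the target — worth confirming against nginx.conf. The same points apply to the wsgi_website template hunk.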
@@ -81,6 +81,18 @@
 file: path="{{ home }}/htdocs/" state=directory owner="{{ admin }}" group="{{ user }}" mode="2750"
+- name: Deploy nginx TLS private key for website
+ copy: dest="/etc/ssl/private/{{ https_tls_key | basename }}" src="{{ https_tls_key }}"
+ mode=640 owner=root group=root
+ notify:
+ - Restart nginx
+
+- name: Deploy nginx TLS certificate for website
+ copy: dest="/etc/ssl/certs/{{ https_tls_certificate | basename }}" src="{{ https_tls_certificate }}"
+ mode=644 owner=root group=root
+ notify:
+ - Restart nginx
+
 - name: Deploy nginx configuration file for website
 template: src="nginx_site.j2" dest="/etc/nginx/sites-available/{{ fqdn }}" owner=root group=root mode=640
 validate="/usr/local/bin/nginx_verify_site.sh -n '{{ fqdn }}' %s"
diff --git a/roles/wsgi_website/templates/nginx_site.j2 b/roles/wsgi_website/templates/nginx_site.j2
index fa96494fceba87997bb257b2019d6ecfc9fd1dde..abdcd17812fdd87b0b093520e166ecba34fbc0b9 100644
--- a/roles/wsgi_website/templates/nginx_site.j2
+++ b/roles/wsgi_website/templates/nginx_site.j2
@@ -1,10 +1,17 @@
 server {
- listen 80;
-
+ # Base settings.
 root {{ home }}/htdocs/; - server_name {{ fqdn }};
+ # HTTP (plaintext) configuration.
+ listen 80;
+
+ # HTTPS (TLS) configuration.
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ ssl_certificate_key /etc/ssl/private/{{ https_tls_key | basename }};
+ ssl_certificate /etc/ssl/certs/{{ https_tls_certificate | basename }};
+
 {% if rewrites -%}
 # Site rewrites.
 {% for rewrite in rewrites -%}
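Review bot: In the wsgi_website nginx_site.j2 hunk the line `server_name {{ fqdn }};` is preceded by a `-` marker and is not re-added on the new side, whereas the php_website template keeps it as context; the collapsed diff leaves open whether that `-` belongs to a removed blank line instead, but the old/new line counts (10 → 17 with ten added lines) are consistent with three removed lines. If `server_name` really is gone, the WSGI vhost is matched only as nginx's default server, name-based routing for the fqdn breaks, and the new certificate is presented for whatever Host happens to land on that listener. Please confirm the new file still contains `server_name {{ fqdn }};` under `# Base settings.`, next to `root {{ home }}/htdocs/;`.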