diff --git a/docs/rolereference.rst b/docs/rolereference.rst index 059925aa284cc862635b7e4b8b195ab9f8c68e55..8c79b7a2d9cc151c4d5babcb4cbd4bdc56a80ac2 100644 --- a/docs/rolereference.rst +++ b/docs/rolereference.rst @@ -2,6 +2,28 @@ Role Reference ============== +Common parameters +----------------- + +A number of common parameters are used by all of the roles during +deployment. This section lists such parameters. + +**tls_private_key_dir** (string, optional, ``tls/``) + Path to directory on Ansible host that contains the private keys used by + services deployed by various roles. When TLS key path is not explicitly + defined in a role, this is the directory where the TLS key will be looked-up + during Ansible run. Expected filename pattern is ``FQDN_SERVICE.key`` (for + example, ``mail.example.com_smtp.key`` or ``xmpp.example.com_xmpp.key``). + +**tls_certificate_dir** (string, mandatory if ``ldap_server_tls_certificate`` is not defined) + Path to directory on Ansible host that contains the X.509 certificate files + used by services deployed by various roles. When X.509 certificate path is not + explicitly defined in a role, this is the directory where the X.509 + certificate will be looked-up during Ansible run. Expected filename pattern is + ``FQDN_SERVICE.pem`` (for example, ``mail.example.com_smtp.pem`` or + ``xmpp.example.com_xmpp.pem``). + + Preseed ------- 
@@ -464,11 +486,11 @@ Parameters ` for value description and syntax. -**ldap_server_tls_certificate** (string, optional, ``/etc/ssl/certs/FQDN_ldap.pem``) +**ldap_server_tls_certificate** (string, optional, ``{{ tls_certificate_dir }}/FQDN_ldap.pem``) Path to file on Ansible host that contains the X.509 certificate used for TLS for LDAP service. The file will be copied to directory ``/etc/ssl/certs/``. -**ldap_server_tls_key** (string, optional, ``/etc/ssl/private/FQDN_ldap.key``) +**ldap_server_tls_key** (string, optional, ``{{ tls_private_key_dir }}/FQDN_ldap.key``) Path to file on Ansible host that contains the private key used for TLS for LDAP service. The file will be copied to directory ``/etc/ssl/private/``. @@ -569,11 +591,11 @@ Parameters Prosody. Each item is a string with value equal to XMPP user ID (i.e. ``john.doe@example.com``). -**xmpp_tls_key** (string, mandatory) +**xmpp_tls_key** (string, optional, ``{{ tls_private_key_dir }}/FQDN_xmpp.key``) Path to file on Ansible host that contains the private key used for TLS for XMPP service. The file will be copied to directory ``/etc/ssl/private/``. -**xmpp_tls_certificate** (string, mandatory) +**xmpp_tls_certificate** (string, optional, ``{{ tls_certificate_dir }}/FQDN_xmpp.pem``) Path to file on Ansible host that contains the X.509 certificate used for TLS for SMTP service. The file will be copied to directory ``/etc/ssl/certs/``. diff --git a/roles/ldap_server/defaults/main.yml b/roles/ldap_server/defaults/main.yml index c7df45d41ebc57b2cd57d46c89ad77b8a6338be0..51162356e9897526be52571e0b0094726b5f9855 100644 --- a/roles/ldap_server/defaults/main.yml +++ b/roles/ldap_server/defaults/main.yml 
@@ -6,8 +6,8 @@ ldap_server_domain: "{{ ansible_facts[host]['domain'] }}" ldap_server_int_basedn: "{{ ldap_server_domain | regex_replace('\\.', ',dc=') | regex_replace('^', 'dc=') }}" ldap_server_organization: "Private" ldap_server_log_level: 256 -ldap_server_tls_certificate: "/etc/ssl/certs/{{ ansible_facts[host]['fqdn'] }}_ldap.pem" -ldap_server_tls_key: "/etc/ssl/private/{{ ansible_facts[host]['fqdn'] }}_ldap.key" +ldap_server_tls_certificate: "{{ tls_certificate_dir }}/{{ ansible_facts[host]['fqdn'] }}_ldap.pem" +ldap_server_tls_key: "{{ tls_private_key_dir }}/{{ ansible_facts[host]['fqdn'] }}_ldap.key" ldap_server_ssf: 128 ldap_permissions: - > diff --git a/roles/xmpp_server/defaults/main.yml b/roles/xmpp_server/defaults/main.yml index 43cd1cbd3c394b7fdbc3e7d4f38161aed3e9d0af..1a96a29433373daeb72f8375f221b6afa1018d23 100644 --- a/roles/xmpp_server/defaults/main.yml +++ b/roles/xmpp_server/defaults/main.yml @@ -4,3 +4,5 @@ xmpp_domains: "{{ ansible_facts[host]['domain'] }}" xmpp_ldap_filter: '(mail=$user@$host)' xmpp_ldap_scope: subtree xmpp_ldap_base: "{{ ansible_facts[host]['domain'] | regex_replace('\\.', ',dc=') | regex_replace('^', 'dc=') }}" +xmpp_tls_certificate: "{{ tls_certificate_dir }}/{{ ansible_facts[host]['fqdn'] }}_xmpp.pem" +xmpp_tls_key: "{{ tls_private_key_dir }}/{{ ansible_facts[host]['fqdn'] }}_xmpp.key"
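Review bot: In the new "Common parameters" section of docs/rolereference.rst, the two entries are inconsistent: ``tls_private_key_dir`` is optional with default ``tls/``, while ``tls_certificate_dir`` has no default and is described as mandatory only "if ``ldap_server_tls_certificate`` is not defined", even though the same patch makes ``xmpp_tls_certificate`` default to ``{{ tls_certificate_dir }}/FQDN_xmpp.pem`` as well. Either give ``tls_certificate_dir`` the same kind of default (``tls/``) or state that it is mandatory unless every role's ``*_tls_certificate`` parameter is set explicitly. The entry should also say what ``tls/`` is relative to (playbook directory versus working directory), since a relative path is the only default given. Minor: "looked-up" should be "looked up" in both entries.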
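Review bot: In the ``@@ -569,11 +591,11 @@`` hunk, the description under ``xmpp_tls_certificate`` still reads "used for TLS for SMTP service" although the parameter is for the XMPP service; since the header line of this entry is being rewritten anyway, correct the wording in the same change. Also, moving ``xmpp_tls_key`` and ``xmpp_tls_certificate`` from mandatory to optional removes the early "undefined variable" failure a missing value used to produce; the description should say that the file at the computed default must exist on the Ansible host, otherwise the first sign of a misnamed key file is a failed copy task.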
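Review bot: In the roles/ldap_server/defaults/main.yml hunk, the new defaults reference ``tls_certificate_dir`` and ``tls_private_key_dir``, but nothing in this patch defines either variable in a defaults file, so a playbook that includes the role without setting them fails on an undefined variable as soon as the defaults are rendered. Add both to roles/ldap_server/defaults/main.yml (for example ``tls_private_key_dir: tls/`` and ``tls_certificate_dir: tls/``, matching the documented default) or to a shared location the roles can rely on. Note also the behavioural change for existing deployments: the old defaults looked under ``/etc/ssl/certs/`` and ``/etc/ssl/private/`` on the Ansible host, the new ones look under the ``tls/`` directory, so anyone relying on the previous defaults will need to move their files; this deserves a changelog entry.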
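Review bot: In the roles/xmpp_server/defaults/main.yml hunk, ``xmpp_tls_certificate`` and ``xmpp_tls_key`` previously had no default (the docs called them mandatory), so a missing value failed with a clear undefined-variable message; now they resolve to ``{{ tls_certificate_dir }}/..._xmpp.pem`` and ``{{ tls_private_key_dir }}/..._xmpp.key``, and the dependency on the two directory variables is only satisfied if they are set somewhere outside the role. Add the two directory defaults here as well so the role works stand-alone, and consider an explicit check on the Ansible host (for example a ``stat`` with a failure message that names the expected path) so that a missing key file is reported as such rather than as a generic copy error.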