diff --git a/docs/rolereference.rst b/docs/rolereference.rst index 29ff6f1ef50cfccf4580d9d952ea3cf16a1af06c..817ac46610e2e0560d358f99851fb703890828d3 100644 --- a/docs/rolereference.rst +++ b/docs/rolereference.rst @@ -358,6 +358,7 @@ destination machine. The role implements the following: +* Deploys LDAP TLS private key and certificate. * Installs OpenLDAP server (package ``slapd``). * Configures OpenLDAP server (base DN - domain, organisation, TLS, SSF, log levels). * Sets-up separate log file for OpenLDAP server at ``/var/log/slapd.log`` (with @@ -395,15 +396,13 @@ Parameters description and syntax. **tls_certificate** (string, mandatory) - Path to *X.509* certificate (on server itself) that should be used as server - certificate for TLS connections. The certificate file should be provided in - ``PEM`` format. If file does not exist, no TLS will be set-up. + Path to file on Ansible host that contains the X.509 certificate used for + TLS for LDAP service. The file will be copied to directory + ``/etc/ssl/certs/``. **tls_key** (string, mandatory) - Path to private key (on server itself) that should be used as server's - private key for TLS connections. The private key should correspond to - certificate listed in option ``tls_certificate``. The key file should be - provided in ``PEM`` format. If file does not exist, no TLS will be set-up. + Path to file on Ansible host that contains the private key used for TLS for + LDAP service. The file will be copied to directory ``/etc/ssl/private/``. **ssf** (number, mandatory) Minimum *Security Strength Factor* to require from all incoming @@ -449,8 +448,8 @@ Here is an example configuration for setting-up LDAP server: domain: "example.com" organization: "Example Corporation" log_level: 256 - tls_certificate: /etc/ssl/certs/ldap.example.com.pem - tls_key: /etc/ssl/private/ldap.example.com.pem + tls_certificate: ~/tls/ldap.example.com_ldap.pem + tls_key: ~/tls/ldap.example.com_ldap.key ssf: 128 ldap_permissions: 
@@ -502,6 +501,7 @@ destination machine. The role implements the following: * Sets-up the Prosody apt repository. +* Deploys XMPP TLS private key and certificate. * Installs Prosody. * Configures Prosody. @@ -530,15 +530,12 @@ Parameters (i.e. ``john.doe@example.com``). **prosody_tls_key** (string, mandatory) - Path to private key (on server itself) that should be used as server's private - key for TLS connections. The private key should correspond to certificate - listed in option ``prosody_tls_certificate``. The key file should be provided - in ``PEM`` format. + Path to file on Ansible host that contains the private key used for TLS for + XMPP service. The file will be copied to directory ``/etc/ssl/private/``. **prosody_tls_certificate** (string, mandatory) - Path to *X.509* certificate (on server itself) that should be used as server - certificate for TLS connections. The certificate file should be provided in - ``PEM`` format. + Path to file on Ansible host that contains the X.509 certificate used for TLS + for SMTP service. The file will be copied to directory ``/etc/ssl/certs/``. **prosody_domains** (list, mandatory) List of domains that are served by this Prosody instance. Each item is a @@ -615,6 +612,7 @@ The role implements the following: * Installs rsync. * Adds the Wheezy backports repository. +* Deploys IMAP/SMTP TLS private keys and certificates. * Installs and configures Dovecot (from backports), Postfix, ClamAV, and ClamAV Milter. * Purges Exim4 configuration (just in case). 
@@ -681,19 +679,22 @@ Parameters GID of the user that owns all the mail files. **imap_tls_certificate** (string, mandatory) - Path to file that contains the X.509 certificate used for TLS for IMAP and - ManageSieve services. + Path to file on Ansible host that contains the X.509 certificate used for TLS + for IMAP and ManageSieve services. The file will be copied to directory + ``/etc/ssl/certs/``. **imap_tls_key** (string, mandatory) - Path to file that contains the private key used for TLS for IMAP and - ManageSieve services. + Path to file on Ansible host that contains the private key used for TLS for + IMAP and ManageSieve services. The file will be copied to directory + ``/etc/ssl/private/``. **smtp_tls_certificate** (string, mandatory) - Path to file that contains the X.509 certificate used for TLS for SMTP - service. + Path to file on Ansible host that contains the X.509 certificate used for TLS + for SMTP service. The file will be copied to directory ``/etc/ssl/certs/``. **smtp_tls_key** (string, mandatory) - Path to file that contains the private key used for TLS for SMTP service. + Path to file on Ansible host that contains the private key used for TLS for + SMTP service. The file will be copied to directory ``/etc/ssl/private/``. **imap_folder_separator** (string, mandatory) Character used for separating the IMAP folders when clients are requesting 
@@ -732,10 +733,10 @@ Here is an example configuration for setting-up XMPP server using Prosody: mail_user_uid: 5000 mail_user_gid: 5000 - imap_tls_certificate: /etc/ssl/certs/mail.example.com_imap.pem - imap_tls_key: /etc/ssl/private/mail.example.com_imap.pem - smtp_tls_certificate: /etc/ssl/certs/mail.example.com_smtp.pem - smtp_tls_key: /etc/ssl/private/mail.example.com_smtp.pem + imap_tls_certificate: ~/tls/mail.example.com_imap.pem + imap_tls_key: ~/tls/mail.example.com_imap.key + smtp_tls_certificate: ~/tls/mail.example.com_smtp.pem + smtp_tls_key: ~/tls/mail.example.com_smtp.key imap_folder_separator: / smtp_rbl: - bl.spamcop.net
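Review bot: In the ``@@ -395,15 +396,13 @@`` hunk the rewritten ``tls_certificate`` and ``tls_key`` descriptions drop two facts the old text carried: that the files must be in ``PEM`` format, and what happens when the path does not exist (the old text said "If file does not exist, no TLS will be set-up"). The new text should say whether a missing file on the Ansible host now fails the play or silently skips TLS, and should still name the expected format. It would also help to state the owner and mode the role applies to the key copied into ``/etc/ssl/private/``, since ``slapd`` must be able to read it and a world-readable private key is the usual mistake here.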
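Review bot: In the ``@@ -449,8 +448,8 @@`` hunk the example switches to ``tls_certificate: ~/tls/ldap.example.com_ldap.pem`` and ``tls_key: ~/tls/ldap.example.com_ldap.key``, which relies on ``~`` being expanded relative to the user running the playbook on the Ansible host. The parameter descriptions should say that a path here is resolved on the control machine (relative to the playbook directory or with ``~`` expansion) so readers do not assume it refers to a user on the target server.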
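Review bot: In the ``@@ -530,15 +530,12 @@`` hunk the new ``prosody_tls_certificate`` description reads "X.509 certificate used for TLS for SMTP service", but this is the Prosody (XMPP) role; it should read "for XMPP service", matching the ``prosody_tls_key`` entry just above it. The same hunk also drops the old requirement that both files be in ``PEM`` format; keep that sentence unless the role now accepts other encodings.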
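Review bot: In the ``@@ -681,19 +679,22 @@`` hunk all four descriptions now say the file "will be copied to directory ``/etc/ssl/certs/``" or "``/etc/ssl/private/``" without saying what filename it gets there. Because ``imap_tls_key`` and ``smtp_tls_key`` (and likewise the two certificates) land in the same directory, the text should state how the destination name is derived from the source path, so a user who supplies two files with the same basename knows whether one overwrites the other.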
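Review bot: In the ``@@ -732,10 +733,10 @@`` hunk the surrounding heading context is "Here is an example configuration for setting-up XMPP server using Prosody:", yet the example that follows (``mail_user_uid``, ``imap_tls_certificate``, ``smtp_tls_key``, ``smtp_rbl``) is the mail server configuration. This is a pre-existing copy-paste error rather than something introduced here, but since the hunk already touches this example it is worth correcting the lead-in sentence in the same change.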