diff --git a/roles/freeipa_server_enrolled_tls/README.md b/roles/freeipa_server_enrolled_tls/README.md
index ed0cf219..16546a46 100644
--- a/roles/freeipa_server_enrolled_tls/README.md
+++ b/roles/freeipa_server_enrolled_tls/README.md
@@ -33,6 +33,8 @@ None.
 | `enrolled_cert_key_path` | `path` | `False` | `/etc/pki/tls/private/host.key` | The path on the target host to save the generated private key file. |
 | `enrolled_cert_csr_path` | `path` | `False` | `/etc/pki/tls/private/host.csr` | The path on the target host to save the generated CSR file. |
 | `enrolled_cert_path` | `path` | `False` | `/etc/pki/tls/certs/host.crt` | The path on the target host to save the issued TLS certificate. |
+| `enrolled_cert_owner` | `str` | `False` | | Owner (user) for the generated certificate and private key files. |
+| `enrolled_cert_group` | `str` | `False` | | Group for the generated certificate and private key files. |
 
 ## Example Playbook
 
@@ -47,6 +49,19 @@ None.
 ipaadmin_password: "password"
 enrolled_cert_key_path: "/etc/pki/tls/private/gateway.key"
 enrolled_cert_path: "/etc/pki/tls/certs/gateway.crt"
+
+- hosts: enrolled_hosts
+ tasks:
+ - name: Issue a TLS certificate and private key for PostgreSQL service
+ ansible.builtin.import_role:
+ name: freeipa_server_enrolled_tls
+ vars:
+ enrolled_hostname: "postgres.example.internal"
+ ipaladmin_password: "password"
+ enrolled_cert_key_path: "/etc/pki/tls/private/postgres.key"
+ enrolled_cert_path: "/etc/pki/tls/certs/postgres.crt"
+ enrolled_cert_owner: "postgres"
+ enrolled_cert_group: "postgres"
 ```
 
 ## License
diff --git a/roles/freeipa_server_enrolled_tls/defaults/main.yml b/roles/freeipa_server_enrolled_tls/defaults/main.yml
index 187666c8..76b16737 100644
--- a/roles/freeipa_server_enrolled_tls/defaults/main.yml
+++ b/roles/freeipa_server_enrolled_tls/defaults/main.yml
@@ -20,3 +20,5 @@ enrolled_principal_type: host
 enrolled_cert_key_path: "/etc/pki/tls/private/host.key"
 enrolled_cert_csr_path: "/etc/pki/tls/private/host.csr"
 enrolled_cert_path: "/etc/pki/tls/certs/host.crt"
+# enrolled_file_owner: ""
+# enrolled_file_group: ""
diff --git a/roles/freeipa_server_enrolled_tls/meta/argument_specs.yml b/roles/freeipa_server_enrolled_tls/meta/argument_specs.yml
index 0e69c05b..84fec364 100644
--- a/roles/freeipa_server_enrolled_tls/meta/argument_specs.yml
+++ b/roles/freeipa_server_enrolled_tls/meta/argument_specs.yml
@@ -52,3 +52,13 @@ argument_specs:
 - The type of principal for certificate request (e.g., host, service).
 type: str
 default: host
+ enrolled_file_owner:
+ description:
+ - Owner (user) for the generated certificate and private key files.
+ type: str
+ required: false
+ enrolled_file_group:
+ description:
+ - Group for the generated certificate and private key files.
+ type: str
+ required: false
diff --git a/roles/freeipa_server_enrolled_tls/tasks/main.yml b/roles/freeipa_server_enrolled_tls/tasks/main.yml
index 96052fcc..eb98bf3e 100644
--- a/roles/freeipa_server_enrolled_tls/tasks/main.yml
+++ b/roles/freeipa_server_enrolled_tls/tasks/main.yml
@@ -34,3 +34,20 @@
 principal: "{{ enrolled_principal_type }}/{{ enrolled_hostname }}"
 certificate_out: "{{ enrolled_cert_path }}"
 state: requested
+
+- name: Set file ownership for certificate and key
+ when: enrolled_file_owner is defined and enrolled_file_group is defined
+ block:
+ - name: Set ownership for private key file
+ ansible.builtin.file:
+ path: "{{ enrolled_cert_key_path }}"
+ owner: "{{ enrolled_file_owner }}"
+ group: "{{ enrolled_file_group }}"
+ mode: "0400"
+
+ - name: Set ownership for certificate file
+ ansible.builtin.file:
+ path: "{{ enrolled_cert_path }}"
+ owner: "{{ enrolled_file_owner }}"
+ group: "{{ enrolled_file_group }}"
+ mode: "0644"
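Review bot: The option names added to meta/argument_specs.yml, `enrolled_file_owner` and `enrolled_file_group`, do not match the names this same commit documents in the README table and example (`enrolled_cert_owner` / `enrolled_cert_group`), so a user who follows the README sets variables the role never reads and the ownership block in tasks/main.yml is silently skipped by its `when`. The existing options all use the `enrolled_cert_` prefix (`enrolled_cert_key_path`, `enrolled_cert_csr_path`, `enrolled_cert_path`), so renaming the spec entries to `enrolled_cert_owner:` and `enrolled_cert_group:` and using the same names in the defaults/main.yml comments and the tasks/main.yml hunk keeps the role consistent with its documentation. The README example also spells the admin password variable `ipaladmin_password` where the existing example above it uses `ipaadmin_password`, which is worth fixing in the same pass.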
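Review bot: The `mode: "0400"` hardening of the private key is only reached inside the block guarded by `when: enrolled_file_owner is defined and enrolled_file_group is defined`, so in the default case (neither variable set) the key keeps whatever mode the preceding request task left it with, and setting only one of the two variables skips the whole block even though the argument spec declares each one independently optional. Applying the mode unconditionally and passing owner and group through `default(omit)` closes both gaps without changing the behaviour when both are supplied. The request task that ends at `state: requested` starts outside the hunk; if that module rewrites the certificate or key on renewal, ownership set here may not survive a re-run, which is worth confirming against its documentation.
```yaml
- name: Restrict private key file permissions
  ansible.builtin.file:
    path: "{{ enrolled_cert_key_path }}"
    owner: "{{ enrolled_file_owner | default(omit) }}"
    group: "{{ enrolled_file_group | default(omit) }}"
    mode: "0400"

- name: Set certificate file permissions
  ansible.builtin.file:
    path: "{{ enrolled_cert_path }}"
    owner: "{{ enrolled_file_owner | default(omit) }}"
    group: "{{ enrolled_file_group | default(omit) }}"
    mode: "0644"
```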