diff --git a/defaults/main/1_main.yml b/defaults/main/1_main.yml
index 263dddf..93c6059 100644
--- a/defaults/main/1_main.yml
+++ b/defaults/main/1_main.yml
@@ -12,7 +12,8 @@ defaults_certs:
 cert:
 name:
 key_size: 4096 # 1024, 2048, 4096
- key_type: 'RSA'
+ key_type: 'ECC'
+ curve: 'secp256r1'
 cipher: 'auto'
 digest: 'sha256'
 regenerate: 'partial_idempotence'
@@ -70,7 +71,8 @@ defaults_certs:
 path:
 valid_days: 7300
 key_size: 8192 # 1024, 2048, 4096, 8192
- key_type: 'RSA'
+ key_type: 'ECC'
+ curve: 'secp256r1'
 cipher: 'auto'
 digest: 'sha512'
 regenerate: 'partial_idempotence'
diff --git a/tasks/internal/ca_minimal.yml b/tasks/internal/ca_minimal.yml
index acee325..65cdc7d 100644
--- a/tasks/internal/ca_minimal.yml
+++ b/tasks/internal/ca_minimal.yml
@@ -35,6 +35,7 @@
 cipher: "{{ config_ca.ca.cipher }}"
 size: "{{ config_ca.ca.key_size }}"
 type: "{{ config_ca.ca.key_type }}"
+ curve: "{{ config_ca.ca.curve }}"
 regenerate: "{{ config_ca.ca.regenerate }}"
 mode: "{{ config_ca.mode_key }}"
 owner: "{{ config_ca.owner_key }}"
@@ -48,6 +49,7 @@
 select_crypto_backend: "{{ config_ca.ca.backend }}"
 size: "{{ config_ca.ca.key_size }}"
 type: "{{ config_ca.ca.key_type }}"
+ curve: "{{ config_ca.ca.curve }}"
 regenerate: "{{ config_ca.ca.regenerate }}"
 mode: "{{ config_ca.mode_key }}"
 owner: "{{ config_ca.owner_key }}"
diff --git a/tasks/internal/cert.yml b/tasks/internal/cert.yml
index 401a54c..e582264 100644
--- a/tasks/internal/cert.yml
+++ b/tasks/internal/cert.yml
@@ -23,6 +23,7 @@
 cipher: "{{ config_cert.cert.cipher }}"
 size: "{{ config_cert.cert.key_size }}"
 type: "{{ config_cert.cert.key_type }}"
+ curve: "{{ config_cert.cert.curve }}"
 passphrase: "{{ config_cert.cert.pwd }}"
 regenerate: "{{ config_cert.cert.regenerate }}"
 mode: "{{ config_cert.mode_key }}"
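Review bot: The new `curve: 'secp256r1'` line under `cert:` (and the matching one under the CA block in the second hunk of this file) carries no comment, while the neighbouring `key_size` comment still lists RSA sizes as if they applied to the new ECC default. Once the type is ECC, `key_size` is not expected to have any effect, because the curve fixes the key length; a reader tuning `key_size` for an ECC key would be misled. Suggest annotating both new lines, e.g. `curve: 'secp256r1'  # used only when key_type is 'ECC'; key_size applies to RSA keys only`. Switching the shipped default from RSA to ECC is also a behaviour change for hosts that already hold RSA keys, and how `regenerate: 'partial_idempotence'` treats a type mismatch is not visible here, so it is worth stating in the role's changelog.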
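Review bot: `curve: "{{ config_ca.ca.curve }}"` is passed to the module unconditionally, so a `config_ca` whose `ca` mapping lacks a `curve` key (an RSA-only override that is not merged over the role defaults, if the role allows that) would now fail on an undefined attribute instead of keeping its previous behaviour. If the module ignores `curve` for non-ECC types, the cheap guard is `curve: "{{ config_ca.ca.curve | default(omit) }}"`, which drops the parameter instead of erroring. The same applies to the second hunk of this file and to both hunks of tasks/internal/cert.yml (`config_cert.cert.curve`). Whether `config_ca` and `config_cert` are always merged with the defaults is not visible in this diff.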
@@ -37,6 +38,7 @@
 select_crypto_backend: "{{ config_cert.cert.backend }}"
 size: "{{ config_cert.cert.key_size }}"
 type: "{{ config_cert.cert.key_type }}"
+ curve: "{{ config_cert.cert.curve }}"
 regenerate: "{{ config_cert.cert.regenerate }}"
 mode: "{{ config_cert.mode_key }}"
 owner: "{{ config_cert.owner_key }}"
diff --git a/tasks/snakeoil.yml b/tasks/snakeoil.yml
index 34bcfb9..e560f34 100644
--- a/tasks/snakeoil.yml
+++ b/tasks/snakeoil.yml
@@ -25,27 +25,57 @@
 CERT_CONFIG.cert.ips | length > 0 or
 CERT_CONFIG.cert.san_other
-- name: Certificates | Snakeoil | Build command
+- name: Certificates | Snakeoil | Build command 1/2
 ansible.builtin.set_fact:
- cert_cmd: "openssl req -x509 -newkey rsa:{{ CERT_CONFIG.cert.key_size }} -sha256 -nodes \
- {% if CERT_CONFIG.cert.cn | default(none, true) is not none %}
- -subj \"/CN={{ CERT_CONFIG.cert.cn }}\" \
- {% endif %}
- {% if cert_san | default(none, true) is not none %}
- -addext \"subjectAltName = {{ cert_san | replace(' ', '') }}\" \
- {% endif %}
- -keyout {{ _cert_key }} -out {{ _cert_pub }} \
- -days {{ CERT_CONFIG.cert.valid_days }}"
- cert_pub: "{{ _cert_pub }}"
- vars:
- _cert_pub: "{{ CERT_CONFIG.path }}/{{ name | default(CERT_CONFIG.cert.name) }}.{{ CERT_CONFIG.extension_cert }}"
- _cert_key: "{{ CERT_CONFIG.path }}/{{ name | default(CERT_CONFIG.cert.name) }}.{{ CERT_CONFIG.extension_key }}"
+ cert_pub: "{{ CERT_CONFIG.path }}/{{ name | default(CERT_CONFIG.cert.name) }}.{{ CERT_CONFIG.extension_cert }}"
+ cert_key: "{{ CERT_CONFIG.path }}/{{ name | default(CERT_CONFIG.cert.name) }}.{{ CERT_CONFIG.extension_key }}"
+ cert_attrs: "-days {{ CERT_CONFIG.cert.valid_days }} \
+ {% if CERT_CONFIG.cert.cn | default(none, true) is not none %}\
+ -subj \"/CN={{ CERT_CONFIG.cert.cn }}\"
+ {% endif %}\
+ {% if cert_san | default(none, true) is not none %}
+ -addext \"subjectAltName = {{ cert_san | replace(' ', '') }}\" \
+ {% endif %}"
-- name: Certificates | Snakeoil | Certificate command
+- name: Certificates | Snakeoil | Build command 2/2 (RSA)
+ ansible.builtin.set_fact:
+ cert_cmd_rsa: "openssl req -x509 -newkey rsa:{{ CERT_CONFIG.cert.key_size }} -sha256 -nodes {{ cert_attrs }} \
+ -keyout {{ cert_key }} -out {{ cert_pub }}"
+ when: CERT_CONFIG.cert.key_type == 'RSA'
+
+- name: Certificates | Snakeoil | Build command 2/2 (ECC)
+ ansible.builtin.set_fact:
+ cert_cmd_ecc1: "openssl ecparam -out {{ cert_key }} -name {{ CERT_CONFIG.cert.curve }} -genkey"
+ cert_cmd_ecc2: "openssl req -new -x509 -nodes -key {{ cert_key }} -out {{ cert_pub }} {{ cert_attrs }}"
+ when: CERT_CONFIG.cert.key_type == 'ECC'
+
+- name: Certificates | Snakeoil | Certificate command (RSA)
 ansible.builtin.debug:
- var: cert_cmd
+ var: cert_cmd_rsa
+ when: CERT_CONFIG.cert.key_type == 'RSA'
-- name: Certificates | Snakeoil | Create Certificate
- ansible.builtin.command: "{{ cert_cmd }}"
+- name: Certificates | Snakeoil | Certificate commands (ECC)
+ ansible.builtin.debug:
+ var: "{{ item }}"
+ loop:
+ - cert_cmd_ecc1
+ - cert_cmd_ecc2
+ when: CERT_CONFIG.cert.key_type == 'ECC'
+
+- name: Certificates | Snakeoil | Create Certificate (RSA)
+ ansible.builtin.command: "{{ cert_cmd_rsa }}"
 args:
 creates: "{{ cert_pub }}"
+ when: CERT_CONFIG.cert.key_type == 'RSA'
+
+- name: Certificates | Snakeoil | Create Key (ECC)
+ ansible.builtin.command: "{{ cert_cmd_ecc1 }}"
+ args:
+ creates: "{{ cert_key }}"
+ when: CERT_CONFIG.cert.key_type == 'ECC'
+
+- name: Certificates | Snakeoil | Create Certificate (ECC)
+ ansible.builtin.command: "{{ cert_cmd_ecc2 }}"
+ args:
+ creates: "{{ cert_pub }}"
+ when: CERT_CONFIG.cert.key_type == 'ECC'
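Review bot: With the split into `when: CERT_CONFIG.cert.key_type == 'RSA'` and `== 'ECC'` branches, any other value (a lowercase spelling, or a type the module-based tasks accept but this path does not) now makes every task in this file skip silently and leaves no certificate behind, where the old single `cert_cmd` always ran. Add a guard before the build tasks, e.g. `- name: Certificates | Snakeoil | Validate key type` / `ansible.builtin.assert:` / `that: "CERT_CONFIG.cert.key_type in ['RSA', 'ECC']"`. The ECC `cert_cmd_ecc2` also drops the explicit `-sha256` that `cert_cmd_rsa` still passes, so the signature digest depends on the installed OpenSSL's default; pass the digest on both commands for parity (the defaults file carries a `digest` value that could drive it, if `CERT_CONFIG` exposes it). Note that neither the new `Create Key (ECC)` task nor the RSA task sets mode or owner on the private key it writes, unlike the module-based tasks in tasks/internal that pass `mode_key`/`owner_key`; a follow-up `ansible.builtin.file` task on `{{ cert_key }}` would close that gap.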