diff --git a/group_vars/default/pvc.yml b/group_vars/default/pvc.yml
index 0c63820..1eb4138 100644
--- a/group_vars/default/pvc.yml
+++ b/group_vars/default/pvc.yml
@@ -22,17 +22,30 @@
 #pvc_fence_failed_action: None # What to do with VMs when a fence is failed (migrate, None) - migrate is DANGEROUS without pvc_suicide_intervals set to < pvc_fence_intervals
 #pvc_fence_migrate_target_selector: mem # The selector to use for migrating VMs after a fence
-# Client API configuration
+# Client API basic configuration
 pvc_api_listen_address: "{{ pvc_upstream_floatingip }}"
 pvc_api_listen_port: "7370"
+pvc_api_secret_key: "" # Use pwgen to generate
+
+# Client API user tokens
+# Create a token (random UUID or password) for each user you wish to have access to the PVC API.
+# The first token will always be used for the "local" connection, and thus at least one token MUST be defined.
 pvc_api_enable_authentication: True
-pvc_api_secret_key: ""
 pvc_api_tokens:
 - description: "myuser"
 token: "a3945326-d36c-4024-83b3-2a8931d7785a"
+
+# PVC API SSL configuration
+# Use these options to enable SSL for the API listener, providing security over WAN connections.
+# There are two options for defining the SSL certificate and key to use:
+# a) Set both pvc_api_ssl_cert_path and pvc_api_ssl_key_path to paths to an existing SSL combined (CA + cert) certificate and key, respectively, on the system.
+# b) Set both pvc_api_ssl_cert and pvc_api_ssl_key to the raw PEM-encoded contents of an SSL combined (CA + cert) certificate and key, respectively, which will be installed under /etc/pvc.
+# If the _path options are non-empty, the raw entries are ignored and will not be used.
 pvc_api_enable_ssl: False
+pvc_api_ssl_cert_path:
 pvc_api_ssl_cert: > # A RAW CERTIFICATE FILE, installed to /etc/pvc/api-cert.pem
+pvc_api_ssl_key_path:
 pvc_api_ssl_key: > # A RAW KEY FILE, installed to /etc/pvc/api-key.pem
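Review bot: The two new entries `pvc_api_ssl_cert_path:` and `pvc_api_ssl_key_path:` have bare empty values, which YAML parses as null rather than the empty string the new comment block ("If the _path options are non-empty") describes; writing them as `pvc_api_ssl_cert_path: ""` and `pvc_api_ssl_key_path: ""` makes the data match the documented empty/non-empty contract and avoids the yamllint empty-values warning. The comment block also says to set both path options together, but nothing here says what happens when only one is given; a line such as `# Setting only one _path option still installs the other file from its raw entry; set both or neither.` would make the mixed case explicit. `pvc_api_secret_key` now defaults to `""` with only a pwgen hint; unless the role asserts it is non-empty when `pvc_api_enable_authentication` is true (not visible in this diff), a deployment that skips that step runs the authenticated API with an empty secret, which deserves a note beside the key.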
diff --git a/roles/pvc/tasks/pvc/main.yml b/roles/pvc/tasks/pvc/main.yml
index e806db9..5ad1c50 100644
--- a/roles/pvc/tasks/pvc/main.yml
+++ b/roles/pvc/tasks/pvc/main.yml
@@ -27,7 +27,7 @@
 dest: /etc/pvc/api-cert.pem
 mode: 0644
 no_log: True
-when: pvc_api_enable_ssl
+when: pvc_api_enable_ssl and not pvc_api_ssl_cert_path
 - name: install API SSL key file
 copy:
@@ -35,7 +35,7 @@
 dest: /etc/pvc/api-key.pem
 mode: 0640
 no_log: True
-when: pvc_api_enable_ssl
+when: pvc_api_enable_ssl and not pvc_api_ssl_key_path
 - name: stop and disable unneccessary services
 service:
diff --git a/roles/pvc/templates/pvc/pvcapid.yaml.j2 b/roles/pvc/templates/pvc/pvcapid.yaml.j2
index bb51696..9502933 100644
--- a/roles/pvc/templates/pvc/pvcapid.yaml.j2
+++ b/roles/pvc/templates/pvc/pvcapid.yaml.j2
@@ -30,9 +30,17 @@ pvc:
 # enabled: Enabled or disable SSL operation (True/False)
 enabled: {{ pvc_api_enable_ssl }}
 # cert_file: SSL certificate file
+{% if pvc_api_ssl_cert_path is defined and pvc_api_ssl_cert_path %}
+cert_file: "{{ pvc_api_ssl_cert_path }}"
+{% else %}
 cert_file: "/etc/pvc/api-cert.pem"
+{% endif %}
 # key_file: SSL certificate key file
+{% if pvc_api_ssl_key_path is defined and pvc_api_ssl_key_path %}
+key_file: "{{ pvc_api_ssl_key_path }}"
+{% else %}
 key_file: "/etc/pvc/api-key.pem"
+{% endif %}
 # provisioner: Configuration of the Provisioner API listener
 provisioner:
 # database: Backend database configuration
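Review bot: The new condition `when: pvc_api_enable_ssl and not pvc_api_ssl_cert_path` (and `not pvc_api_ssl_key_path` in the second main.yml hunk) fails with an undefined-variable error on any inventory that predates this change and does not define the new path variables, while the pvcapid.yaml.j2 hunk guards the very same variables with `is defined`. Aligning the tasks with the template, e.g. `when: pvc_api_enable_ssl and not (pvc_api_ssl_cert_path | default(''))` and the matching form for the key, keeps older group_vars working and removes the inconsistency. Separately, an operator who switches from the raw entries to a `_path` leaves the previously installed /etc/pvc/api-key.pem in place, since these tasks only install and never remove the raw files; a one-line comment on the copy tasks stating that would set expectations. Both copy tasks begin before their hunks.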
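Review bot: `cert_file: "{{ pvc_api_ssl_cert_path }}"` and `key_file: "{{ pvc_api_ssl_key_path }}"` point the daemon at operator-supplied paths with no check that the files exist or that the key is not readable by other users, whereas the raw-entry branch installs the key with `mode: 0640` (context line in main.yml). A `stat` task on each supplied path followed by an `assert` on its `.stat.exists` result would fail the play early with a clear message instead of at daemon start, and the same assert could compare the key's mode against the 0640 the raw branch uses. A comment above the first `{% if %}`, such as `{# When a _path is given, existence and permissions of the file are the operator's responsibility #}`, would document that split. The enclosing `pvc:` mapping starts before the hunk.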