diff --git a/base.yml b/base.yml
index 9f9df55..2e44e1e 100644
--- a/base.yml
+++ b/base.yml
@@ -2,9 +2,6 @@
 - hosts: all
   roles:
   - base
-  - role: ssh-host-certs
-    tags: ssh-host-certs
-  - ssh-user-ca
 - hosts: kvm-guest
   roles:
   - serial-console
diff --git a/bootstrap.yml b/bootstrap.yml
index d61e691..36d49a3 100644
--- a/bootstrap.yml
+++ b/bootstrap.yml
@@ -2,3 +2,5 @@
 - import_playbook: hostname.yml
 - import_playbook: base.yml
 - import_playbook: firewalld.yml
+- import_playbook: ssh-host-certs.yml
+- import_playbook: ssh-user-ca.yml
diff --git a/ssh-host-certs.yml b/ssh-host-certs.yml
new file mode 100644
index 0000000..cde7eb1
--- /dev/null
+++ b/ssh-host-certs.yml
@@ -0,0 +1,4 @@
+- hosts: '!vps'
+  roles:
+  - role: ssh-host-certs
+    tags: ssh-host-certs
diff --git a/ssh-user-ca.yml b/ssh-user-ca.yml
new file mode 100644
index 0000000..e37547a
--- /dev/null
+++ b/ssh-user-ca.yml
@@ -0,0 +1,3 @@
+- hosts: all
+  roles:
+  - ssh-user-ca