diff --git a/.gitignore b/.gitignore
index 4216fa0..f4fd862 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@ inventory/generated *.retry
+pki/
diff --git a/README.md b/README.md
index b19b43e..b1aa750 100644
--- a/README.md
+++ b/README.md
@@ -17,25 +17,50 @@ You can run the following command to check if you've missed something (don't wor
 ansible-playbook kthw-playbook.yml -t check_local_prerequisites -l localhost
 ```
-# setup
-- run `vagrant up` to start the vms. This will create a master node and 2 worker nodes on your host's network
-- setup a container runtime on the nodes
+# Root Certificate Authority
+Kubernetes components implement a certificates based authentication mecanism (non revoked client certficates signed with a server's key are valid credentials).
+Etcd also implements such a mecanism.
+
+We need a root Certificate Authority to :
+ * enable authentication to the kubernetes api server.
+ * enable authentication to the etcd cluster.
+
+To generate it, run
+```sh
+ansible-playbook kthw-playbook.yml -t generate_the_root_ca -l localhost
+```
+
+# Infrastructure
+- provision the vms the kubernetes cluster will be running on:
+```sh
+vagrant up
+```
+
+# CRI-compatible container runtime
+- setup a CRI-compatible container runtime on these VMs
 ```sh
 ansible-playbook kthw-playbook.yml -t install_container_runtime -l k8s_nodes
 ```
-- install kubelet, kube-proxy, apiserver, scheduler and native controllers on the master nodes
+# Etcd cluster
+- download etcd
 ```sh
-ansible-playbook kthw-playbook.yml -t install_kubernetes_master_components -l masters
+ansible-playbook kthw-playbook.yml -t download_etcd -l etcd_peers
 ```
-- install kubelet & kube-proxy on the worker nodes
+# Kubernetes Control Plane
+
+- download kubelet, kube-proxy, apiserver, scheduler and native controllers on the master nodes
 ```sh
-ansible-playbook kthw-playbook.yml -t install_kubernetes_worker_components -l workers
+ansible-playbook kthw-playbook.yml -t download_kubernetes_control_plane -l masters
 ```
-- install etcd on the master nodes
+# Kubernetes worker nodes
+- download kubelet & kube-proxy on the worker nodes
 ```sh
-ansible-playbook kthw-playbook.yml -t install_etcd -l masters
+ansible-playbook kthw-playbook.yml -t 
download_kubernetes_worker_components -l workers
 ```
+
+
+
diff --git a/Vagrantfile b/Vagrantfile
index fa12148..a0ca238 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -37,6 +37,11 @@ Vagrant.configure("2") do |config|
 end
 end
+ inventory.puts "[etcd_peers]"
+ hosts[:masters].each do |node_name|
+ inventory.puts node_name
+ end
+
 inventory.puts "[k8s_nodes]"
 all_hosts.each do |node_name|
 inventory.puts node_name
diff --git a/kthw-playbook.yml b/kthw-playbook.yml
index 0cab40b..b0dddc3 100644
--- a/kthw-playbook.yml
+++ b/kthw-playbook.yml
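Review bot: The new `[etcd_peers]` section is written as a second copy of the master host list, so the etcd peer set and the `[masters]` group can drift apart if one of the two loops is edited later; assuming a `[masters]` section is emitted earlier in this file, the generated inventory could declare `[etcd_peers:children]` followed by `masters` instead, which keeps the two groups equal by construction. As a point of style, since the loop body is a single `puts`, `inventory.puts hosts[:masters]` writes one host per line without the block, though the existing `[k8s_nodes]` loop uses the same explicit form. The enclosing `Vagrant.configure` block starts and ends outside the hunk.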
@@ -6,42 +6,49 @@
 when: "'localhost' in group_names"
 tags:
 - check_local_prerequisites
+
+ - name: Root CA
+ import_tasks: ./root_ca.yml
+ when: "'localhost' in group_names"
+ tags:
+ - generate_the_root_ca
-
- - name: Install a container runtime
+
+ - name: Download etcd
+ become: yes
+ script: ./scripts/download_etcd {{ etcd3_version }}
+ args:
+ creates: /tmp/.download_etcd
+ when: "'etcd_peers' in group_names"
+ tags:
+ - download_etcd
+
+
+ - name: Install a CRI-compatible container runtime
 import_tasks: ./install_container_runtime.yml
 when: "'k8s_nodes' in group_names"
 tags:
 - install_container_runtime
-
- - name: Install kubernetes master components
+
+ - name: Download kubernetes control plane components
 become: yes
- script: ./scripts/install_kubernetes_master_components {{ kubernetes_version }}
+ script: ./scripts/download_kubernetes_control_plane {{ kubernetes_version }}
 args:
- creates: /tmp/.install_kubernetes_master_components
+ creates: /tmp/.download_kubernetes_control_plane
 when: "'masters' in group_names"
 tags:
- - install_kubernetes_components
- - install_kubernetes_master_components
+ - download_kubernetes
+ - download_kubernetes_control_plane
- - name: Install kubernetes worker components
+ - name: Download kubernetes worker components
 become: yes
- script: ./scripts/install_kubernetes_worker_components {{ kubernetes_version }}
+ script: ./scripts/download_kubernetes_worker_components {{ kubernetes_version }}
 args:
- creates: /tmp/.install_kubernetes_worker_components
+ creates: /tmp/.download_kubernetes_worker_components
 when: "'workers' in group_names"
 tags:
- - install_kubernetes_components
- - install_kubernetes_worker_components
-
-
- - name: Install etcd
- become: yes
- script: ./scripts/install_etcd {{ etcd3_version }}
- args:
- creates: /tmp/.install_etcd
- when: "'masters' in group_names"
- tags:
- - install_etcd
+ - download_kubernetes
+ - download_kubernetes_worker_components
+
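Review bot: The new `Download etcd` task keys its idempotence on `creates: /tmp/.download_etcd`, a marker file in a world-writable directory: any local user on the node can pre-create that file and the privileged (`become: yes`) download is then silently skipped, and since /tmp is commonly cleared on reboot the task also re-runs on the next play after a restart. The two `download_kubernetes_*` tasks in this hunk use the same `/tmp/.download_*` pattern. A marker under a root-owned path (for example `creates: /var/lib/<MARKER_DIR>/.download_etcd`, with the matching `touch .download_etcd` in `scripts/download_etcd` adjusted — that script's `pushd` target is outside its hunk), or keying on the installed artifact itself such as `creates: /usr/bin/etcdctl`, would make the skip decision tamper-resistant.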
diff --git a/root_ca.yml b/root_ca.yml
new file mode 100644
index 0000000..3244d21
--- /dev/null
+++ b/root_ca.yml
@@ -0,0 +1,46 @@
+---
+- name: Root CA | create the work directory
+ file:
+ path: "{{ playbook_dir }}/pki/root-ca"
+ state: directory
+ recurse: yes
+
+- name: Root CA | build the CSR (Certificate Signing Request) for the root CA
+ copy:
+ dest: "{{ playbook_dir }}/pki/root-ca/root-ca-csr.json"
+ content: |
+ {
+ "CN": "Kubernetes",
+ "key": {
+ "algo": "rsa",
+ "size": 2048
+ },
+ "names": [
+ {
+ "C": "US",
+ "L": "Portland",
+ "O": "Kubernetes",
+ "OU": "CA",
+ "ST": "Oregon"
+ }
+ ]
+ }
+ mode: 0600
+
+- name: Root CA | generate
+ shell: |
+ pushd {{ playbook_dir }}/pki/root-ca ;
+ cfssl gencert -initca root-ca-csr.json | cfssljson -bare ca ;
+ popd ;
+ args:
+ executable: bash
+ creates: "{{ playbook_dir }}/pki/root-ca/ca-key.pem"
+
+
+- name: Root CA | cleanup
+ file:
+ path: "{{ playbook_dir }}/pki/root-ca/{{ item }}"
+ state: absent
+ with_items:
+ - root-ca-csr.json
+ - ca.csr
\ No newline at end of file
diff --git a/scripts/install_etcd b/scripts/download_etcd
similarity index 94%
rename from scripts/install_etcd
rename to scripts/download_etcd
index 5e261e2..493e47d 100755
--- a/scripts/install_etcd
+++ b/scripts/download_etcd
@@ -11,6 +11,6 @@ mv etcd-$ETCD3_RELEASE_VERSION-linux-amd64/etcdctl /usr/bin/
 rm -rf etcd*
-touch .install_etcd
+touch .download_etcd
 popd &> /dev/null
diff --git a/scripts/install_kubernetes_master_components b/scripts/download_kubernetes_control_plane
similarity index 91%
rename from scripts/install_kubernetes_master_components
rename to scripts/download_kubernetes_control_plane
index 244923b..773c08b 100755
--- a/scripts/install_kubernetes_master_components
+++ b/scripts/download_kubernetes_control_plane
@@ -18,7 +18,7 @@ cp hyperkube /usr/bin/cloud-controller-manager
 cp hyperkube /usr/bin/apiserver
 rm hyperkube
-touch .install_kubernetes_master_components
+touch .download_kubernetes_control_plane
 popd
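Review bot: The `Root CA | create the work directory` task sets no `mode`, so `pki/root-ca` — the directory into which `cfssljson -bare ca` writes the root CA private key `ca-key.pem` — is created with the controller's default umask and is typically listable and readable by other local users; add `mode: "0700"` to that `file:` task (the CSR JSON gets `mode: 0600`, but nothing in this hunk constrains the permissions of the key file beyond whatever cfssljson chooses). In the `Root CA | generate` task the pipeline `cfssl gencert -initca root-ca-csr.json | cfssljson -bare ca` runs under bash without `set -o pipefail`, so a cfssl failure may be masked by cfssljson's exit status and leave the `creates:` guard unsatisfied but the play green; prefix the script with `set -o pipefail` (the `pushd`/`popd` pair could also be replaced by `chdir: "{{ playbook_dir }}/pki/root-ca"` under `args:`). The CSR also omits a `ca` block, so the root certificate's lifetime falls back to cfssl's built-in default; stating `"ca": {"expiry": "<CA_EXPIRY>"}` explicitly makes the CA policy reviewable.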
diff --git a/scripts/install_kubernetes_worker_components b/scripts/download_kubernetes_worker_components
similarity index 88%
rename from scripts/install_kubernetes_worker_components
rename to scripts/download_kubernetes_worker_components
index e2b5df9..c481f9c 100755
--- a/scripts/install_kubernetes_worker_components
+++ b/scripts/download_kubernetes_worker_components
@@ -13,6 +13,6 @@ cp hyperkube /usr/bin/proxy
 cp hyperkube /usr/bin/kubectl
 rm hyperkube
-touch .install_kubernetes_worker_components
+touch .download_kubernetes_worker_components
 popd