diff --git a/.kitchen.yml b/.kitchen.yml
index 999a42e..06907c0 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -42,7 +42,7 @@ suites:
 state_top:
 base:
 '*':
- - vault
+ - vault.package
 pillars:
 top.sls:
 base:
@@ -52,7 +52,7 @@ suites:
 vault:
 # version: 0.11.1 # test upgrades by doing a double-converge, changing the version pillar between each one
 version: 0.11.2
- secure_download: false
+ verify_download: False
 
 - name: dev_server
 provisioner:
@@ -83,7 +83,7 @@ suites:
 vault:
 tls_disable: 1
 self_signed_cert:
- enabled: true
+ enabled: True
 hostname: localhost
 password: localhost
 country: GB
diff --git a/test/integration/dev_server/vault_spec.rb b/test/integration/dev_server/vault_spec.rb
index 2a79a68..8ad9c2b 100644
--- a/test/integration/dev_server/vault_spec.rb
+++ b/test/integration/dev_server/vault_spec.rb
@@ -20,7 +20,7 @@
 it { should be_running }
 end
 
-describe file("/etc/vault/config/server.hcl") do
+describe file("/etc/vault/conf.d/config.json") do
 it { should_not be_a_file }
 end
 
diff --git a/test/integration/install_binary/vault_spec.rb b/test/integration/install_binary/vault_spec.rb
index 0c01d52..34dbb74 100644
--- a/test/integration/install_binary/vault_spec.rb
+++ b/test/integration/install_binary/vault_spec.rb
@@ -15,6 +15,6 @@
 it { should_not be_running }
 end
 
-describe file("/etc/vault/config/server.hcl") do
+describe file("/etc/vault/conf.d/config.json") do
 it { should_not be_a_file }
 end
diff --git a/test/integration/prod_server/vault_spec.rb b/test/integration/prod_server/vault_spec.rb
index 6dfebb7..15a4d5a 100644
--- a/test/integration/prod_server/vault_spec.rb
+++ b/test/integration/prod_server/vault_spec.rb
@@ -10,7 +10,7 @@
 its(:stdout) { should match(/\/vault = cap_ipc_lock\+ep$/) }
 end
 
-describe file('/etc/vault/config/server.hcl') do
+describe file('/etc/vault/conf.d/config.json') do
 it { should be_a_file }
 end
 
diff --git a/vault/config/config.sls b/vault/config/config.sls
new file mode 100644
index 0000000..7550665
--- /dev/null
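Review bot: The suite whose pillar is changed in the `@@ -52` hunk of .kitchen.yml now sets `verify_download: False`, so the `.gpg` and `.signature` states that `vault/package/init.sls` includes only when `vault.verify_download` is truthy are never converged by that suite, and no other suite visible in this diff turns it on; since `vault/defaults.yaml` ships `verify_download: True`, the default download-verification path is the one left untested. Consider keeping at least one suite at the default (or adding a suite with `verify_download: True`) so the GPG and signature states are exercised. Which suite this pillar belongs to is inferred from the `vault.package` state in the `@@ -42` hunk, as the suite's `name:` line lies outside both hunks.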
+++ b/vault/config/config.sls
@@ -0,0 +1,15 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent
+
+{% from "vault/map.jinja" import vault with context -%}
+
+vault-config-init-file-serialize:
+ file.serialize:
+ - name: /etc/vault/conf.d/config.json
+ - encoding: utf-8
+ - formatter: json
+ - dataset: {{ vault.config | json }}
+ - user: root
+ - group: vault
+ - mode: 640
+ - makedirs: True
diff --git a/vault/config/init.sls b/vault/config/init.sls
index 364021c..60d1c47 100644
--- a/vault/config/init.sls
+++ b/vault/config/init.sls
@@ -1,17 +1,10 @@
 # -*- coding: utf-8 -*-
 # vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent
 
-{% from "vault/map.jinja" import vault with context -%}
+{% from "vault/map.jinja" import vault with context %}
 
-vault-config-init-file-serialize:
- file.serialize:
- - name: /etc/vault/conf.d/config.json
- - encoding: utf-8
- - formatter: json
- - dataset: {{ vault.config | json }}
- - user: root
- - group: vault
- - mode: 640
- - makedirs: True
- - watch_in:
- - service: vault
+include:
+ - .config
+ {%- if vault.self_signed_cert.enabled %}
+ - .self-sign
+ {%- endif %}
diff --git a/vault/config/self-sign.sls b/vault/config/self-sign.sls
new file mode 100644
index 0000000..16d2bd5
--- /dev/null
+++ b/vault/config/self-sign.sls
@@ -0,0 +1,16 @@
+# -*- coding: utf-8 -*-
+# vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent
+
+{% from "vault/map.jinja" import vault with context -%}
+
+vault-config-self-signed-pkg-installed:
+ pkg.installed:
+ - name: openssl
+
+vault-config-self-signed-cmd-script:
+ cmd.script:
+ - source: salt://vault/files/cert-gen.sh.j2
+ - template: jinja
+ - args: {{ vault.self_signed_cert.hostname }} {{ vault.self_signed_cert.password }}
+ - cwd: /etc/vault
+ - creates: /etc/vault/{{ vault.self_signed_cert.hostname }}.pem
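Review bot: The new `vault-config-init-file-serialize` state in vault/config/config.sls drops the `watch_in: - service: vault` requisite that the state removed from `vault/config/init.sls` carried, and the `vault-service-init-file-managed` hunk in `vault/service/init.sls` removes the same requisite from the unit-file state; nothing in the diff adds a `watch` on the service side, so a changed config.json or unit file no longer restarts the `vault` service on converge and the running process keeps serving the old configuration. Unless `vault-service-init-service-running` gains a `watch` in a part of that file not shown, restore the requisite on the serialize state, `- watch_in:` / `  - service: vault`, and likewise on the file.managed state.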
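Review bot: `vault-config-self-signed-cmd-script` in vault/config/self-sign.sls passes `vault.self_signed_cert.password` on the command line through `args:`, so the key password is visible to every local user in the process list while the script runs and is likely to be recorded in the rendered state, the state return and the minion log each time the state is applied; the `creates:` guard only limits how often the script executes, not what gets rendered and logged. Prefer handing the secret to the script through `cmd.script`'s `env:` argument, `- env:` / `  - CERT_PASSWORD: {{ vault.self_signed_cert.password }}`, and reading that variable inside cert-gen.sh.j2 (outside this diff). The state also sets no ownership or mode for the generated files, so the permissions of the key material under /etc/vault are whatever the script leaves; a comment stating that the script is responsible for them, or an explicit `file.managed` with a restrictive mode, would make that contract visible.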
diff --git a/vault/yaml/defaults.yaml b/vault/defaults.yaml
similarity index 98%
rename from vault/yaml/defaults.yaml
rename to vault/defaults.yaml
index 59eb5e6..1283296 100644
--- a/vault/yaml/defaults.yaml
+++ b/vault/defaults.yaml
@@ -6,6 +6,8 @@ vault:
 platform: linux_amd64
 dev_mode: False
 verify_download: True
+ self_signed_cert:
+ enabled: False
 config:
 storage:
 file:
diff --git a/vault/files/cert-gen.sh.jinja b/vault/files/cert-gen.sh.j2
similarity index 100%
rename from vault/files/cert-gen.sh.jinja
rename to vault/files/cert-gen.sh.j2
diff --git a/vault/yaml/initfamilymap.yaml b/vault/initfamilymap.yaml
similarity index 100%
rename from vault/yaml/initfamilymap.yaml
rename to vault/initfamilymap.yaml
diff --git a/vault/map.jinja b/vault/map.jinja
index 812ce2d..ca31ed2 100644
--- a/vault/map.jinja
+++ b/vault/map.jinja
@@ -1,9 +1,9 @@
 # -*- coding: utf-8 -*-
 # vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent
 
-{% import_yaml "vault/yaml/defaults.yaml" as defaults %}
-{% import_yaml "vault/yaml/osfamilymap.yaml" as osfamilymap %}
-{% import_yaml "vault/yaml/initfamilymap.yaml" as initfamilymap %}
+{% import_yaml "vault/defaults.yaml" as defaults %}
+{% import_yaml "vault/osfamilymap.yaml" as osfamilymap %}
+{% import_yaml "vault/initfamilymap.yaml" as initfamilymap %}
 {% set vault = salt['grains.filter_by']( defaults, merge=salt['grains.filter_by'](
diff --git a/vault/yaml/osfamilymap.yaml b/vault/osfamilymap.yaml
similarity index 100%
rename from vault/yaml/osfamilymap.yaml
rename to vault/osfamilymap.yaml
diff --git a/vault/package/init.sls b/vault/package/init.sls
index ab8f360..252c4c0 100644
--- a/vault/package/init.sls
+++ b/vault/package/init.sls
@@ -5,7 +5,7 @@ include:
 - .install
-{%- if vault.verify_download %}
+ {%- if vault.verify_download %}
 - .gpg
 - .signature
-{%- endif %}
+ {%- endif %}
diff --git a/vault/service/clean.sls b/vault/service/clean.sls
index 0af4ea5..8d8a033 100644
--- a/vault/service/clean.sls
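Review bot: The `self_signed_cert` block added to vault/defaults.yaml carries only `enabled: False`, while `vault/config/self-sign.sls`, which `vault/config/init.sls` includes whenever `vault.self_signed_cert.enabled` is truthy, renders `vault.self_signed_cert.hostname` and `vault.self_signed_cert.password`; a pillar that sets `enabled: True` without both keys therefore either fails to render that state with an undefined-variable error or passes empty arguments to the script, depending on the renderer's undefined handling. Add the two keys to the defaults block with a comment such as `# hostname and password must be supplied via pillar when enabled is True`, or make the include in init.sls conditional on all three being set.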
+++ b/vault/service/clean.sls
@@ -1,6 +1,8 @@
 # -*- coding: utf-8 -*-
 # vim: ft=sls syntax=yaml softtabstop=2 tabstop=2 shiftwidth=2 expandtab autoindent
 
+{% from "vault/map.jinja" import vault with context %}
+
 vault-service-clean-service-dead:
 service.dead:
 - name: vault
@@ -8,4 +10,4 @@ vault-service-clean-service-dead:
 
 vault-service-clean-file-absent:
 file.absent:
- - name: /etc/systemd/system/vault.service
+ - name: {{ vault.service.path }}
diff --git a/vault/service/init.sls b/vault/service/init.sls
index 8654698..2cb5b44 100644
--- a/vault/service/init.sls
+++ b/vault/service/init.sls
@@ -8,8 +8,6 @@ vault-service-init-file-managed:
 - name: {{ vault.service.path }}
 - source: {{ vault.service.source }}
 - template: jinja
- - watch_in:
- - service: vault
 
 vault-service-init-service-running:
 service.running: