diff --git a/.github/workflows/molecule.yml b/.github/workflows/molecule.yml
index 86984c4..f2ba51b 100644
--- a/.github/workflows/molecule.yml
+++ b/.github/workflows/molecule.yml
@@ -14,8 +14,14 @@ jobs:
strategy:
matrix:
- distro: [rockylinux8, rockylinux9, ubuntu2204]
- scenario: [default, renew, ca-renew]
+ distro:
+ - rockylinux8
+ - rockylinux9
+ - ubuntu2204
+ scenario:
+ - default
+ - renew
+ - ca-renew
steps:
- name: Check out code
uses: actions/checkout@v4
@@ -37,3 +43,44 @@ jobs:
PY_COLORS: '1'
ANSIBLE_FORCE_COLOR: '1'
MOLECULE_DISTRO: ${{ matrix.distro }}
+
+ logstash:
+ runs-on: ubuntu-latest
+
+ strategy:
+ matrix:
+ distro:
+ - rockylinux8
+ - rockylinux9
+ - ubuntu2204
+ scenario:
+ - logstash
+ release:
+ - 7
+ - 8
+ steps:
+ - name: Check out code
+ uses: actions/checkout@v4
+
+ - name: Set up Python 3.9
+ uses: actions/setup-python@v4
+ with:
+ python-version: 3.9
+
+ - name: Install dependencies
+ run: |
+ python3 -m pip install --upgrade pip
+ python3 -m pip install -r requirements-test.txt
+ # workaround for broken galaxy information in the collection
+ ansible-galaxy collection install git+https://github.com/NETWAYS/ansible-collection-elasticstack.git
+ #mkdir -p ~/.ansible/collections/ansible-collections/netways
+ #git clone https://github.com/NETWAYS/ansible-collection-elasticstack.git ~/.ansible/collections/ansible-collections/netways/elasticstack
+
+ - name: ${{ matrix.scenario }} molecule test
+ run: |
+ molecule test -s ${{ matrix.scenario }}
+ env:
+ PY_COLORS: '1'
+ ANSIBLE_FORCE_COLOR: '1'
+ MOLECULE_DISTRO: ${{ matrix.distro }}
+ ELASTIC_RELEASE: ${{ matrix.release }}
diff --git a/molecule/logstash/converge.yml b/molecule/logstash/converge.yml
new file mode 100644
index 0000000..a9b256d
--- /dev/null
+++ b/molecule/logstash/converge.yml
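Review bot: The `ansible-galaxy collection install git+https://github.com/NETWAYS/ansible-collection-elasticstack.git` line in the new logstash job's Install dependencies step installs whatever the upstream default branch currently points at, so every CI run tests against an unpinned collection revision and an upstream change (or a compromised upstream) changes the result of this workflow without any change in this repository. Pin the revision with ansible-galaxy's comma syntax, `ansible-galaxy collection install git+https://github.com/NETWAYS/ansible-collection-elasticstack.git,<tag-or-commit>`, and bump it deliberately. Two smaller points in the same hunk: `python-version: 3.9` is an unquoted float and should be `python-version: "3.9"` so the value survives a later bump to 3.10, and the commented-out `#mkdir`/`#git clone` lines describe an alternative to the line directly above them and can be dropped once the git install is pinned.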
@@ -0,0 +1,32 @@
+---
+# The workaround for arbitrarily named role directory is important because the
+# git repo has one name and the role within it another
+# Found at:
+# https://github.com/ansible-community/molecule/issues/1567#issuecomment-436876722
+- name: Converge
+ hosts: all
+ collections:
+ - netways.elasticstack
+ vars:
+ ca_ca_host: ca_default
+ ca_logstash: true
+ ca_openssl_cipher: auto
+ ca_ca_dir: /opt/logstash-ca
+ ca_keypassphrase: "moleculetest"
+ logstash_certs_dir: /opt/logstash-ca
+ logstash_beats_tls: true
+ elasticstack_release: "{{ lookup('env', 'ELASTIC_RELEASE') | int}}"
+ elasticstack_no_log: false
+ elasticstack_full_stack: false
+ tasks:
+ - name: "Include CA role"
+ include_role:
+ name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
+
+ - name: "Include Elastic repos role"
+ include_role:
+ name: repos
+
+ - name: "Include Logstash role"
+ include_role:
+ name: logstash
diff --git a/molecule/logstash/molecule.yml b/molecule/logstash/molecule.yml
new file mode 100644
index 0000000..12c8e3a
--- /dev/null
+++ b/molecule/logstash/molecule.yml
@@ -0,0 +1,32 @@
+---
+dependency:
+ name: galaxy
+driver:
+ name: docker
+platforms:
+ - name: ca_default
+ image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
+ command: ${MOLECULE_DOCKER_COMMAND:-""}
+ volumes:
+ - /sys/fs/cgroup:/sys/fs/cgroup:rw
+ privileged: true
+ pre_build_image: true
+ cgroupns_mode: host
+ - name: ca_default_client
+ image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
+ command: ${MOLECULE_DOCKER_COMMAND:-""}
+ volumes:
+ - /sys/fs/cgroup:/sys/fs/cgroup:rw
+ privileged: true
+ pre_build_image: true
+ groups:
+ - molecule
+ cgroupns_mode: host
+provisioner:
+ name: ansible
+verifier:
+ name: ansible
+lint: |
+ set -e
+ yamllint .
+ ansible-lint .
diff --git a/molecule/logstash/prepare.yml b/molecule/logstash/prepare.yml
new file mode 100644
index 0000000..0e2fd87
--- /dev/null
+++ b/molecule/logstash/prepare.yml
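Review bot: `elasticstack_release: "{{ lookup('env', 'ELASTIC_RELEASE') | int}}"` in the Converge vars turns a missing ELASTIC_RELEASE into release 0 rather than an error, because the env lookup yields an empty string and the `int` filter converts that to its default of 0; a local `molecule test -s logstash` run without the variable then fails somewhere inside the repos/logstash roles with an unrelated message. Either default it explicitly, `elasticstack_release: "{{ lookup('env', 'ELASTIC_RELEASE') | default('8', true) | int }}"` (8 being one of the two values the workflow matrix supplies), or add an assert task before the include_role tasks that checks the value is one of the supported releases. The comment block at the top explains the role-directory workaround well; a short comment next to the Include CA role task, `# role name comes from the checkout directory, see workaround note above`, would tie the explanation to the line it applies to.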
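Review bot: Both platforms in molecule.yml run with `privileged: true`, a read-write bind of `/sys/fs/cgroup` and `cgroupns_mode: host`, which gives the test containers effectively unrestricted access to the runner, and nothing in the file says why. A comment above the first platform such as `# privileged + host cgroup namespace: presumed necessary for systemd inside the geerlingguy images — do not reuse outside test scenarios` documents the trade-off so the settings are neither copied elsewhere nor dropped without understanding what breaks. Separately, the `lint:` block at the bottom is only honoured by Molecule versions that still ship a lint command; if requirements-test.txt (outside this diff) pins a newer Molecule, the block is silently ignored and yamllint/ansible-lint should run as explicit workflow steps instead, so worth confirming.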
@@ -0,0 +1,30 @@
+---
+- name: Prepare
+ hosts: all
+ tasks:
+
+ - name: Install Python libraries
+ pip:
+ name: cryptography>= 1.2.3
+
+ - name: Install packages for RHEL
+ package:
+ name:
+ - iproute
+ - NetworkManager
+ when: ansible_os_family == "RedHat"
+
+ - name: Start NetworkManager
+ service:
+ name: NetworkManager
+ state: started
+ enabled: yes
+ when: ansible_os_family == "RedHat"
+
+ - name: Install common packages
+ package:
+ name:
+ - gpg
+ - gpg-agent
+ update_cache: yes
+ when: ansible_os_family == "Debian"
diff --git a/molecule/logstash/requirements.yml b/molecule/logstash/requirements.yml
new file mode 100644
index 0000000..887c57b
--- /dev/null
+++ b/molecule/logstash/requirements.yml
@@ -0,0 +1,8 @@
+---
+roles:
+collections:
+ - community.crypto
+ #- name: netways.elasticstack
+ # source: https://github.com/NETWAYS/ansible-collection-elasticstack.git
+ # scm: git
+ # version: main
diff --git a/molecule/logstash/verify.yml b/molecule/logstash/verify.yml
new file mode 100644
index 0000000..d0476b4
--- /dev/null
+++ b/molecule/logstash/verify.yml
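Review bot: `enabled: yes` in the Start NetworkManager task and `update_cache: yes` in Install common packages are YAML 1.1 truthy spellings; yamllint's truthy rule and ansible-lint's yaml[truthy] both flag them, and this scenario's own lint command runs exactly those two tools, so the lint step will complain about a file the scenario ships with. Write them as `enabled: true` and `update_cache: true`. The pip requirement `cryptography>= 1.2.3` also carries a stray space after the operator; pip tolerates whitespace inside a specifier, but `name: cryptography>=1.2.3` is the conventional form and will not be mistaken for a typo.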
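Review bot: `roles:` with no value in requirements.yml parses as null rather than an empty list, so any consumer that iterates the roles entry has to special-case it; write `roles: []` or drop the key, since only collections are listed. The four commented-out lines for netways.elasticstack record the galaxy alternative to the git install the workflow performs; if they are kept, a one-line comment above them stating why the galaxy entry is not used (the workflow calls it broken galaxy information in the collection) saves the next reader from re-trying it.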
@@ -0,0 +1,48 @@
+---
+
+- name: Verify
+ hosts: all
+ vars:
+ ca_ca_dir: /opt/ca
+ ca_client_ca_dir: /opt/ca
+ tasks:
+
+ - name: Verify signature on certificate
+ command: >
+ openssl verify
+ -verbose
+ -CAfile {{ ca_ca_dir }}/ca.crt
+ {{ ca_client_ca_dir }}/{{ inventory_hostname }}.crt
+
+ - name: Verify signature on server certificate
+ command: >
+ openssl verify
+ -verbose
+ -CAfile {{ ca_ca_dir }}/ca.crt
+ {{ ca_client_ca_dir }}/{{ inventory_hostname }}-server.crt
+
+ - name: Check if instance key is present
+ stat:
+ path: "{{ ca_client_ca_dir }}/{{ inventory_hostname }}.key"
+ register: instance_key_stat
+
+ - name: Fail if instance key is missing
+ fail:
+ msg: "Instance key is missing"
+ when:
+ - not instance_key_stat.stat.exists | bool
+
+ - name: Check if Logstash key is present
+ stat:
+ path: "{{ ca_client_ca_dir }}/{{ inventory_hostname }}-pkcs8.key"
+ register: logstash_key_stat
+
+ - name: Fail if Logstash key is missing
+ fail:
+ msg: "Logstash key is missing"
+ when:
+ - not logstash_key_stat.stat.exists | bool
+
+ - name: Check for running Logstash
+ wait_for:
+ port: 5044
diff --git a/tasks/main.yml b/tasks/main.yml
index 5a22d26..f4bba72 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -262,6 +262,7 @@
community.crypto.openssl_csr:
path: "{{ ca_client_ca_dir }}/{{ inventory_hostname }}-etcd.csr"
privatekey_path: "{{ ca_client_ca_dir }}/{{ inventory_hostname }}.key"
+ privatekey_passphrase: "{{ ca_keypassphrase | default(omit, true) }}"
country_name: "{{ ca_country }}"
organization_name: "{{ ca_organization }}"
common_name: "{{ inventory_hostname }}"
@@ -329,6 +330,7 @@
community.crypto.openssl_csr:
path: "{{ ca_client_ca_dir }}/{{ inventory_hostname }}-etcd-server.csr"
privatekey_path: "{{ ca_client_ca_dir }}/{{ inventory_hostname }}.key"
+ privatekey_passphrase: "{{ ca_keypassphrase | default(omit, true) }}"
country_name: "{{ ca_country }}"
organization_name: "{{ ca_organization }}"
common_name: "{{ inventory_hostname }}"
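Review bot: The Verify play hard-codes `ca_ca_dir: /opt/ca` and `ca_client_ca_dir: /opt/ca`, while converge.yml in this same change sets `ca_ca_dir: /opt/logstash-ca` and `logstash_certs_dir: /opt/logstash-ca`, so the openssl verify and stat tasks look in a different directory from the one the CA role was told to write to; unless the role also places its output under /opt/ca, verification either fails or checks artifacts left by another scenario. Set the two vars to the paths converge uses, or keep them in one shared vars file so the plays cannot drift apart again. The two `command: >` tasks also lack `changed_when: false`, which ansible-lint (run by this scenario's lint command) reports as no-changed-when; adding `changed_when: false` under each command keeps the verify run lint-clean and its output honest about not changing anything.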
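Review bot: `privatekey_passphrase: "{{ ca_keypassphrase | default(omit, true) }}"` makes the passphrase a module argument of this openssl_csr task, so it is printed in verbose and failure output unless the task is marked `no_log`; the task header and any existing `no_log` are outside the hunk, so confirm it is set (e.g. `no_log: true`, or whatever toggle the role already uses for its key-handling tasks). The same line is added to the second openssl_csr task in the -329,6 +330,7 hunk and the same check applies there. `default(omit, true)` correctly treats an empty `ca_keypassphrase` as "no passphrase", which keeps the unencrypted-key case working.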