diff --git a/manifests/mod_ssl.pp b/manifests/mod_ssl.pp
new file mode 100644
index 0000000000000000000000000000000000000000..a04fa68fa8d8c66923c91bdb0c4f8dc7405b5ffd
--- /dev/null
+++ b/manifests/mod_ssl.pp
@@ -0,0 +1,52 @@
+import "apache"
+
+
+/*
+ * Install the Apache mod_ssl module.
+ * Note that unlike the ssl.conf that comes with the normal mod_ssl
+ * package, we do not add a 'Listen 443' directive.
+ */
+class apache::mod_ssl
+{
+    include apache
+
+    $default_options = {
+	'SSLSessionCache'	 => 'shmcb:/var/cache/mod_ssl/scache(512000)',
+	'SSLSessionCacheTimeout' => '300',
+	'SSLMutex'		 => 'default',
+	'SSLRandomSeed startup'	 => 'file:/dev/urandom 256',
+	'SSLRandomSeed connect'	 => 'builtin',
+	'SSLCryptoDevice'	 => 'builtin',
+    }
+    package {
+	'mod_ssl':
+	    ensure => installed,
+	    # We want conf.d to be cleaned up from whatever mod_ssl puts there
+	    before => File[$apache::configdir];
+    }
+    apache::module::globalconfig {
+	'ssl':
+	    loadmodule => 'ssl_module modules/mod_ssl.so',
+	    directives => [],
+	    defaultoptions => $default_options,
+	    options => { },
+	    require => Package['mod_ssl'];
+    }
+}
+
+
+class apache::mod_ssl::absent
+      inherits apache::mod_ssl
+{
+    # Remove the configuration referencing the module before the actual
+    # module, in case the machine reboots in the middle.
+    Package['mod_ssl'] {
+	ensure => absent,
+	before => [],
+    }
+    Apache::Module::Globalconfig['ssl'] {
+	ensure => absent,
+	require => [],
+	before => Package['mod_ssl'],
+    }
+}