diff --git a/manifests/named_vhost.pp b/manifests/named_vhost.pp
index d660788f1db71a6d4f23bb3518f43c9195983588..fce812fcc62858931d7a5aa11d748b9f7af6320f 100644
--- a/manifests/named_vhost.pp
+++ b/manifests/named_vhost.pp
@@ -1,4 +1,4 @@
-# Copyright (C) 2014 Thomas Bellman.
+# Copyright (C) 2014-2020 Thomas Bellman.
 # Licensed under the GNU LGPL v3+; see the README file for more information.
 
 
@@ -22,6 +22,14 @@ import "nsc-puppet-utils"
  *    into 'ServerName' and 'ServerAlias' directives.  Defaults to the
  *    hostnames (before resolving) in the 'urls' parameter if not specified.
  *
+ *  - certname
+ *    If set, specifies the basename of server certificate files, for
+ *    certificate, key, and chain.  This is the same name as used in the
+ *    x509certs::hostcert::separate definition in the NSC x509certs module.
+ *    Httpd configuration to enable TLS and use those certificate files
+ *    will be inserted in the virtual host configuration, but users needs
+ *    to install the files themselves, using x509certs::hostcert::separate.
+ *
  *  - documentroot
  *    The document root for the virtual host.  Optional (Apache will by
  *    default inherit this setting from the server-global setting).
@@ -41,8 +49,11 @@ import "nsc-puppet-utils"
 # but we do not want to guess the protocol, or imply a preference of
 # e.g. http over https.
 
-define apache::named_vhost($urls, $servernames=[],
-			   $documentroot='', $config=undef,
+define apache::named_vhost($urls,
+			   $servernames=[],
+			   $certname=false,
+			   $documentroot='',
+			   $config=undef,
 			   $ensure='present')
 {
     include apache
diff --git a/templates/named_vhost.conf.erb b/templates/named_vhost.conf.erb
index 9e72c4784ec12637c5fdb7cb9f0728a543f6aab0..9382aab35b7a2f9931812e4a8a203bb2729ddc0e 100644
--- a/templates/named_vhost.conf.erb
+++ b/templates/named_vhost.conf.erb
@@ -1,4 +1,7 @@
 <%
+    # Copyright (C) 2014-2020 Thomas Bellman.
+    # Licensed under the GNU LGPL v3+; see the README file for more information.
+
     httpd_version = scope.lookupvar('apache::standard_version')
 
     server_names = []
@@ -72,6 +75,16 @@ NameVirtualHost <%= addr %>
 <% server_names[1..-1].each do |aliasname| -%>
     ServerAlias <%= aliasname %>
 <% end -%>
+<% if @certname && @certname != ''
+    certdir = scope.lookupvar('x509certs::pki_certdir')
+    keydir  = scope.lookupvar('x509certs::pki_keydir')
+-%>
+    SSLEngine on
+    SSLCertificateFile <%= certdir %>/<%= @certname %>-cert.pem
+    SSLCertificateKeyFile <%= keydir %>/<%= @certname %>-key.pem
+    SSLCertificateChainFile <%= certdir %>/<%= @certname %>-chain.pem
+
+<% end -%>
 <% if @documentroot && @documentroot != '' -%>
     DocumentRoot  <%= @documentroot %>
 <% end -%>