diff --git a/orientdb/defaults/main.yml b/orientdb/defaults/main.yml
index 70ff4ff9..15a58439 100644
--- a/orientdb/defaults/main.yml
+++ b/orientdb/defaults/main.yml
@@ -20,7 +20,9 @@ orientdb_configuration_files:
- hazelcast.xml
- automatic-backup.json
-orientdb_letsencrypt_ssl_enabled: False
+orientdb_ssl_enabled: False
+orientdb_letsencrypt_ssl_enabled: False
+orientdb_ssl_client_auth_enabled: False
orientdb_hooks_classes:
- { name: 'org.gcube.informationsystem.orientdb.hooks.HeaderHook', position: 'REGULAR' }
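Review bot: The three new flags are written as `False`, which yamllint's truthy rule rejects and which only resolves to a boolean under YAML 1.1 semantics; Ansible's loader accepts it, but the canonical form is lowercase, so `orientdb_ssl_enabled: false` (and the same for `orientdb_letsencrypt_ssl_enabled` and `orientdb_ssl_client_auth_enabled`). The relationship between the three flags is also undocumented: a short comment such as `# orientdb_ssl_enabled turns on the SSL listener; orientdb_letsencrypt_ssl_enabled additionally installs the acme renewal hook; orientdb_ssl_client_auth_enabled requires client certificates` above the first one would tell the next maintainer which combinations are meaningful. The same `False` spelling appears in the removed line, so this is inherited style rather than new, but the commit is the moment to normalise it.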
@@ -34,6 +36,8 @@ orientdb_hooks_classes:
orientdb_binary_protocol_lower_port: 2424
orientdb_binary_protocol_higher_port: 2430
+orientdb_ssl_protocol_lower_port: 2434
+orientdb_ssl_protocol_higher_port: 2440
orientdb_http_protocol_lower_port: 2480
orientdb_http_protocol_higher_port: 2490
diff --git a/orientdb/tasks/main.yml b/orientdb/tasks/main.yml
index 8dc39eca..40353c94 100644
--- a/orientdb/tasks/main.yml
+++ b/orientdb/tasks/main.yml
@@ -66,6 +66,18 @@
tags: orientdb
when: orientdb_install
+- block:
+ - name: Create the acme hooks directory if it does not yet exist
+ file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
+
+ - name: Install a letsencrypt hook to update the orientdb certificate
+ template: src=orientdb-letsencrypt-acme.sh.j2 dest={{ letsencrypt_acme_services_scripts_dir }}/orientdb owner=root group=root mode=4555
+
+ tags: [ 'orientdb', 'letsencrypt' ]
+ when:
+ - orientdb_install
+ - orientdb_letsencrypt_ssl_enabled
+
- block:
- name: Ensure that the service is disabled and stopped
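Review bot: `mode=4555` on the hook template makes the rendered script world-readable while the template body embeds `java_keyring_pwd` (the keystore password appears verbatim in the `keytool -storepass` and `openssl -password pass:` arguments), so any local account can read the keystore password; the setuid bit is also meaningless for a shell script on Linux and only invites questions. Since the acme hook runs as root, `mode=0750` (or `0700`) is sufficient: `template: src=orientdb-letsencrypt-acme.sh.j2 dest={{ letsencrypt_acme_services_scripts_dir }}/orientdb owner=root group=root mode=0750`. The `when` list gates the hook on `orientdb_letsencrypt_ssl_enabled` alone, while the server config template (later hunk in this commit) emits the SSL listener only under `orientdb_ssl_enabled`; presumably the hook should also require `orientdb_ssl_enabled`, otherwise a renewal hook is installed for a listener that is never configured. The module arguments are in `key=value` form; the role's other tasks visible here use the same style, so this is consistent, but block-style arguments would be the Ansible-idiomatic choice. The `- block:` on the last two lines belongs to a task that continues outside the hunk.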
diff --git a/orientdb/templates/orientdb-letsencrypt-acme.sh.j2 b/orientdb/templates/orientdb-letsencrypt-acme.sh.j2
new file mode 100644
index 00000000..c491ca12
--- /dev/null
+++ b/orientdb/templates/orientdb-letsencrypt-acme.sh.j2
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+RETVAL=
+
+# Add the CA certificate if it's not already present
+keytool -list -keystore {{ java_keyring_file }} -storepass {{ java_keyring_pwd }} -noprompt | grep {{ java_keyring_letsencrypt_trusted_ca }}
+RETVAL=$?
+
+if [ $RETVAL -ne 0 ] ; then
+ keytool -trustcacerts -keystore {{ java_keyring_file }} -storepass {{ java_keyring_pwd }} -noprompt -importcert -alias {{ java_keyring_letsencrypt_trusted_ca }} -dname "CN={{ ansible_fqdn }}" -file {{ letsencrypt_acme_certs_dir }}/chain
+fi
+# Remove the old certificate
+keytool -storepass {{ java_keyring_pwd }} -keystore {{ java_keyring_file }} -delete -alias {{ ansible_fqdn }}
+
+# Check if the old certificate is still present. If so, we have a problem. Otherwise, import the new one
+keytool -list -keystore {{ java_keyring_file }} -storepass {{ java_keyring_pwd }} -noprompt | grep {{ ansible_fqdn }}
+RETVAL=$?
+if [ $RETVAL -ne 0 ] ; then
+ openssl pkcs12 -export -in {{ letsencrypt_acme_certs_dir }}/cert -inkey {{ letsencrypt_acme_certs_dir }}/privkey -CAfile {{ letsencrypt_acme_certs_dir }}/chain -name "{{ ansible_fqdn }}" -out /var/tmp/{{ ansible_fqdn }}.p12 -password pass:{{ java_keyring_pwd }}
+ keytool -importkeystore -srcstorepass {{ java_keyring_pwd }} -deststorepass {{ java_keyring_pwd }} -destkeystore {{ java_keyring_file }} -srckeystore /var/tmp/{{ ansible_fqdn }}.p12 -srcstoretype PKCS12
+ rm -f /var/tmp/{{ ansible_fqdn }}.p12
+else
+ logger "orientdb letsencrypt hook: the old certificate is still present inside the keystore, aborting."
+ exit 1
+fi
+
+chmod 440 {{ java_keyring_file }}
+chgrp {{ orientdb_user }} {{ java_keyring_file }}
+/etc/init.d/orientdb stop
+/etc/init.d/orientdb start
+logger "orientdb letsencrypt hook: the keystore has been updated with the renewed certificate."
+
+exit 0
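Review bot: The PKCS12 bundle containing the renewed private key is written to `/var/tmp/{{ ansible_fqdn }}.p12`, a fixed, predictable name in a world-writable directory, with whatever permissions the default umask gives; that is a symlink/pre-creation hazard and may leave the key readable by other users between the `openssl pkcs12 -export` and the `rm -f`. Create it with `mktemp` under a restrictive umask and remove it on every exit path with a `trap`, as sketched below, so the `exit 1` branch and any keytool failure cannot leave the key behind. Separately, `-storepass {{ java_keyring_pwd }}` and `-password pass:{{ java_keyring_pwd }}` put the keystore password on the command line where it is visible in process listings for the lifetime of each call; keytool's `-storepass:env VAR` / `-storepass:file` forms and openssl's `-password env:VAR` avoid that with the password exported once in the script. The `grep {{ ansible_fqdn }}` checks on the keytool listings are unanchored and would also match any alias that merely contains the FQDN; `grep -i "^{{ ansible_fqdn }},"` (keytool lists aliases as the first comma-separated field) is tighter. The script has no `set -e`/`pipefail`, so a failing `keytool -importkeystore` still restarts the service and logs success.
```shell
# … unchanged: shebang, RETVAL, CA import and old-certificate removal …
umask 077
P12_FILE=$(mktemp /var/tmp/orientdb-XXXXXX.p12) || exit 1
trap 'rm -f "$P12_FILE"' EXIT

if [ $RETVAL -ne 0 ] ; then
  openssl pkcs12 -export -in {{ letsencrypt_acme_certs_dir }}/cert -inkey {{ letsencrypt_acme_certs_dir }}/privkey -CAfile {{ letsencrypt_acme_certs_dir }}/chain -name "{{ ansible_fqdn }}" -out "$P12_FILE" -password pass:{{ java_keyring_pwd }} || exit 1
  keytool -importkeystore -srcstorepass {{ java_keyring_pwd }} -deststorepass {{ java_keyring_pwd }} -destkeystore {{ java_keyring_file }} -srckeystore "$P12_FILE" -srcstoretype PKCS12 || exit 1
else
# … unchanged: abort branch, permissions, service restart, logger, exit 0 …
```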
diff --git a/orientdb/templates/orientdb-server-config.xml.j2 b/orientdb/templates/orientdb-server-config.xml.j2
index 7c70423e..101662ff 100644
--- a/orientdb/templates/orientdb-server-config.xml.j2
+++ b/orientdb/templates/orientdb-server-config.xml.j2
@@ -38,20 +38,28 @@
+{% if orientdb_ssl_client_auth_enabled %}
+
+{% else %}
-
-
-
-
+{% endif %}
+
+
+
+
+{% if orientdb_ssl_client_auth_enabled %}
+
+{% else %}
-
-
-
-
+{% endif %}
+
+
+
+
@@ -61,6 +69,9 @@
+{% if orientdb_ssl_enabled %}
+
+{% endif %}