diff --git a/playbooks/group_vars/all/hashistack_ca.yml b/playbooks/group_vars/all/hashistack_ca.yml
index 6321ac7..5dc7d11 100644
--- a/playbooks/group_vars/all/hashistack_ca.yml
+++ b/playbooks/group_vars/all/hashistack_ca.yml
@@ -1,6 +1,6 @@
 ---
 # defaults
-hashistack_ca_directory: "/etc/hashistack/certificates"
+hashistack_ca_directory: "{{ hashistack_sub_configuration_directories['certificates'] }}"
 hashistack_ca_use_cryptography: false
 hashistack_ca_action: "noop"
 hashistack_ca_domain: example.com
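Review bot: The new default for `hashistack_ca_directory` is a bare dictionary lookup with no `default` filter, so `hashistack_sub_configuration_directories` must be defined with a `certificates` key wherever this `group_vars/all` file is in scope, and a missing key now errors when the variable is first used instead of falling back to `/etc/hashistack/certificates`. Failing loudly is the right call for CA and leaf-key material — a silent fallback could write keys to a path the services never read — but the coupling is invisible from this file and deserves a comment above the key: `# Derived from hashistack_sub_configuration_directories['certificates']; that map must define the key (no fallback path).`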
@@ -79,41 +79,26 @@ hashistack_ca_leaf_renew_threshold: 30d
 ############################
 hashistack_ca_consul_org_name: "{{ hashistack_ca_root_org_name }}"
 hashistack_ca_consul_common_name: "{{ inventory_hostname }}"
-hashistack_ca_consul_csr_sans: >-
-  {%- set sans_list = [
-    'DNS:' + inventory_hostname,
-    'DNS:consul.service.consul',
-    'DNS:localhost',
-    'IP:' + api_interface_address,
-    'IP:127.0.0.1'
-  ] -%}
-  {%- if consul_enable_server -%}
-    {%- set _ = sans_list.append('DNS:server.' ~ consul_datacenter ~ '.' ~ consul_domain) -%}
-  {%- endif -%}
-  {{ sans_list }}
+hashistack_ca_consul_csr_sans:
+  - "DNS:{{ inventory_hostname }}"
+  - "DNS:consul.service.consul"
+  - "DNS:localhost"
+  - "IP:{{ api_interface_address }}"
+  - "IP:127.0.0.1"
+  - "{{ 'DNS:server.' ~ consul_datacenter ~ '.' ~ consul_domain if consul_enable_server else omit }}"
 
 ###########################
 # Nomad Leaf Certificates #
 ###########################
 hashistack_ca_nomad_org_name: "{{ hashistack_ca_root_org_name }}"
 hashistack_ca_nomad_common_name: "{{ inventory_hostname }}"
-hashistack_ca_nomad_csr_sans: >-
-  {%- set sans_list = [
-    'DNS:' + inventory_hostname,
-    'DNS:localhost',
-    'IP:' + api_interface_address,
-    'IP:127.0.0.1'
-  ] -%}
-  {%- if nomad_enable_server -%}
-    {%- set _ = sans_list.append('DNS:server.' ~ nomad_region ~ '.nomad') -%}
-    {%- if (enable_consul | bool) -%}
-      {%- set _ = sans_list.append('DNS:nomad.service.consul') -%}
-    {%- endif -%}
-  {%- endif -%}
-  {%- if nomad_enable_client -%}
-    {%- set _ = sans_list.append('DNS:client.' ~ nomad_region ~ '.nomad') -%}
-  {%- endif -%}
-  {{ sans_list }}
+hashistack_ca_nomad_csr_sans:
+  - "DNS:{{ inventory_hostname }}"
+  - "DNS:localhost"
+  - "IP:{{ api_interface_address }}"
+  - "IP:127.0.0.1"
+  - "{{ 'DNS:server.' ~ nomad_region ~ '.nomad' if nomad_enable_server else omit }}"
+  - "{{ 'DNS:nomad.service.consul' if (nomad_enable_server and enable_consul) else omit }}"
 
 ###########################
 # Vault Leaf Certificates #
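Review bot: `omit` in the conditional items of the new `hashistack_ca_consul_csr_sans` and `hashistack_ca_nomad_csr_sans` lists does not drop the item — Ansible's `omit` is a placeholder string that only removes a module argument whose entire value is the placeholder, so on any host where `consul_enable_server` / `nomad_enable_server` is false the SAN list carries a literal `__omit_place_holder__…` entry; the CSR module should reject that as an unparseable SAN, and if any consumer passed it through it would become a bogus name on a cluster certificate. Build the optional tail by list concatenation instead, rendered through `>-` as the removed block already did, so no sentinel ever reaches the CSR. Separately, the removed Nomad block added `DNS:client.<region>.nomad` when `nomad_enable_client` was set and the new list has no counterpart — if Nomad clients are expected to present that name this is a silent drop, and if it is intentional a one-line comment saying so would stop the next reader from re-adding it. I am assuming these variables are consumed directly as the `subject_alt_name` list; if they are post-processed elsewhere that filter would need the same check.

```yaml
hashistack_ca_consul_csr_sans: >-
  {{ [
       'DNS:' ~ inventory_hostname,
       'DNS:consul.service.consul',
       'DNS:localhost',
       'IP:' ~ api_interface_address,
       'IP:127.0.0.1'
     ]
     + (['DNS:server.' ~ consul_datacenter ~ '.' ~ consul_domain] if consul_enable_server else []) }}

# … unchanged: Nomad section header, hashistack_ca_nomad_org_name, hashistack_ca_nomad_common_name …

hashistack_ca_nomad_csr_sans: >-
  {{ [
       'DNS:' ~ inventory_hostname,
       'DNS:localhost',
       'IP:' ~ api_interface_address,
       'IP:127.0.0.1'
     ]
     + (['DNS:server.' ~ nomad_region ~ '.nomad'] if nomad_enable_server else [])
     + (['DNS:nomad.service.consul'] if (nomad_enable_server and enable_consul) else []) }}
```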
@@ -122,9 +107,9 @@ hashistack_ca_vault_org_name: "{{ hashistack_ca_root_org_name }}"
 hashistack_ca_vault_common_name: "{{ inventory_hostname }}"
 hashistack_ca_vault_csr_sans:
   - "DNS:{{ inventory_hostname }}"
-  - "DNS:active.vault.service.consul"
-  - "DNS:standby.vault.service.consul"
-  - "DNS:vault.service.consul"
+  - "{{ 'DNS:active.vault.service.consul' if enable_consul else omit }}"
+  - "{{ 'DNS:standby.vault.service.consul' if enable_consul else omit }}"
+  - "{{ 'DNS:vault.service.consul' if enable_consul else omit }}"
   - "DNS:localhost"
   - "IP:{{ api_interface_address }}"
   - "IP:127.0.0.1"
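Review bot: The three `… if enable_consul else omit` items in `hashistack_ca_vault_csr_sans` will not be omitted when Consul is disabled — `omit` only works as the whole value of a module argument, so inside a list element it leaves the literal `__omit_place_holder__…` string behind, and the Vault CSR then contains three unparseable SAN entries (the CSR module should fail on them; if it did not, they would be junk names on the Vault certificate). Splice the Consul names in by list concatenation instead, which is both omit-free and keeps the three names together as one conditional group. As a hedged aside: these SANs hard-code the `.service.consul` suffix while the Consul server SAN in the preceding hunk is built from `consul_domain`; if that domain is meant to be overridable, deriving the suffix from it here would keep the Vault certificate valid under a non-default Consul domain.

```yaml
hashistack_ca_vault_csr_sans: >-
  {{ ['DNS:' ~ inventory_hostname]
     + (['DNS:active.vault.service.consul',
         'DNS:standby.vault.service.consul',
         'DNS:vault.service.consul'] if enable_consul else [])
     + ['DNS:localhost', 'IP:' ~ api_interface_address, 'IP:127.0.0.1'] }}
```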