diff --git a/handlers/main.yml b/handlers/main.yml
index c35ea85..454ec3c 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -3,4 +3,5 @@
 - name: "Update the trust store"
 ansible.builtin.command: update-ca-certificates
 changed_when: false
+ become: true
 listen: "update-ca-certificates"
diff --git a/molecule/default_vagrant/converge.yml b/molecule/default_vagrant/converge.yml
new file mode 100644
index 0000000..a49f5c4
--- /dev/null
+++ b/molecule/default_vagrant/converge.yml
@@ -0,0 +1,7 @@
+---
+- name: Converge
+ hosts: all
+ tasks:
+ - name: "Include ednxzu.import_vault_root_ca"
+ ansible.builtin.include_role:
+ name: "ednxzu.import_vault_root_ca"
diff --git a/molecule/default_vagrant/molecule.yml b/molecule/default_vagrant/molecule.yml
new file mode 100644
index 0000000..2b02360
--- /dev/null
+++ b/molecule/default_vagrant/molecule.yml
@@ -0,0 +1,35 @@
+---
+dependency:
+ name: galaxy
+ options:
+ requirements-file: ./requirements.yml
+driver:
+ name: vagrant
+ provider:
+ name: libvirt
+platforms:
+ - name: instance
+ box: generic/${MOLECULE_TEST_OS}
+ cpus: 4
+ memory: 4096
+provisioner:
+ name: ansible
+ config_options:
+ defaults:
+ remote_tmp: /tmp/.ansible
+verifier:
+ name: ansible
+scenario:
+ name: default_vagrant
+ test_sequence:
+ - dependency
+ - cleanup
+ - destroy
+ - syntax
+ - create
+ - prepare
+ - converge
+ - idempotence
+ - verify
+ - cleanup
+ - destroy
diff --git a/molecule/default_vagrant/requirements.yml b/molecule/default_vagrant/requirements.yml
new file mode 100644
index 0000000..ca250b7
--- /dev/null
+++ b/molecule/default_vagrant/requirements.yml
@@ -0,0 +1,4 @@
+---
+# requirements file for molecule
+roles:
+ - name: ednxzu.manage_apt_packages
diff --git a/molecule/default_vagrant/verify.yml b/molecule/default_vagrant/verify.yml
new file mode 100644
index 0000000..cca82cb
--- /dev/null
+++ b/molecule/default_vagrant/verify.yml
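Review bot: The handler keeps `changed_when: false` on `update-ca-certificates`, so a run that really rewrites the system bundle is reported as unchanged, and with the `become: true` added here that is now a privileged change with no change signal in the play recap. `update-ca-certificates` prints an `N added, M removed` summary, so the task can report honestly by registering its result and using `changed_when: "'0 added, 0 removed' not in update_ca_result.stdout"` (exact output wording to be confirmed on the targeted releases). The command is also Debian-family only; the apt role dependency suggests that is intended, but a one-line comment stating the supported distributions would make an unsupported-host failure less confusing.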
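Review bot: `box: generic/${MOLECULE_TEST_OS}` on the platforms entry pulls whatever the latest published version of the community box is at run time, so the test baseline can silently change between CI runs; if the vagrant driver version in use supports it, add `box_version:` next to `box:` to pin it. `remote_tmp: /tmp/.ansible` moves Ansible's working directory into a world-shared tree; Ansible creates it 0700, but the default `~/.ansible/tmp` is normally only a problem when becoming an unprivileged user, which nothing in this role appears to do, so either drop the override or comment why it is needed.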
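Review bot: The galaxy requirement `- name: ednxzu.manage_apt_packages` carries no `version:`, so `molecule dependency` installs whatever is currently published and the test suite's supply chain floats with it; pinning a tag, `version: "<tag>"` under the entry, keeps runs reproducible and reviewable. Nothing in converge.yml invokes this role and no prepare.yml is added in this change, so unless the role's meta pulls it in (not visible here) it may be an unused dependency.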
@@ -0,0 +1,27 @@
+---
+- name: Verify
+ hosts: all
+ gather_facts: true
+ tasks:
+ - name: "Test: directory /usr/local/share/ca-certificates"
+ block:
+ - name: "Stat directory /usr/local/share/ca-certificates"
+ ansible.builtin.stat:
+ path: "/usr/local/share/ca-certificates"
+ register: usr_local_share_ca_certificates
+
+ - name: "Find files in directory /usr/local/share/ca-certificates"
+ ansible.builtin.find:
+ paths: "/usr/local/share/ca-certificates"
+ file_type: file
+ register: usr_local_share_ca_certificates_ls
+
+ - name: "Verify directory /usr/local/share/ca-certificates"
+ ansible.builtin.assert:
+ that:
+ - usr_local_share_ca_certificates.stat.exists
+ - usr_local_share_ca_certificates.stat.isdir
+ - usr_local_share_ca_certificates.stat.pw_name == 'root'
+ - usr_local_share_ca_certificates.stat.gr_name == 'root'
+ - usr_local_share_ca_certificates.stat.mode == '0755'
+ - (usr_local_share_ca_certificates_ls.files|length) == 0
diff --git a/molecule/with_custom_ca_vagrant/converge.yml b/molecule/with_custom_ca_vagrant/converge.yml
new file mode 100644
index 0000000..a49f5c4
--- /dev/null
+++ b/molecule/with_custom_ca_vagrant/converge.yml
@@ -0,0 +1,7 @@
+---
+- name: Converge
+ hosts: all
+ tasks:
+ - name: "Include ednxzu.import_vault_root_ca"
+ ansible.builtin.include_role:
+ name: "ednxzu.import_vault_root_ca"
diff --git a/molecule/with_custom_ca_vagrant/group_vars/all.yml b/molecule/with_custom_ca_vagrant/group_vars/all.yml
new file mode 100644
index 0000000..805668d
--- /dev/null
+++ b/molecule/with_custom_ca_vagrant/group_vars/all.yml
@@ -0,0 +1,5 @@
+---
+import_vault_root_ca_certificate_force_download: false
+import_vault_root_ca_certificate_list:
+ - url: "https://letsencrypt.org/certs/isrg-root-x2.pem"
+ cert_name: "isrg_root"
diff --git a/molecule/with_custom_ca_vagrant/molecule.yml b/molecule/with_custom_ca_vagrant/molecule.yml
new file mode 100644
index 0000000..263943e
--- /dev/null
+++ b/molecule/with_custom_ca_vagrant/molecule.yml
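Review bot: The fixture installs a root CA fetched from `https://letsencrypt.org/certs/isrg-root-x2.pem` into the system trust store with no integrity pin: the only protection is the TLS session to the download host, and the scenario also fails whenever that host is unreachable. If the role's list entries accept a checksum or fingerprint field (the variable schema is not visible in this diff), the fixture should set it to the published ISRG Root X2 SHA-256; if they do not, that is the check a trust-store importer most needs, and the test is the right place to exercise it. `import_vault_root_ca_certificate_force_download: false` presumably restates the role default, so a short comment such as `# explicit: the converted .crt must survive re-runs for the idempotence step` would explain why it is spelled out.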
@@ -0,0 +1,35 @@
+---
+dependency:
+ name: galaxy
+ options:
+ requirements-file: ./requirements.yml
+driver:
+ name: vagrant
+ provider:
+ name: libvirt
+platforms:
+ - name: instance
+ box: generic/${MOLECULE_TEST_OS}
+ cpus: 4
+ memory: 4096
+provisioner:
+ name: ansible
+ config_options:
+ defaults:
+ remote_tmp: /tmp/.ansible
+verifier:
+ name: ansible
+scenario:
+ name: with_custom_ca_vagrant
+ test_sequence:
+ - dependency
+ - cleanup
+ - destroy
+ - syntax
+ - create
+ - prepare
+ - converge
+ - idempotence
+ - verify
+ - cleanup
+ - destroy
diff --git a/molecule/with_custom_ca_vagrant/requirements.yml b/molecule/with_custom_ca_vagrant/requirements.yml
new file mode 100644
index 0000000..ca250b7
--- /dev/null
+++ b/molecule/with_custom_ca_vagrant/requirements.yml
@@ -0,0 +1,4 @@
+---
+# requirements file for molecule
+roles:
+ - name: ednxzu.manage_apt_packages
diff --git a/molecule/with_custom_ca_vagrant/verify.yml b/molecule/with_custom_ca_vagrant/verify.yml
new file mode 100644
index 0000000..e4c276f
--- /dev/null
+++ b/molecule/with_custom_ca_vagrant/verify.yml
@@ -0,0 +1,52 @@
+---
+- name: Verify
+ hosts: all
+ gather_facts: true
+ tasks:
+ - name: "Test: directory /usr/local/share/ca-certificates"
+ block:
+ - name: "Stat directory /usr/local/share/ca-certificates"
+ ansible.builtin.stat:
+ path: "/usr/local/share/ca-certificates"
+ register: usr_local_share_ca_certificates
+
+ - name: "Find files in directory /usr/local/share/ca-certificates"
+ ansible.builtin.find:
+ paths: "/usr/local/share/ca-certificates"
+ file_type: file
+ register: usr_local_share_ca_certificates_ls
+
+ - name: "Verify directory /usr/local/share/ca-certificates"
+ ansible.builtin.assert:
+ that:
+ - usr_local_share_ca_certificates.stat.exists
+ - usr_local_share_ca_certificates.stat.isdir
+ - usr_local_share_ca_certificates.stat.pw_name == 'root'
+ - usr_local_share_ca_certificates.stat.gr_name == 'root'
+ - usr_local_share_ca_certificates.stat.mode == '0755'
+ - (usr_local_share_ca_certificates_ls.files|length) == 1
+ - (usr_local_share_ca_certificates_ls.files[0].path|basename) == 'isrg_root.crt'
+
+ - name: "Test: certificate isrg_root.crt"
+ block:
+ - name: "Stat file /usr/local/share/ca-certificates/isrg_root.crt"
+ ansible.builtin.stat:
+ path: "/usr/local/share/ca-certificates/isrg_root.crt"
+ register: isrg_root_file
+
+ - name: "Get certificate info"
+ community.crypto.x509_certificate_info:
+ path: "/usr/local/share/ca-certificates/isrg_root.crt"
+ register: isrg_root_pem
+
+ - name: "Verify certificate is readable"
+ ansible.builtin.assert:
+ that:
+ - isrg_root_file.stat.exists
+ - isrg_root_file.stat.isreg
+ - isrg_root_file.stat.pw_name == 'root'
+ - isrg_root_file.stat.gr_name == 'root'
+ - isrg_root_file.stat.mode == '0644'
+ - not isrg_root_pem.failed
+ - not isrg_root_pem.expired
+ - isrg_root_pem.issuer == isrg_root_pem.subject
diff --git a/tasks/import.yml b/tasks/import.yml
index 2e4269f..22dcdca 100644
--- a/tasks/import.yml
+++ b/tasks/import.yml
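Review bot: The certificate assertions at the end of the hunk accept any self-signed, unexpired certificate: `isrg_root_pem.issuer == isrg_root_pem.subject` does not show the file is ISRG Root X2, and `not isrg_root_pem.failed` is always true because a failing `x509_certificate_info` task would already have aborted the play. Assert on identity instead, e.g. `- isrg_root_pem.subject.commonName == 'ISRG Root X2'`, and ideally on the certificate's published SHA-256 via `isrg_root_pem.fingerprints.sha256`, which is what a trust-store test should pin. Nothing here checks that `update-ca-certificates` actually picked the file up; on Debian-family systems it creates `/etc/ssl/certs/isrg_root.pem` as a symlink to the drop-in file, so a `stat` of that path (confirm the naming on the targeted releases) would verify the handler's effect rather than only the staged `.crt`.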
@@ -23,7 +23,6 @@
 cmd: openssl x509 -inform {{ 'PEM' if item.rc == 0 else 'DER' }} -in {{ item.item.dest }} -out {{ import_vault_root_ca_cert_dir }}/{{ item.item.item.cert_name }}.crt -outform pem
 creates: "{{ import_vault_root_ca_cert_dir }}/{{ item.item.item.cert_name }}.crt"
 loop: "{{ cert_format_results.results }}"
+ become: true
 notify:
 - update-ca-certificates
- # loop_control:
- # loop_var: item
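Review bot: `cert_name` is interpolated unvalidated into both the `openssl ... -out` path and the `creates:` path, so a list entry named like `../../etc/ssl/certs/x` writes a PEM outside `import_vault_root_ca_cert_dir`, now as root because of the `become: true` added here, and a name containing whitespace is split into extra arguments by `ansible.builtin.command`'s free-form parsing. Validate the list before this loop with an `ansible.builtin.assert` such as `that: item.cert_name is match('^[A-Za-z0-9._-]+$')`, or move the command to the `argv:` form so each path is a single argument. `creates:` also means a converted `.crt` is never regenerated once present, so if force_download re-fetches a rotated source certificate the trust store keeps the stale copy (force_download semantics are not visible in this hunk). The task's `- name:` and the start of its `ansible.builtin.command:` block are above the hunk.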