diff --git a/roles/vault/tasks/shared/issue_cert.yml b/roles/vault/tasks/shared/issue_cert.yml index 0733e86a0..786112d24 100644 --- a/roles/vault/tasks/shared/issue_cert.yml +++ b/roles/vault/tasks/shared/issue_cert.yml @@ -38,7 +38,9 @@ format: "{{ issue_cert_format | d('pem') }}" ip_sans: "{{ issue_cert_ip_sans | default([]) | join(',') }}" register: issue_cert_result - when: inventory_hostname == issue_cert_hosts|first + when: + - inventory_hostname in play_hosts + - inventory_hostname == issue_cert_hosts|first - name: issue_cert | Copy the cert to all hosts copy: @@ -47,6 +49,9 @@ group: "{{ issue_cert_file_group | d('root' )}}" mode: "{{ issue_cert_file_mode | d('0644') }}" owner: "{{ issue_cert_file_owner | d('root') }}" + when: + - inventory_hostname in play_hosts + - inventory_hostname == issue_cert_hosts|first - name: issue_cert | Copy the key to all hosts copy: @@ -55,6 +60,9 @@ group: "{{ issue_cert_file_group | d('root' )}}" mode: "{{ issue_cert_file_mode | d('0640') }}" owner: "{{ issue_cert_file_owner | d('root') }}" + when: + - inventory_hostname in play_hosts + - inventory_hostname == issue_cert_hosts|first - name: issue_cert | Copy issuing CA cert copy: @@ -63,4 +71,7 @@ group: "{{ issue_cert_file_group | d('root' )}}" mode: "{{ issue_cert_file_mode | d('0644') }}" owner: "{{ issue_cert_file_owner | d('root') }}" - when: issue_cert_copy_ca|default(false) + when: + - inventory_hostname in play_hosts + - inventory_hostname == issue_cert_hosts|first + - issue_cert_copy_ca|default(false)
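Review bot: In the first hunk (the task that registers `issue_cert_result`), the added `inventory_hostname in play_hosts` looks like it is always true, because a host that is executing the task is already part of the play. If the aim is to cope with runs where `issue_cert_hosts|first` is excluded from the play (for example by `--limit`), this does not achieve it: no host satisfies both conditions and nothing is issued. Picking the issuer from the hosts actually in the play would cover that case, e.g. `when: inventory_hostname == (issue_cert_hosts | intersect(ansible_play_hosts)) | first`. `play_hosts` is also documented as deprecated, so `ansible_play_hosts` or `ansible_play_batch` is preferable where the supported Ansible version provides it. The task starts above the hunk, so any `run_once` or `delegate_to` on it is not visible here.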
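Review bot: The `when` added to "issue_cert | Copy the cert to all hosts" (second hunk) includes `inventory_hostname == issue_cert_hosts|first`, so the cert is now written only on the first host, which contradicts the task name. The same condition is added to "Copy the key to all hosts" and "Copy issuing CA cert" in the third and fourth hunks. Before this change the first two copy tasks had no `when`, and the CA copy was gated only on `issue_cert_copy_ca`. If the other members of `issue_cert_hosts` are still meant to receive the cert, key and CA, drop the first-host condition from the three copy tasks and keep only the membership check, e.g. `when: inventory_hostname in issue_cert_hosts` (plus `issue_cert_copy_ca|default(false)` on the CA task). The copy tasks begin above each hunk, so their `content`/`dest` lines are not visible here.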
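Review bot: In the third hunk, the key-copy task takes its mode from `issue_cert_file_mode`, the same variable the cert and CA tasks use, with only the default differing (`d('0640')` against `d('0644')`). A caller who sets `issue_cert_file_mode: '0644'` for the certificate therefore also makes the private key world-readable. A separate variable for the key would avoid that, e.g. `mode: "{{ issue_cert_key_file_mode | d('0640') }}"` (the variable name is a suggestion, not an existing one). The task's `content` line is above the hunk; if it writes the key from the registered Vault response, adding `no_log: true` to this task and to the issuing task would keep the key out of verbose, `--diff` and callback output.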