diff --git a/global/overlay/etc/puppet/modules/soc/manifests/satosa.pp b/global/overlay/etc/puppet/modules/soc/manifests/satosa.pp
index 24b2650..c508766 100644
--- a/global/overlay/etc/puppet/modules/soc/manifests/satosa.pp
+++ b/global/overlay/etc/puppet/modules/soc/manifests/satosa.pp
@@ -101,9 +101,6 @@ class sunet::satosa(
         allow_clients => 'any',
         port          => 80,
       }
-    } elseif ($ext_cert) and ($ext_cert_key) {
-      file { '/etc/satosa/https.key': ensure => link, target => $ext_cert_key }
-      file { '/etc/satosa/https.crt': ensure => link, target => $ext_cert }
     } else {
       sunet::misc::ufw_allow { 'allow-http':
         from => 'any',
@@ -112,6 +109,9 @@ class sunet::satosa(
     }
     file { '/etc/satosa/https.key': ensure => link, target => "/etc/dehydrated/certs/${dehydrated_name}.key" }
     file { '/etc/satosa/https.crt': ensure => link, target => "/etc/dehydrated/certs/${dehydrated_name}/fullchain.pem" }
+  } elsif ($ext_cert) and ($ext_cert_key) {
+      file { '/etc/satosa/https.key': ensure => link, target => $ext_cert_key }
+      file { '/etc/satosa/https.crt': ensure => link, target => $ext_cert }
   } else {
     sunet::snippets::keygen {'satosa_https':
       key_file  => '/etc/satosa/https.key',