diff --git a/deployment/host_vars/localhost.yml b/deployment/host_vars/localhost.yml
index a065ca0..faae0b7 100644
--- a/deployment/host_vars/localhost.yml
+++ b/deployment/host_vars/localhost.yml
@@ -24,7 +24,7 @@ oidc_urls:
     host: hydra.cacert.localhost
     port: 4445
   hydra_public:
-    address: localhost
+    address: 127.0.0.1
     host: auth.cacert.localhost
     port: 4444
   idp:
diff --git a/deployment/roles/hydra_server/tasks/main.yml b/deployment/roles/hydra_server/tasks/main.yml
index 7043c75..967d019 100644
--- a/deployment/roles/hydra_server/tasks/main.yml
+++ b/deployment/roles/hydra_server/tasks/main.yml
@@ -71,7 +71,7 @@
       ansible.builtin.command:
         cmd: "mkcert -cert-file {{ hydra_cert_temp_dir.path }}/hydra.pem -key-file {{ hydra_cert_temp_dir.path }}/hydra.key.pem {{ oidc_urls.hydra_admin.host }} {{ oidc_urls.hydra_public.host }}"
       environment:
-        CAROOT: "{{ mkcert_caroot | default(omit) }}"
+        CAROOT: "{{ mkcert_caroot | default('') }}"
 
     - name: Move Hydra certificate and key to target
       ansible.builtin.copy:
@@ -107,3 +107,9 @@
     group: root
     mode: "0640"
   notify: hydra_systemd_reload
+
+- name: Ensure service is started
+  ansible.builtin.systemd:
+    state: started
+    name: hydra
+    enabled: true
diff --git a/deployment/roles/oidc_demo_application/tasks/main.yml b/deployment/roles/oidc_demo_application/tasks/main.yml
index ee72e82..9648785 100644
--- a/deployment/roles/oidc_demo_application/tasks/main.yml
+++ b/deployment/roles/oidc_demo_application/tasks/main.yml
@@ -73,7 +73,7 @@
       ansible.builtin.command:
         cmd: "mkcert -cert-file {{ demoapp_cert_temp_dir.path }}/demoapp.pem -key-file {{ demoapp_cert_temp_dir.path }}/demoapp.key.pem {{ oidc_urls.demoapp.host }}"
       environment:
-        CAROOT: "{{ mkcert_caroot | default(omit) }}"
+        CAROOT: "{{ mkcert_caroot | default('') }}"
 
     - name: Move demo application certificate and key to target
       ansible.builtin.copy:
@@ -163,5 +163,11 @@
     dest: /etc/systemd/system/cacert-demoapp.service
     owner: root
     group: root
-    mode: "0640"
+    mode: "0644"
   notify: demoapp_systemd_reload
+
+- name: Ensure service is started
+  ansible.builtin.systemd:
+    state: started
+    name: cacert-demoapp
+    enabled: true
diff --git a/deployment/roles/oidc_idp/tasks/main.yml b/deployment/roles/oidc_idp/tasks/main.yml
index e272c2c..2ac8d2e 100644
--- a/deployment/roles/oidc_idp/tasks/main.yml
+++ b/deployment/roles/oidc_idp/tasks/main.yml
@@ -51,7 +51,7 @@
       ansible.builtin.command:
         cmd: "mkcert -cert-file {{ idp_cert_temp_dir.path }}/idp.pem -key-file {{ idp_cert_temp_dir.path }}/idp.key.pem {{ oidc_urls.idp.host }}"
       environment:
-        CAROOT: "{{ mkcert_caroot | default(omit) }}"
+        CAROOT: "{{ mkcert_caroot | default('') }}"
 
     - name: Move IDP certificate and key to target
       ansible.builtin.copy:
@@ -120,5 +120,11 @@
     dest: /etc/systemd/system/cacert-idp.service
     owner: root
     group: root
-    mode: "0640"
+    mode: "0644"
   notify: idp_systemd_reload
+
+- name: Ensure service is started
+  ansible.builtin.systemd:
+    state: started
+    name: cacert-idp
+    enabled: true
diff --git a/deployment/roles/prepare_devtools/tasks/main.yml b/deployment/roles/prepare_devtools/tasks/main.yml
index d546510..0910e4e 100644
--- a/deployment/roles/prepare_devtools/tasks/main.yml
+++ b/deployment/roles/prepare_devtools/tasks/main.yml
@@ -19,7 +19,7 @@
       ansible.builtin.command:
         cmd: "mkcert -install"
       environment:
-        CAROOT: "{{ mkcert_caroot | default(omit) }}"
+        CAROOT: "{{ mkcert_caroot | default('') }}"
       changed_when: false
 
   become: false