diff --git a/docs/role-beats.md b/docs/role-beats.md
index 2f45e14f..73722a6c 100644
--- a/docs/role-beats.md
+++ b/docs/role-beats.md
@@ -10,7 +10,6 @@ Requirements
 You need to have the beats you want to install available in your software repositories. We provide a [role](./role-repos.md) for just that but if you have other ways of managing software, just make sure it's available. Alternatively you can install the Beats yourself.
-* `cryptography` >= 2.5
 * `community.crypto` collection: ansible-galaxy collection install community.crypto
 Role Variables
@@ -87,7 +86,6 @@ beats_filebeat_journald_inputs:
 * *beats_loglevel*: Level of logging (for all beats) (Default: `info`)
 * *beats_logpath*: If logging to file, where to put logfiles (Default: `/var/log/beats`)
 * *beats_fields*: Fields that are added to every input in the configuration
-* *beats_manage_unzip*: Install `unzip` via package manager (Default: `true`)
 The following variables only apply if you use this role together with our other Elastic Stack roles.
diff --git a/docs/role-elasticsearch.md b/docs/role-elasticsearch.md
index 2db6c39b..bfcdf3d1 100644
--- a/docs/role-elasticsearch.md
+++ b/docs/role-elasticsearch.md
@@ -9,11 +9,6 @@ If you use the role to set up security you, can use its CA to create certificate
 Please note that setting `elasticsearch_bootstrap_pw` as variable will only take effect when initialising Elasticsearch. Changes after starting elasticsearch for the first time will not change the bootstrap password for the instance and will lead to breaking tests.
-Requirements
--------------
-
-* `cryptography` >= 2.5
-
 Role Variables
 --------------
diff --git a/docs/role-kibana.md b/docs/role-kibana.md
index 28abf012..07d17653 100644
--- a/docs/role-kibana.md
+++ b/docs/role-kibana.md
@@ -5,11 +5,6 @@ Ansible Role: Kibana
 This roles installs and configures Kibana.
-Requirements
--------------
-
-* `cryptography` >= 2.5
-
 Role Variables
 --------------
diff --git a/docs/role-logstash.md b/docs/role-logstash.md
index 010dff1a..cf8f331e 100644
--- a/docs/role-logstash.md
+++ b/docs/role-logstash.md
@@ -19,7 +19,6 @@ Requirements
 ------------
 * `community.general` collection
-* `cryptography` >= 2.5
 You need to have the Elastic Repos configured on your system. You can use our [role](./role-repos.md)
diff --git a/roles/beats/defaults/main.yml b/roles/beats/defaults/main.yml
index 7f9550fc..5708617b 100644
--- a/roles/beats/defaults/main.yml
+++ b/roles/beats/defaults/main.yml
@@ -10,7 +10,6 @@ elasticstack_beats_port: 5044
 beats_logging: file
 beats_logpath: /var/log/beats
 beats_loglevel: info
-beats_manage_unzip: true
 # Use TLS without Elastic X-Pack
 #
diff --git a/roles/beats/tasks/beats-security.yml b/roles/beats/tasks/beats-security.yml
index 0a19489c..ef034ee3 100644
--- a/roles/beats/tasks/beats-security.yml
+++ b/roles/beats/tasks/beats-security.yml
@@ -1,11 +1,15 @@
 ---
-- name: Install unzip for certificate handling
+- name: Install packages for security tasks
 ansible.builtin.package:
- name: unzip
- when: beats_manage_unzip | bool
+ name:
+ - unzip
+ - python3-cryptography
+ - openssl
 tags:
+ - certificates
 - renew_ca
+ - renew_kibana_cert
 - renew_beats_cert
 - name: Ensure beats certificate exists
diff --git a/roles/elasticsearch/tasks/elasticsearch-security.yml b/roles/elasticsearch/tasks/elasticsearch-security.yml
index 65483fc3..7b3ac565 100644
--- a/roles/elasticsearch/tasks/elasticsearch-security.yml
+++ b/roles/elasticsearch/tasks/elasticsearch-security.yml
@@ -1,5 +1,17 @@
 ---
+- name: Install packages for security tasks
+ ansible.builtin.package:
+ name:
+ - unzip
+ - python3-cryptography
+ - openssl
+ tags:
+ - certificates
+ - renew_ca
+ - renew_kibana_cert
+ - renew_es_cert
+
 - name: Set elasticstack_ca variable if not already done by user
 ansible.builtin.set_fact:
 elasticstack_ca: "{{ groups['elasticsearch'][0] }}"
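Review bot: Dropping `when: beats_manage_unzip | bool` from the install task in roles/beats/tasks/beats-security.yml, together with the default in roles/beats/defaults/main.yml, removes the only switch that kept this role from invoking the package manager, and the task now installs three packages instead of one. Hosts whose packages are provisioned by other means (hardened or offline images) will either fail at this task or be modified by it. I would keep an opt-out on the new task, for example the existing `when: beats_manage_unzip | bool` or a renamed switch documented in docs/role-beats.md. The `renew_kibana_cert` tag added to this beats task also looks copied from another role, so a run limited to that tag would install packages on beats hosts; please confirm it is intended.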
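Review bot: The task added at the top of roles/elasticsearch/tasks/elasticsearch-security.yml installs `python3-cryptography` with the default package state, so whatever version is already present is accepted, while the same commit deletes the documented `cryptography` >= 2.5 requirement; nothing now states or checks the minimum the certificate tasks rely on. The distribution package also only helps when the interpreter Ansible uses on the host is the system python3, which is presumably the case but is not visible in this hunk. I would add a comment above the task such as `# python3-cryptography is needed by the certificate tasks; requires cryptography >= 2.5 for the system python3` and keep the version note in the role docs. The same task appears in beats-security.yml, kibana-security.yml and logstash-security.yml.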
diff --git a/roles/kibana/tasks/kibana-security.yml b/roles/kibana/tasks/kibana-security.yml
index d7058afb..4bb14fbd 100644
--- a/roles/kibana/tasks/kibana-security.yml
+++ b/roles/kibana/tasks/kibana-security.yml
@@ -1,8 +1,11 @@
 ---
-- name: Make sure openssl is installed
+- name: Install packages for security tasks
 ansible.builtin.package:
- name: openssl
+ name:
+ - unzip
+ - python3-cryptography
+ - openssl
 tags:
 - certificates
 - renew_ca
diff --git a/roles/logstash/tasks/logstash-security.yml b/roles/logstash/tasks/logstash-security.yml
index f0cae832..330d6a20 100644
--- a/roles/logstash/tasks/logstash-security.yml
+++ b/roles/logstash/tasks/logstash-security.yml
@@ -1,8 +1,11 @@
 ---
-- name: Install unzip for certificate handling
+- name: Install packages for security tasks
 ansible.builtin.package:
- name: unzip
+ name:
+ - unzip
+ - python3-cryptography
+ - openssl
 tags:
 - certificates
 - renew_ca
@@ -383,7 +386,7 @@
 - name: Create logstash password hash salt
 ansible.builtin.copy:
- content: "{{ lookup('password', '/dev/null', chars=['ascii_lowercase', 'digits'], length=logstash_password_hash_salt_length, seed=logstash_password_hash_salt_seed)}}"
+ content: "{{ lookup('password', '/dev/null', chars=['ascii_lowercase', 'digits'], length=logstash_password_hash_salt_length, seed=logstash_password_hash_salt_seed) }}"
 dest: /root/logstash_password_hash_salt
 owner: root
 group: root