diff --git a/docker_htcondor.yml b/docker_htcondor.yml
index f112d40..1e6cc49 100644
--- a/docker_htcondor.yml
+++ b/docker_htcondor.yml
@@ -60,6 +60,12 @@
       cleanup: True
       command: "condor_store_cred add -c -i /tmp/poolpw/poolpw"
 
+  - name: "remove tokens since pool password (cert) changed"
+    file:
+      path: "/container/volumes/{{item}}/tokens.d/condor@htc.local"
+      state: absent
+    with_items: [ "cm", "exec", "sub" ]
+
   always:
   - name: "remove temporary password store"
     file:
@@ -78,6 +84,26 @@
     dest: "/container/volumes/{{item}}/"
   with_items: [ "cm", "exec", "sub"]
 
+
+- name: "collect tokens to generate"
+  stat:
+    path: "/container/volumes/{{item}}/tokens.d/condor@htc.local"
+  with_items: [ "cm", "exec", "sub" ]
+  register: tokens_state
+
+- name: "generate tokens"
+  docker_container:
+    name: "condor-common"
+    image: htcondor
+    state: started
+    volumes:
+    - "/container/volumes/{{item}}/:/etc/condor/:rw"
+    detach: False
+    cleanup: True
+    command: "condor_token_create -identity condor@$(domainname) -token /etc/condor/tokens.d/condor@htc.local"
+  with_items: "{{tokens_state.results | rejectattr('stat.exists') | map(attribute='item') | list }}"
+
+
 - name: "create docker network to make service discovery work"
   docker_network:
     name: condor