diff --git a/group_vars/all.example b/group_vars/all.example index 8b889e6..6f86879 100644 --- a/group_vars/all.example +++ b/group_vars/all.example @@ -78,3 +78,7 @@ unified_agent_home: /opt/ydb/unified_agent ydb_congestion_setting: htcp # Optional module to load the congestion control algorithm ydb_congestion_module: tcp_htcp + +# Should only be defined when YDB cluster extension is performed. +# Must not be defined during the initial cluster setup. +# ydb_cluster_extension: true diff --git a/roles/ydbd/tasks/main.yml b/roles/ydbd/tasks/main.yml index a249b70..5e1c869 100644 --- a/roles/ydbd/tasks/main.yml +++ b/roles/ydbd/tasks/main.yml @@ -46,12 +46,20 @@ state: present - name: Copy the thp-config.sh script - copy: src=thp-config.sh dest=/usr/local/bin/ydbd-thp-config.sh + copy: + src: thp-config.sh + dest: /usr/local/bin/ydbd-thp-config.sh + owner: root + group: bin + mode: '0755' - name: Generate the THP service files template: src: thp-service.j2 dest: "/etc/systemd/system/ydb-hugepages.service" + owner: root + group: root + mode: '0644' - name: Refresh systemd services configuration ansible.builtin.systemd: @@ -74,6 +82,9 @@ template: src: network-modules.j2 dest: /etc/modules-load.d/50-ydbd.conf + owner: root + group: root + mode: '0644' - name: Load the {{ ydb_congestion_module }} module command: "/sbin/modprobe {{ ydb_congestion_module }}" when: ydb_congestion_module is defined @@ -82,10 +93,16 @@ template: src: kernel-settings.j2 dest: /etc/sysctl.d/50-ydbd.conf + owner: root + group: root + mode: '0644' - name: Refresh the current sysctl settings command: "/sbin/sysctl --system" +- name: Create the YDB base directory + file: state=directory path={{ ydb_dir }} group=bin owner=root mode='0755' + - name: Create the ydb group group: name=ydb system=true 
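Review bot: The new `Create the YDB base directory` task in roles/ydbd/tasks/main.yml is written in the `key=value` string form (`file: state=directory path={{ ydb_dir }} group=bin owner=root mode='0755'`) while the tasks this same commit touches just above it are converted to block-mapping arguments with quoted modes. Mixing the two forms in one file makes ownership/mode review harder and is what the conversion elsewhere in the commit is trying to get rid of. The same task would read consistently as:

```yaml
- name: Create the YDB base directory
  file:
    state: directory
    path: "{{ ydb_dir }}"
    owner: root
    group: bin
    mode: '0755'
```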
@@ -101,19 +118,19 @@ owner: ydb - name: Create the YDB release directory - file: state=directory path={{ ydb_dir }}/release group=bin owner=root mode='755' + file: state=directory path={{ ydb_dir }}/release group=bin owner=root mode='0755' - name: Create the YDB configuration directory - file: state=directory path={{ ydb_dir }}/cfg group=bin owner=root mode='755' + file: state=directory path={{ ydb_dir }}/cfg group=bin owner=root mode='0755' - name: Create the YDB audit base directory - file: state=directory path={{ ydb_dir }}/audit group=ydb owner=ydb mode='700' + file: state=directory path={{ ydb_dir }}/audit group=ydb owner=ydb mode='0700' - name: Create the YDB certs directory - file: state=directory path={{ ydb_dir }}/certs group=ydb owner=ydb mode='700' + file: state=directory path={{ ydb_dir }}/certs group=ydb owner=ydb mode='0700' - name: Create the YDB configuration backup directory - file: state=directory path={{ ydb_dir }}/reserve group=ydb owner=ydb mode='700' + file: state=directory path={{ ydb_dir }}/reserve group=ydb owner=ydb mode='0700' - name: Create the YDB server binary directory file: state=directory @@ -121,6 +138,7 @@ recurse=true group=bin owner=root + mode='0755' - name: Install the YDB server binary package ansible.builtin.unarchive: @@ -144,7 +162,7 @@ force=yes - name: Create the YDB CLI default binary directory - file: state=directory path={{ ydb_dir }}/home/ydb/bin recurse=true group=ydb owner=ydb mode='700' + file: state=directory path={{ ydb_dir }}/home/ydb/bin recurse=true group=ydb owner=ydb mode='0700' - name: Disable YDB CLI version checks - copy: src=ydb-cli-config.json dest={{ ydb_dir }}/home/ydb/bin/config.json group=ydb owner=ydb + copy: src=ydb-cli-config.json dest={{ ydb_dir }}/home/ydb/bin/config.json group=ydb owner=ydb mode='0644' diff --git a/roles/ydbd_config/tasks/main.yml b/roles/ydbd_config/tasks/main.yml index 8c74d72..7579fa6 100644 --- a/roles/ydbd_config/tasks/main.yml +++ b/roles/ydbd_config/tasks/main.yml 
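Review bot: Adding `mode='0755'` to a `file: state=directory` task that also carries `recurse=true` applies 0755 to every file already under the directory on each run, not only to the directory itself, so after the `Install the YDB server binary package` unarchive that follows, every extracted file (libraries and data files included) gets the executable bit and any tighter mode set by the archive is widened on the next playbook run. If the intent is only to make the directory traversable, drop `recurse=true` from this task and let unarchive keep the archive's own modes; if recursion is wanted, use the symbolic form `mode='u=rwX,g=rX,o=rX'` so `X` adds execute only to directories and already-executable files. The task's `path=` line is above the hunk, so I cannot confirm which directory this is.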
@@ -2,10 +2,10 @@ # ydbd configuration - name: Add the configuration backup script - template: src=backup_config.j2 dest={{ ydb_dir }}/home/backup_config.sh mode='755' + template: src=backup_config.j2 dest={{ ydb_dir }}/home/backup_config.sh group=ydb owner=ydb mode='0755' - name: Add the configuration file updater script - template: src=update_config_file.j2 dest={{ ydb_dir }}/home/update_config_file.sh mode='755' + template: src=update_config_file.j2 dest={{ ydb_dir }}/home/update_config_file.sh group=ydb owner=ydb mode='0755' # ydb_config_backup is passed via extra vars, generated as "date '+%Y-%m-%d_%H-%M-%S'" - name: Backup the existing configuration files diff --git a/roles/ydbd_dynamic/tasks/main.yml b/roles/ydbd_dynamic/tasks/main.yml index 9828a88..9e5d43e 100644 --- a/roles/ydbd_dynamic/tasks/main.yml +++ b/roles/ydbd_dynamic/tasks/main.yml @@ -1,17 +1,38 @@ --- # ydbd dynamic node deployment -- name: Create the dynamic node startup script - template: src=wait_dynamic.j2 dest={{ ydb_dir }}/home/wait_dynamic.sh mode='755' +- name: Create the YDB audit base directory + file: + state: directory + path: "{{ ydb_dir }}/audit" + group: ydb + owner: ydb + mode: '0700' - name: Create the YDB audit directories for database nodes - file: state=directory path={{ ydb_dir }}/audit/{{ ydb_dbname }}-{{ item.instance }} group=ydb owner=ydb mode='700' + file: + state: directory + path: "{{ ydb_dir }}/audit/{{ ydb_dbname }}-{{ item.instance }}" + group: ydb + owner: ydb + mode: '0700' loop: "{{ ydb_dynnodes }}" +- name: Create the dynamic node startup wait script + template: + src: wait_dynamic.j2 + dest: "{{ ydb_dir }}/home/wait_dynamic.sh" + group: ydb + owner: ydb + mode: '0755' + - name: Generate the dynamic node service files template: src: dynnode-service.j2 dest: "/etc/systemd/system/ydbd-{{ ydb_dbname }}-{{ item.instance }}.service" + owner: root + group: root + mode: '0644' loop: "{{ ydb_dynnodes }}" - name: Refresh systemd services configuration 
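Review bot: `backup_config.sh` and `update_config_file.sh` are now rendered with `owner: ydb` and `mode: '0755'`, so the service account can rewrite them; that is only safe if they are always executed as `ydb`. The hunk does not show how they are invoked — if either is run with `become: true` as root, a compromised ydb process could edit the script and gain root on the next playbook run. If they need root, keep them `owner: root group: root mode: '0755'` (ydb can still read and execute them); if they are meant to run unprivileged, a comment on the task such as `# owned by ydb on purpose: executed unprivileged as the ydb account` makes the choice deliberate.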
@@ -25,7 +46,12 @@ loop: "{{ ydb_dynnodes }}" - name: Transfer the secrets - copy: src=secret dest={{ ydb_dir }}/certs/secret + copy: + src: secret + dest: "{{ ydb_dir }}/certs/secret" + group: ydb + owner: ydb + mode: '0700' - name: Wait for the dynamic nodes availability command: "{{ ydb_dir }}/home/wait_dynamic.sh {{ inventory_hostname }} {{ 2136 + item.offset }} {{ ydb_dbname }}" diff --git a/roles/ydbd_init/tasks/main.yml b/roles/ydbd_init/tasks/main.yml index 1693569..0ac8b8a 100644 --- a/roles/ydbd_init/tasks/main.yml +++ b/roles/ydbd_init/tasks/main.yml @@ -1,6 +1,14 @@ --- # ydbd storage initialization +- name: Add the disk formatting script + template: + src: safe_format.j2 + dest: "{{ ydb_dir }}/home/safe_format.sh" + group: ydb + owner: ydb + mode: '0755' + - name: Execute disk formatting command: "{{ ydb_dir }}/home/safe_format.sh {{ item['name'] }} {{ item['label'] }}" with_items: "{{ ydb_disks }}" @@ -11,6 +19,20 @@ name: ydbd-storage any_errors_fatal: true +- name: Cleanup the secrets + file: + path: "{{ ydb_dir }}/certs/secret" + state: absent + +- name: Transfer the secrets + copy: + src: secret + dest: "{{ ydb_dir }}/certs/secret" + group: ydb + owner: ydb + mode: '0700' + when: ydb_cluster_extension is defined + - name: Wait for storage node startup command: "{{ ydb_dir }}/home/wait_initial.sh {{ inventory_hostname }}" become: true @@ -19,6 +41,21 @@ - name: Initial YDB cluster setup block: + - name: Add the storage initialization script + template: + src: init_storage.j2 + dest: "{{ ydb_dir }}/home/init_storage.sh" + group: ydb + owner: ydb + mode: '0755' + - name: Add the password initialization script + template: + src: init_password.j2 + dest: "{{ ydb_dir }}/home/init_password.sh" + group: ydb + owner: ydb + mode: '0755' + when: ydb_cluster_extension is undefined - name: Initialize the YDB storage command: "{{ ydb_dir }}/home/init_storage.sh {{ inventory_hostname }}" become: true 
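Review bot: `mode: '0700'` on the `Transfer the secrets` copy in roles/ydbd_dynamic/tasks/main.yml sets the execute bit on a password file; for a regular file that the scripts only read (create_database.j2 uses it as `PASSFILE`), `mode: '0600'` is the right restriction and states the intent. The same `'0700'` is used on every `Transfer the secrets` task in this commit (ydbd_init, ydbd_newdb, the rolling and upgrade roles), so the change should be applied to all of them. Owner and group `ydb` are appropriate given the scripts that consume it run as `ydb`.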
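Review bot: `safe_format.sh` is rendered with `owner: ydb` and `mode: '0755'`, so the unprivileged service account can modify a script that formats disks; the `Execute disk formatting` task that runs it follows immediately, but its `become`/`become_user` keys are outside the hunk, and formatting block devices normally requires root. If it does run as root, a compromised ydb process can replace the script body and escalate on the next playbook run — render it as `owner: root group: root mode: '0755'` instead (ydb can still read it, while the initialisation scripts that genuinely run as `ydb` can keep ydb ownership). A comment on the task would make this explicit either way, e.g. `# root-owned on purpose: executed privileged by the disk formatting task`.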
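Review bot: `when: ydb_cluster_extension is defined` on the new `Transfer the secrets` task (and the matching `is undefined` tests later in this file) keys the extension path on whether the variable exists rather than on its value, so a user who writes `ydb_cluster_extension: false` in group_vars to document a fresh install silently gets the extension behaviour, with the password setup skipped. Testing the value still honours the "leave it undefined" contract from all.example and is safer: `when: ydb_cluster_extension | default(false) | bool` here, and `when: not (ydb_cluster_extension | default(false) | bool)` on the undefined-gated tasks. Note also that this transfer runs before `Wait for storage node startup`, so in the extension path the password file sits on disk for the entire wait; the corresponding cleanup is outside this hunk, so I cannot confirm it still runs if the wait fails.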
@@ -28,11 +65,18 @@ become: true become_user: ydb - name: Transfer the secrets - copy: src=secret dest={{ ydb_dir }}/certs/secret + copy: + src: secret + dest: "{{ ydb_dir }}/certs/secret" + group: ydb + owner: ydb + mode: '0700' + when: ydb_cluster_extension is undefined - name: Set the initial cluster password command: "{{ ydb_dir }}/home/init_password.sh {{ inventory_hostname }}" become: true become_user: ydb + when: ydb_cluster_extension is undefined run_once: true - name: Cleanup the transferred secrets diff --git a/roles/ydbd_static/templates/init_password.j2 b/roles/ydbd_init/templates/init_password.j2 similarity index 100% rename from roles/ydbd_static/templates/init_password.j2 rename to roles/ydbd_init/templates/init_password.j2 diff --git a/roles/ydbd_static/templates/init_storage.j2 b/roles/ydbd_init/templates/init_storage.j2 similarity index 100% rename from roles/ydbd_static/templates/init_storage.j2 rename to roles/ydbd_init/templates/init_storage.j2 diff --git a/roles/ydbd_static/templates/safe_format.j2 b/roles/ydbd_init/templates/safe_format.j2 similarity index 100% rename from roles/ydbd_static/templates/safe_format.j2 rename to roles/ydbd_init/templates/safe_format.j2 diff --git a/roles/ydbd_newdb/tasks/main.yml b/roles/ydbd_newdb/tasks/main.yml index b332305..56b4500 100644 --- a/roles/ydbd_newdb/tasks/main.yml +++ b/roles/ydbd_newdb/tasks/main.yml 
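Review bot: In the `Initial YDB cluster setup` block, `when: ydb_cluster_extension is undefined` is added only once, after `Add the password initialization script`, while `Initialize the YDB storage` (which runs `init_storage.sh` as `ydb` right after it) carries no guard; as far as the collapsed indentation lets me tell, the guard belongs to the password-script task alone, so storage initialisation is executed again against an already-initialised cluster when the extension flag is set. `init_storage.j2` is moved with similarity 100% in this commit, so the script itself cannot be checking the new variable. Unless re-running it is known to be harmless, add `when: ydb_cluster_extension is undefined` to `Initialize the YDB storage` too, with a one-line comment such as `# skipped during cluster extension: storage is already initialised`. The block continues outside the hunk.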
@@ -3,10 +3,22 @@ - name: YDB database creation block: + - name: Add the database creation script + template: + src: create_database.j2 + dest: "{{ ydb_dir }}/home/create_database.sh" + group: ydb + owner: ydb + mode: '0755' - name: Transfer the secrets - copy: src=secret dest={{ ydb_dir }}/certs/secret + copy: + src: secret + dest: "{{ ydb_dir }}/certs/secret" + group: ydb + owner: ydb + mode: '0700' - name: Run the database creation script - command: "{{ ydb_dir }}/home/create_database.sh {{ inventory_hostname }} {{ ydb_dbname }} {{ ydb_default_groups }}" + command: "{{ ydb_dir }}/home/create_database.sh {{ inventory_hostname }} {{ ydb_dbname }} {{ ydb_pool_kind }} {{ ydb_default_groups }}" become: true become_user: ydb - name: Cleanup the transferred secrets diff --git a/roles/ydbd_static/templates/create_database.j2 b/roles/ydbd_newdb/templates/create_database.j2 similarity index 96% rename from roles/ydbd_static/templates/create_database.j2 rename to roles/ydbd_newdb/templates/create_database.j2 index e93a2fc..46d49c0 100644 --- a/roles/ydbd_static/templates/create_database.j2 +++ b/roles/ydbd_newdb/templates/create_database.j2 @@ -3,6 +3,7 @@ # Parameters: # * static node fqdn # * database name +# * storage pool name # * initial number of storage groups set +e @@ -10,12 +11,12 @@ set +u DB_ENDPOINT=grpcs://"$1":2135 DB_DOMAIN=/{{ ydb_domain }} -DB_POOL={{ ydb_pool_kind }} CAFILE={{ ydb_dir }}/certs/ca.crt TOKEN={{ ydb_dir }}/home/ydbd-token-file PASSFILE={{ ydb_dir }}/certs/secret DB_NAME="$2" -DB_GROUPS="$3" +DB_POOL="$3" +DB_GROUPS="$4" LD_LIBRARY_PATH={{ ydb_dir }}/lib export LD_LIBRARY_PATH diff --git a/roles/ydbd_rolling_dynamic/tasks/restart_dynamic.yml b/roles/ydbd_rolling_dynamic/tasks/restart_dynamic.yml index 1ab2307..d88fcaa 100644 --- a/roles/ydbd_rolling_dynamic/tasks/restart_dynamic.yml +++ b/roles/ydbd_rolling_dynamic/tasks/restart_dynamic.yml 
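Review bot: `Cleanup the transferred secrets` follows `Run the database creation script` as a plain task in the `YDB database creation` block, so if the creation script fails the block aborts before the cleanup and `{{ ydb_dir }}/certs/secret` is left on the node. Moving the cleanup task into an `always:` section of the block guarantees the password file is removed on both success and failure; the `Initial YDB cluster setup` block in ydbd_init has the same shape and would benefit from the same change. The end of the block is outside this hunk, so I cannot see whether an `always:` already exists further down.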
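Review bot: Moving the pool name to `$3` and the group count to `$4` changes the script's positional interface, and because it runs under `set +u` (visible at the top of the hunk) a caller still using the old three-argument form gets an empty `DB_GROUPS` and the group count as the pool name without any error; the role's command line was updated in this commit, but nothing protects against a stale caller. An explicit argument check right after the parameter comment fails fast with a clear message: `[ "$#" -eq 4 ] || { echo "usage: $0 <static-node-fqdn> <db-name> <pool-kind> <groups>" >&2; exit 1; }`. The part of the script that consumes `DB_POOL` and `DB_GROUPS` is outside the hunk.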
@@ -12,7 +12,12 @@ any_errors_fatal: true - name: Transfer the secrets to {{ dynnode_name }} - copy: src=secret dest={{ ydb_dir }}/certs/secret + copy: + src: secret + dest: "{{ ydb_dir }}/certs/secret" + group: ydb + owner: ydb + mode: '0700' delegate_to: "{{ dynnode_name }}" delegate_facts: true any_errors_fatal: true diff --git a/roles/ydbd_rolling_static/tasks/restart_static.yml b/roles/ydbd_rolling_static/tasks/restart_static.yml index d4e3d10..0ef081d 100644 --- a/roles/ydbd_rolling_static/tasks/restart_static.yml +++ b/roles/ydbd_rolling_static/tasks/restart_static.yml @@ -10,7 +10,12 @@ any_errors_fatal: true - name: Transfer the secrets - copy: src=secret dest={{ ydb_dir }}/certs/secret + copy: + src: secret + dest: "{{ ydb_dir }}/certs/secret" + group: ydb + owner: ydb + mode: '0700' delegate_to: "{{ snode_name }}" delegate_facts: true any_errors_fatal: true diff --git a/roles/ydbd_static/tasks/main.yml b/roles/ydbd_static/tasks/main.yml index 0171764..19cad46 100644 --- a/roles/ydbd_static/tasks/main.yml +++ b/roles/ydbd_static/tasks/main.yml 
@@ -1,31 +1,45 @@ --- # ydbd static node deployment -- name: Create the YDB audit directory for the storage node - file: state=directory path={{ ydb_dir }}/audit/storage group=ydb owner=ydb mode='700' - -- name: Generate the static node service files - template: - src: static-service.j2 - dest: "/etc/systemd/system/ydbd-storage.service" +- name: Create the YDB audit base directory + file: + state: directory + path: "{{ ydb_dir }}/audit" + group: ydb + owner: ydb + mode: '0700' -- name: Add the disk formatting script - template: src=safe_format.j2 dest={{ ydb_dir }}/home/safe_format.sh mode='755' +- name: Create the YDB audit directory for the storage node + file: + state: directory + path: "{{ ydb_dir }}/audit/storage" + group: ydb + owner: ydb + mode: '0700' - name: Add the static node startup wait script - template: src=wait_initial.j2 dest={{ ydb_dir }}/home/wait_initial.sh mode='755' + template: + src: wait_initial.j2 + dest: "{{ ydb_dir }}/home/wait_initial.sh" + group: ydb + owner: ydb + mode: '0755' - name: Add the storage recovery wait script - template: src=wait_normal.j2 dest={{ ydb_dir }}/home/wait_normal.sh mode='755' - -- name: Add the storage initialization script - template: src=init_storage.j2 dest={{ ydb_dir }}/home/init_storage.sh mode='755' - -- name: Add the password initialization script - template: src=init_password.j2 dest={{ ydb_dir }}/home/init_password.sh mode='755' + template: + src: wait_normal.j2 + dest: "{{ ydb_dir }}/home/wait_normal.sh" + group: ydb + owner: ydb + mode: '0755' -- name: Add the database creation script - template: src=create_database.j2 dest={{ ydb_dir }}/home/create_database.sh mode='755' +- name: Generate the static node service files + template: + src: static-service.j2 + dest: "/etc/systemd/system/ydbd-storage.service" + group: root + owner: root + mode: '0644' - name: Refresh systemd services configuration ansible.builtin.systemd: 
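Review bot: `Create the YDB audit base directory` is now defined three times with identical arguments — here in ydbd_static, in ydbd_dynamic in this same commit, and in the ydbd role, which already creates `{{ ydb_dir }}/audit` with `group=ydb owner=ydb mode='0700'`; if the three ever drift (say one is loosened to `0750` so an auditor group can read the logs) the last role to run silently wins. If every node runs the ydbd role first (the play is not in this diff), keeping the base-directory task there and leaving only the per-node subdirectories in ydbd_static and ydbd_dynamic removes the duplication. If the repetition is deliberate so each role can run standalone, a short comment on the task, `# duplicated from the ydbd role so this role can run on its own`, would stop the next reader from removing it.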
diff --git a/roles/ydbd_upgrade_dynamic/tasks/upgrade_dynamic.yml b/roles/ydbd_upgrade_dynamic/tasks/upgrade_dynamic.yml index 6f19c24..c12537f 100644 --- a/roles/ydbd_upgrade_dynamic/tasks/upgrade_dynamic.yml +++ b/roles/ydbd_upgrade_dynamic/tasks/upgrade_dynamic.yml @@ -52,7 +52,12 @@ any_errors_fatal: true - name: Transfer the secrets to {{ dynnode_name }} - copy: src=secret dest={{ ydb_dir }}/certs/secret + copy: + src: secret + dest: "{{ ydb_dir }}/certs/secret" + group: ydb + owner: ydb + mode: '0700' delegate_to: "{{ dynnode_name }}" delegate_facts: true any_errors_fatal: true diff --git a/roles/ydbd_upgrade_static/tasks/upgrade_static.yml b/roles/ydbd_upgrade_static/tasks/upgrade_static.yml index 375fa59..b64ed54 100644 --- a/roles/ydbd_upgrade_static/tasks/upgrade_static.yml +++ b/roles/ydbd_upgrade_static/tasks/upgrade_static.yml @@ -50,7 +50,12 @@ any_errors_fatal: true - name: Transfer the secrets - copy: src=secret dest={{ ydb_dir }}/certs/secret + copy: + src: secret + dest: "{{ ydb_dir }}/certs/secret" + group: ydb + owner: ydb + mode: '0700' delegate_to: "{{ snode_name }}" delegate_facts: true any_errors_fatal: true diff --git a/tls/ydb-ca-update.sh b/tls/ydb-ca-update.sh index 46703ad..c84699f 100755 --- a/tls/ydb-ca-update.sh +++ b/tls/ydb-ca-update.sh @@ -20,7 +20,7 @@ cat >ca.cnf <