diff --git a/CHANGELOG b/CHANGELOG
index 538bd51..f8824ec 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,12 +1,17 @@
+2015-12-18 Release 0.1.4
+- bugfix: make sure intermediate ca certificates are correctly placed in bundle
+- bugfix: make sure dh parameters are created
+- bugfix: notify service if pem files change
+
 2015-12-18 Release 0.1.3
 - bugfix: using multiple pem-files failed. Tests added.
 
 2015-12-18 Release 0.1.2
 - relax too-strict validation of strings containing keys and certificates
 
 2015-12-11 Release 0.1.1
 - fix versioned dependency on puppetlabs-stdlib in metadata
 - fix documentation errors and nits
 
 2015-12-11 Release 0.1.0
 - initial release
diff --git a/manifests/config.pp b/manifests/config.pp
index 006bc91..39c2553 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -1,58 +1,58 @@ # == Class hitch::config # # This class is called from hitch for service config. # class hitch::config { validate_absolute_path($::hitch::config_root) validate_absolute_path($::hitch::config_file) validate_absolute_path($::hitch::dhparams_file) if $::hitch::dhparams_content { validate_re($::hitch::dhparams_content, 'BEGIN DH PARAMETERS') } file { $::hitch::config_root: ensure => directory, recurse => true, purge => $::hitch::purge_config_root, owner => $::hitch::file_owner, group => $::hitch::group, mode => '0750', } concat { $::hitch::config_file: ensure => present, } if $::hitch::dhparams_content { file { $::hitch::dhparams_file: ensure => present, owner => $::hitch::file_owner, group => $::hitch::group, mode => '0640', content => $::hitch::dhparams_content, } } else { + exec { "${title} generate dhparams": + path => '/usr/local/bin:/usr/bin:/bin', + command => "openssl dhparam 2048 -out ${::hitch::dhparams_file}", + creates => $::hitch::dhparams_file, + } + -> file { $::hitch::dhparams_file: ensure => present, owner => $::hitch::file_owner, group => $::hitch::group, mode => '0640', } - -> - exec { "${title} generate dhparams": - path => '/usr/local/bin:/usr/bin:/bin', - command => "openssl dhparam 2048 -out ${::hitch::dhparams_file}", - creates => $::hitch::dhparams_file, - } } concat::fragment { "${title} config": content => template('hitch/hitch.conf.erb'), target => $::hitch::config_file, } create_resources('hitch::domain', $::hitch::domains) } diff --git a/manifests/domain.pp b/manifests/domain.pp index 0db3373..c472a3b 100644 --- a/manifests/domain.pp +++ b/manifests/domain.pp 
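Review bot: The added `exec { "${title} generate dhparams": ... }` has no `timeout`, so it runs under Puppet's default exec timeout of 300 seconds; generating 2048-bit DH parameters can exceed that on slow or entropy-starved hosts, in which case the exec fails, the dependent `file { $::hitch::dhparams_file: }` is skipped and every run errors until generation happens to finish in time. Adding `timeout => 0,` (or a generous value) to the exec, with a comment such as `# dhparam generation can take minutes; do not time out`, avoids that. It is also worth verifying that the target OpenSSL accepts the option order `openssl dhparam 2048 -out FILE`; the documented form puts the bit size last, `command => "openssl dhparam -out ${::hitch::dhparams_file} 2048",`, and if `-out` were ever ignored the parameters would go to stdout while the following `file { ... ensure => present }` would create an empty dhparams file that satisfies `creates` on later runs and hides the failure.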
@@ -1,123 +1,129 @@ # == Define hitch::domain # # This define installs pem files to the config root, and configures # them in the hitch config file # define hitch::domain ( $ensure = present, $cacert_content = undef, $cacert_source = undef, $cert_content = undef, $cert_source = undef, $dhparams_content = undef, $dhparams_source = undef, $key_content = undef, $key_source = undef, ) { # Parameter validation validate_re($ensure, ['^present$', '^absent$']) # Exactly one of $key_source and $key_content if ($key_content and $key_source) or (! $key_content and ! $key_source) { fail("Hitch::Domain[${title}]: Please provide key_source or key_domain") } if $key_content { validate_re($key_content, 'PRIVATE KEY') + $_key_content="${key_content}\n" } # Exactly one of $cert_content and $cert_source if ($cert_content and $cert_source) or (!$cert_content and !$cert_source) { fail("Hitch::Domain[${title}]: Please provide cert_source or cert_domain") } if $cert_content { validate_re($cert_content, 'CERTIFICATE') + $_cert_content="${cert_content}\n" } # One or zero of $cacert_content or $cacert_source if ($cacert_content and $cacert_source) { fail("Hitch::Domain[${title}]: Please do not specify both cacert_source and cacert_domain") } if $cacert_content { validate_re($cacert_content, 'CERTIFICATE') + $_cacert_content="${cacert_content}\n" } # One of $dhparams_content or $dhparams_source, with fallback to # $::hitch::dhparams_file if ($dhparams_content and $dhparams_source) { fail("Hitch::Domain[${title}]: Please do not specify both dhparams_source and dhparams_domain") } if $dhparams_content { validate_re($dhparams_content, 'DH PARAMETERS') + $_dhparams_content="${dhparams_content}\n" } include ::hitch include ::hitch::config $config_file = $::hitch::config_file validate_absolute_path($config_file) $pem_file="${::hitch::config_root}/${title}.pem" validate_absolute_path($pem_file) # Add a line to the hitch config file concat::fragment { "hitch::domain ${title}": target => 
$config_file, content => "pem-file = \"${pem_file}\"\n", + notify => Class['hitch::service'], } # Create the pem file, with (optional) ca certificate chain, a # certificate, a key, and finally the dh parameters concat { $pem_file: ensure => $ensure, mode => '0640', owner => $::hitch::file_owner, group => $::hitch::group, + notify => Class['hitch::service'], } - if ($cacert_content or $cacert_source) { - concat::fragment {"${title} cacert": - content => $cacert_content, - source => $cacert_source, - target => $pem_file, - order => '01', - } + concat::fragment {"${title} key": + content => $_key_content, + source => $key_source, + target => $pem_file, + order => '01', } concat::fragment {"${title} cert": - content => $cert_content, + content => $_cert_content, source => $cert_source, target => $pem_file, order => '02', } - concat::fragment {"${title} key": - content => $key_content, - source => $key_source, - target => $pem_file, - order => '03', + if ($cacert_content or $cacert_source) { + concat::fragment {"${title} cacert": + content => $_cacert_content, + source => $cacert_source, + target => $pem_file, + order => '03', + } } if ! $dhparams_content { if $dhparams_source { $_dhparams_source = $dhparams_source } else { $_dhparams_source = $::hitch::dhparams_file File[$::hitch::dhparams_file] -> Concat::Fragment["${title} dhparams"] } } if ($dhparams_content or $_dhparams_source) { concat::fragment {"${title} dhparams": - content => $dhparams_content, + content => $_dhparams_content, source => $_dhparams_source, target => $pem_file, order => '04', } } } diff --git a/metadata.json b/metadata.json index 473636c..2844163 100644 --- a/metadata.json +++ b/metadata.json 
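Review bot: The trailing newline appended via `$_key_content`, `$_cert_content`, `$_cacert_content` and `$_dhparams_content` only fixes the `*_content` path; a fragment delivered through `key_source`, `cert_source`, `cacert_source` or `dhparams_source` whose file lacks a final newline is still concatenated directly onto the next fragment's `-----BEGIN` line, producing a pem file hitch cannot parse. If the pinned puppetlabs-concat version supports it, `ensure_newline => true,` on the `concat { $pem_file: ... }` resource covers both paths uniformly; otherwise the source path needs equivalent handling. Since the 0640 pem file now carries the private key as its first fragment, it is also worth confirming that concat's fragment staging copies of that key are not created with a more permissive mode than the assembled file. The new key, cert, cacert, dhparams order itself looks consistent with the bundle layout hitch documents, so no change is needed there.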
@@ -1,34 +1,34 @@ { "name": "ssm-hitch", - "version": "0.1.3", + "version": "0.1.4", "author": "ssm", "summary": "Install and configure Hitch TLS proxy", "license": "Apache-2.0", "source": "https://github.com/ssm/ssm-hitch.git", "project_page": "https://github.com/ssm/ssm-hitch", "issues_url": "https://github.com/ssm/ssm-hitch/issues", "dependencies": [ { "name": "puppetlabs-stdlib", "version_requirement": ">= 4.0.0" }, { "name": "puppetlabs-concat", "version_requirement": ">= 1.0.0 <= 2.0.0" } ], "operatingsystem_support": [ { "operatingsystem": "Debian", "operatingsystemrelease": [ "8" ] }, { "operatingsystem": "RedHat", "operatingsystemrelease": [ "7" ] } ] }