diff --git a/os_cloud_config/keystone.py b/os_cloud_config/keystone.py
index 78be854..55bd483 100644
--- a/os_cloud_config/keystone.py
+++ b/os_cloud_config/keystone.py
@@ -137,7 +137,7 @@ def initialize(host, admin_token, admin_email, admin_password,
     :param pki_setup: Boolean for running pki_setup conditionally
     """
 
-    keystone_v2 = _create_admin_client_v2(host, admin_token, ssl, public)
+    keystone_v2 = _create_admin_client_v2(host, admin_token, public)
     keystone_v3 = _create_admin_client_v3(host, admin_token, ssl, public)
 
     _create_roles(keystone_v2, timeout, poll_interval)
@@ -162,7 +162,7 @@ def initialize_for_swift(host, admin_token, ssl=None, public=None):
     """
     LOG.warn('This function is deprecated.')
 
-    keystone = _create_admin_client_v2(host, admin_token, ssl, public)
+    keystone = _create_admin_client_v2(host, admin_token, public)
 
     LOG.debug('Creating swiftoperator role.')
     keystone.roles.create('swiftoperator')
@@ -392,7 +392,7 @@ def _create_user_for_service(keystone, name, password):
             keystone.roles.add_user_role(user, admin_role, admin_tenant)
 
 
-def _create_admin_client_v2(host, admin_token, ssl=None, public=None):
+def _create_admin_client_v2(host, admin_token, public=None):
     """Create Keystone v2 client for admin endpoint.
 
     :param host: ip/hostname of node where Keystone is running
@@ -403,7 +403,7 @@ def _create_admin_client_v2(host, admin_token, ssl=None, public=None):
     """
     # It may not be readily obvious that admin v2 is never available
     # via https. The SSL parameter is just the DNS name to use.
-    admin_url = 'http://%s:35357/v2.0' % (ssl or public or host)
+    admin_url = 'http://%s:35357/v2.0' % (public or host)
     return ksclient_v2.Client(endpoint=admin_url, token=admin_token)
 
 
@@ -416,8 +416,10 @@ def _create_admin_client_v3(host, admin_token, ssl=None, public=None):
     :param public: ip/hostname to use as the public endpoint, if default is
         not suitable
     """
-    admin_url = '%s://%s:35357/v3' % ('https' if ssl else 'http', ssl or
-                                      public or host)
+    # TODO(bnemec): This should respect the ssl parameter, but right now we
+    # don't support running the admin endpoint behind ssl.  Once that is
+    # fixed, this should use ssl when available.
+    admin_url = '%s://%s:35357/v3' % ('http', public or host)
     return ksclient_v3.Client(endpoint=admin_url, token=admin_token)