diff --git a/ironic_python_agent/agent.py b/ironic_python_agent/agent.py
index 6dd62c5d1..ec520cd63 100644
--- a/ironic_python_agent/agent.py
+++ b/ironic_python_agent/agent.py
@@ -133,7 +133,8 @@ class IronicPythonAgentHeartbeater(threading.Thread):
         try:
             self.api.heartbeat(
                 uuid=self.agent.get_node_uuid(),
-                advertise_address=self.agent.advertise_address
+                advertise_address=self.agent.advertise_address,
+                advertise_protocol=self.agent.advertise_protocol,
             )
             self.error_delay = self.initial_delay
             LOG.info('heartbeat successful')
@@ -165,7 +166,7 @@ class IronicPythonAgent(base.ExecuteCommandMixin):
     def __init__(self, api_url, advertise_address, listen_address,
                  ip_lookup_attempts, ip_lookup_sleep, network_interface,
                  lookup_timeout, lookup_interval, standalone, agent_token,
-                 hardware_initialization_delay=0):
+                 hardware_initialization_delay=0, advertise_protocol='http'):
         super(IronicPythonAgent, self).__init__()
         if bool(cfg.CONF.keyfile) != bool(cfg.CONF.certfile):
             LOG.warning("Only one of 'keyfile' and 'certfile' options is "
@@ -192,6 +193,7 @@ class IronicPythonAgent(base.ExecuteCommandMixin):
             self.heartbeater = IronicPythonAgentHeartbeater(self)
         self.listen_address = listen_address
         self.advertise_address = advertise_address
+        self.advertise_protocol = advertise_protocol
         self.version = pkg_resources.get_distribution('ironic-python-agent')\
             .version
         self.api = app.Application(self, cfg.CONF)
diff --git a/ironic_python_agent/cmd/agent.py b/ironic_python_agent/cmd/agent.py
index 2d449d753..bc92004e2 100644
--- a/ironic_python_agent/cmd/agent.py
+++ b/ironic_python_agent/cmd/agent.py
@@ -46,4 +46,5 @@ def run():
                             CONF.lookup_interval,
                             CONF.standalone,
                             CONF.agent_token,
-                            CONF.hardware_initialization_delay).run()
+                            CONF.hardware_initialization_delay,
+                            CONF.advertise_protocol).run()
diff --git a/ironic_python_agent/config.py b/ironic_python_agent/config.py
index d1c4dc954..7d8adaccf 100644
--- a/ironic_python_agent/config.py
+++ b/ironic_python_agent/config.py
@@ -62,6 +62,12 @@ cli_opts = [
                      'Can be supplied as "ipa-advertise-port" '
                      'kernel parameter.'),
 
+    cfg.StrOpt('advertise_protocol',
+               default=APARAMS.get('ipa-advertise-protocol', 'http'),
+               choices=['http', 'https'],
+               help='Protocol to use for the callback URL. HTTP is used by '
+                    'default, set to "https" if you have HTTPS configured.'),
+
     cfg.IntOpt('ip_lookup_attempts',
                min=1,
                default=int(APARAMS.get('ipa-ip-lookup-attempts', 6)),
diff --git a/ironic_python_agent/ironic_api_client.py b/ironic_python_agent/ironic_api_client.py
index fda420d99..a8a47dbda 100644
--- a/ironic_python_agent/ironic_api_client.py
+++ b/ironic_python_agent/ironic_api_client.py
@@ -105,10 +105,11 @@ class APIClient(object):
                 return MIN_IRONIC_VERSION
         return self._ironic_api_version
 
-    def heartbeat(self, uuid, advertise_address):
+    def heartbeat(self, uuid, advertise_address, advertise_protocol='http'):
         path = self.heartbeat_api.format(uuid=uuid)
 
-        data = {'callback_url': self._get_agent_url(advertise_address)}
+        data = {'callback_url': self._get_agent_url(advertise_address,
+                                                    advertise_protocol)}
 
         api_ver = self._get_ironic_api_version()
 
@@ -209,6 +210,7 @@ class APIClient(object):
         # Got valid content
         raise loopingcall.LoopingCallDone(retvalue=content)
 
-    def _get_agent_url(self, advertise_address):
-        return 'http://{}:{}'.format(netutils.wrap_ipv6(advertise_address[0]),
-                                     advertise_address[1])
+    def _get_agent_url(self, advertise_address, advertise_protocol='http'):
+        return '{}://{}:{}'.format(advertise_protocol,
+                                   netutils.wrap_ipv6(advertise_address[0]),
+                                   advertise_address[1])
diff --git a/ironic_python_agent/tests/unit/test_ironic_api_client.py b/ironic_python_agent/tests/unit/test_ironic_api_client.py
index c0f8bb740..0783216dd 100644
--- a/ironic_python_agent/tests/unit/test_ironic_api_client.py
+++ b/ironic_python_agent/tests/unit/test_ironic_api_client.py
@@ -375,3 +375,7 @@ class TestBaseIronicPythonAgent(base.IronicAgentTest):
     def test_get_agent_url_ipv6(self):
         url = self.api_client._get_agent_url(('1:2::3:4', '9999'))
         self.assertEqual('http://[1:2::3:4]:9999', url)
+
+    def test_get_agent_url_protocol(self):
+        url = self.api_client._get_agent_url(('1:2::3:4', '9999'), 'https')
+        self.assertEqual('https://[1:2::3:4]:9999', url)
diff --git a/releasenotes/notes/advertise-protocol-110ae1587f727e62.yaml b/releasenotes/notes/advertise-protocol-110ae1587f727e62.yaml
new file mode 100644
index 000000000..60cb98556
--- /dev/null
+++ b/releasenotes/notes/advertise-protocol-110ae1587f727e62.yaml
@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    The new kernel parameter ``ipa-advertise-protocol`` can be used to change
+    the protocol of the callback URL to ``https``.