diff --git a/devstack/lib/ironic b/devstack/lib/ironic
index beb651610c..227784e78a 100644
--- a/devstack/lib/ironic
+++ b/devstack/lib/ironic
@@ -157,6 +157,10 @@ IRONIC_LIBVIRT_HOOKS_PATH=${IRONIC_LIBVIRT_HOOKS_PATH:-/etc/libvirt/hooks/}
 # keystone and noauth.
 IRONIC_AUTH_STRATEGY=${IRONIC_AUTH_STRATEGY:-keystone}
+# By default, terminal SSL certificate is disabled.
+IRONIC_TERMINAL_SSL=${IRONIC_TERMINAL_SSL:-False}
+IRONIC_TERMINAL_CERT_DIR=${IRONIC_TERMINAL_CERT_DIR:-$IRONIC_DATA_DIR/terminal_cert/}
+
 # get_pxe_boot_file() - Get the PXE/iPXE boot file path
 function get_pxe_boot_file {
 local relpath=syslinux/pxelinux.0
@@ -384,6 +388,21 @@ function configure_ironic_conductor {
 iniset $IRONIC_CONF_FILE pxe tftp_server $IRONIC_TFTPSERVER_IP
 iniset $IRONIC_CONF_FILE pxe tftp_root $IRONIC_TFTPBOOT_DIR
 iniset $IRONIC_CONF_FILE pxe tftp_master_path $IRONIC_TFTPBOOT_DIR/master_images
+ if [[ "$IRONIC_TERMINAL_SSL" == "True" ]]; then
+ # Make sure the cert directory exist
+ sudo mkdir -p $IRONIC_TERMINAL_CERT_DIR
+ sudo chown $STACK_USER $IRONIC_TERMINAL_CERT_DIR
+ iniset $IRONIC_CONF_FILE console terminal_cert_dir $IRONIC_TERMINAL_CERT_DIR
+ # Generate the SSL certificate
+ openssl req \
+ -x509 \
+ -days 3650 \
+ -newkey rsa:1024 \
+ -nodes \
+ -keyout $IRONIC_TERMINAL_CERT_DIR/certificate.pem.key \
+ -out $IRONIC_TERMINAL_CERT_DIR/certificate.pem \
+ -subj '/O=OpenStack/OU=DevStack Servers'
+ fi
 local pxe_params="nofb nomodeset vga=normal console=ttyS0"
 if is_deployed_with_ipa_ramdisk; then
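Review bot: The comment above `IRONIC_TERMINAL_SSL` in the first hunk says only that the feature is off by default and leaves `IRONIC_TERMINAL_CERT_DIR` undocumented, although the second hunk writes an unencrypted private key into that directory. I would expand it to something like `# Set IRONIC_TERMINAL_SSL=True to generate a self-signed certificate and private key for the console in IRONIC_TERMINAL_CERT_DIR.` The default value also ends in `/`, so the later `$IRONIC_TERMINAL_CERT_DIR/certificate.pem` expands with a double slash; dropping the trailing slash from the default keeps the generated paths clean.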
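Review bot: The `-newkey rsa:1024` argument in the added `openssl req` call creates a 1024-bit RSA key, which is below the 2048-bit floor that current guidance and many TLS libraries' default policies expect, and `-days 3650` keeps that key valid for ten years; `-newkey rsa:2048 \` is the smallest fix. Because `-nodes` writes the key unencrypted and the directory is created with a plain `sudo mkdir -p` followed only by a chown, who can read `certificate.pem.key` depends on the ambient umask; adding `chmod 700 "$IRONIC_TERMINAL_CERT_DIR"` after the chown would confine it to `$STACK_USER`, assuming the console process runs as that user. The `$IRONIC_TERMINAL_CERT_DIR` expansions are unquoted throughout the block and should be double-quoted. The block appears to regenerate the key pair on every run of configure_ironic_conductor, whose body starts and ends outside this hunk.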