diff --git a/neutron/services/externaldns/drivers/designate/driver.py b/neutron/services/externaldns/drivers/designate/driver.py
index 89d11cdd84f..0681482e360 100644
--- a/neutron/services/externaldns/drivers/designate/driver.py
+++ b/neutron/services/externaldns/drivers/designate/driver.py
@@ -55,6 +55,11 @@ designate_opts = [
     cfg.StrOpt('admin_auth_url',
                help=_('Authorization URL for connecting to designate in admin '
                       'context')),
+    cfg.BoolOpt('insecure', default=False,
+                help=_('Skip cert validation for SSL based admin_auth_url')),
+    cfg.StrOpt('ca_cert',
+               help=_('CA certificate file to use to verify '
+                      'connecting clients')),
     cfg.BoolOpt('allow_reverse_dns_lookup', default=True,
                 help=_('Allow the creation of PTR records')),
     cfg.IntOpt('ipv4_ptr_zone_prefix_size', default=24,
@@ -83,7 +88,11 @@ def get_clients(context):
     global _SESSION
 
     if not _SESSION:
-        _SESSION = session.Session()
+        if CONF.designate.insecure:
+            verify = False
+        else:
+            verify = CONF.designate.ca_cert or True
+        _SESSION = session.Session(verify=verify)
 
     auth = token_endpoint.Token(CONF.designate.url, context.auth_token)
     client = d_client.Client(session=_SESSION, auth=auth)
diff --git a/neutron/tests/unit/plugins/ml2/extensions/test_dns_integration.py b/neutron/tests/unit/plugins/ml2/extensions/test_dns_integration.py
index 364ebfe15e8..821ea9e8d39 100644
--- a/neutron/tests/unit/plugins/ml2/extensions/test_dns_integration.py
+++ b/neutron/tests/unit/plugins/ml2/extensions/test_dns_integration.py
@@ -13,9 +13,12 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
+import uuid
+
 import mock
 import netaddr
 from neutron_lib import constants
+import testtools
 
 from neutron import context
 from neutron.db import dns_db
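Review bot: The help text for `ca_cert` describes the wrong direction of verification: the value is handed to the keystoneauth session as `verify=` in get_clients, so it is the CA bundle used to check the server certificate of the HTTPS endpoints the session talks to, not "connecting clients" (which reads as client-certificate authentication). Likewise `insecure` is documented as applying to `admin_auth_url`, but the session it turns verification off for is the one `d_client.Client` uses against `CONF.designate.url` as well (whether the admin path below the hunk shares it is not visible here). Suggest `help=_('CA certificate file used to verify the server certificate of the designate and keystone endpoints')` and `help=_('Skip server certificate validation for SSL based designate and keystone endpoints')`, each with a sentence stating that `insecure` takes precedence over `ca_cert`.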
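Review bot: Disabling certificate validation is silent: when the branch at `if CONF.designate.insecure:` is taken, nothing records that the token-bearing session to designate now runs unverified, which is exactly the condition an operator wants to see in the logs. Suggest a warning next to `verify = False` through the module's logger if it has one (not visible in this hunk), e.g. `LOG.warning('Certificate validation for the designate session is disabled (insecure=True)')`. Two smaller points: `insecure=True` silently wins over a configured `ca_cert`, which deserves a comment on the branch, and because `_SESSION` is a module-level cache the verify setting is frozen by whichever call runs first, so later config changes (and tests) do not see it.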
@@ -24,6 +27,7 @@ from neutron.extensions import providernet as pnet
 from neutron import manager
 from neutron.plugins.ml2 import config
 from neutron.plugins.ml2.extensions import dns_integration
+from neutron.services.externaldns.drivers.designate import driver
 from neutron.tests.unit.plugins.ml2 import test_plugin
 
 
@@ -497,3 +501,58 @@ class DNSIntegrationTestCase(test_plugin.Ml2PluginV2TestCase):
         config.cfg.CONF.set_override('dns_domain', DNSDOMAIN)
         net, port, dns_data_db = self._create_port_for_test()
         self._verify_port_dns(net, port, dns_data_db)
+
+
+class TestDesignateClient(testtools.TestCase):
+    """Test case for designate clients """
+
+    TEST_URL = 'http://127.0.0.1:9001/v2'
+    TEST_ADMIN_USERNAME = uuid.uuid4().hex
+    TEST_ADMIN_PASSWORD = uuid.uuid4().hex
+    TEST_ADMIN_TENANT_NAME = uuid.uuid4().hex
+    TEST_ADMIN_TENANT_ID = uuid.uuid4().hex
+    TEST_ADMIN_AUTH_URL = 'http://127.0.0.1:35357/v2.0'
+    TEST_CA_CERT = uuid.uuid4().hex
+
+    TEST_CONTEXT = mock.Mock()
+    TEST_CONTEXT.auth_token = uuid.uuid4().hex
+
+    def setUp(self):
+        super(TestDesignateClient, self).setUp()
+        config.cfg.CONF.set_override('url',
+                                     self.TEST_URL,
+                                     group='designate')
+        config.cfg.CONF.set_override('admin_username',
+                                     self.TEST_ADMIN_USERNAME,
+                                     group='designate')
+        config.cfg.CONF.set_override('admin_password',
+                                     self.TEST_ADMIN_PASSWORD,
+                                     group='designate')
+        config.cfg.CONF.set_override('admin_auth_url',
+                                     self.TEST_ADMIN_AUTH_URL,
+                                     group='designate')
+        config.cfg.CONF.set_override('admin_tenant_id',
+                                     self.TEST_ADMIN_TENANT_ID,
+                                     group='designate')
+        config.cfg.CONF.set_override('admin_tenant_name',
+                                     self.TEST_ADMIN_TENANT_NAME,
+                                     group='designate')
+
+        driver.session.Session = mock.MagicMock()
+
+    def test_insecure_client(self):
+        config.cfg.CONF.set_override('insecure',
+                                     True,
+                                     group='designate')
+        driver.get_clients(self.TEST_CONTEXT)
+        driver.session.Session.assert_called_with(verify=False)
+
+    def test_secure_client(self):
+        config.cfg.CONF.set_override('insecure',
+                                     False,
+                                     group='designate')
+        config.cfg.CONF.set_override('ca_cert',
+                                     self.TEST_CA_CERT,
+                                     group='designate')
+        driver.get_clients(self.TEST_CONTEXT)
+        driver.session.Session.assert_called_with(verify=self.TEST_CA_CERT)
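Review bot: `driver.session.Session = mock.MagicMock()` in setUp replaces the attribute on the real keystoneauth module for the rest of the process and is never restored, so any later test that builds a session gets the mock; `mock.patch.object(driver.session, 'Session')` with a cleanup does the same without the leak. The config overrides set in setUp are likewise never undone (testtools.TestCase does not reset `CONF`), and because get_clients caches its session in the module-level `_SESSION` (whose initial value is outside this hunk), whichever of test_insecure_client and test_secure_client runs second finds the cache already populated, so `Session` is never called and its `assert_called_with` fails. Registering cleanups for the patch, the overrides and the cache fixes all three; the two test methods can stay as written.
```python
    def setUp(self):
        super(TestDesignateClient, self).setUp()
        # … unchanged: set_override calls for the designate group …
        self.addCleanup(config.cfg.CONF.reset)
        # get_clients caches the session module-wide; start every test with it empty
        self.addCleanup(setattr, driver, '_SESSION', None)
        mock.patch.object(driver.session, 'Session').start()
        self.addCleanup(mock.patch.stopall)
```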
diff --git a/releasenotes/notes/add-designate-driver-ssl-options-169c299c96f2aff0.yaml b/releasenotes/notes/add-designate-driver-ssl-options-169c299c96f2aff0.yaml
new file mode 100644
index 00000000000..03d3da592dc
--- /dev/null
+++ b/releasenotes/notes/add-designate-driver-ssl-options-169c299c96f2aff0.yaml
@@ -0,0 +1,16 @@
+---
+prelude: >
+  Add options to designate external dns driver
+  of neutron for SSL based connections. This makes
+  it possible to use neutron with designate in scenario
+  where endpoints are SSL based. Users can specify to
+  skip cert validation or specify path to a valid cert
+  in [designate] section of neutron.conf file.
+features:
+  - Two new options are added to `[designate]` section to
+    support SSL.
+  - First option `insecure` allows to skip SSL validation
+    when creating a keystone session to initate a designate client.
+    Default value is False, which means to always verify connection.
+  - Second option `ca_cert` allows setting path to a valid cert file.
+    Default is None.