diff --git a/etc/octavia.conf b/etc/octavia.conf
index 271c9606f3..472d4cd18d 100644
--- a/etc/octavia.conf
+++ b/etc/octavia.conf
@@ -164,13 +164,21 @@
 # cert_manager = barbican_cert_manager
 # For Barbican authentication (if using any Barbican based cert class)
 # barbican_auth = barbican_acl_auth
-#
-# Region in Identity service catalog to use for communication with the Barbican service.
+
+# Settings for the key manager endpoint (such as Barbican)
+
+# Region in Identity service catalog to use for communication with the key manager service.
 # region_name =
-#
-# Endpoint type to use for communication with the Barbican service.
+
+# Endpoint type to use for communication with the key manager service.
 # endpoint_type = publicURL
 
+# CA certificates file to verify key manager connections when TLS is enabled
+# ca_certificates_file =
+
+# Disable certificate validation on SSL connections
+# insecure = False
+
 [compute]
 # The maximum attempts to retry an action with the compute service.
 # max_retries = 15
diff --git a/octavia/common/config.py b/octavia/common/config.py
index cc4a93a16a..6197b9d039 100644
--- a/octavia/common/config.py
+++ b/octavia/common/config.py
@@ -609,7 +609,8 @@ certificate_opts = [
                default='publicURL',
                help='The endpoint_type to be used for barbican service.'),
     cfg.StrOpt('ca_certificates_file',
-               help=_('CA certificates file path')),
+               help=_('CA certificates file path for the key manager service '
+                      '(such as Barbican).')),
     cfg.BoolOpt('insecure',
                 default=False,
                 help=_('Disable certificate validation on SSL connections ')),