diff --git a/etc/octavia.conf b/etc/octavia.conf
index 8481ca6d1b..a8ff0e4e56 100644
--- a/etc/octavia.conf
+++ b/etc/octavia.conf
@@ -131,13 +131,21 @@
 # cert_manager = barbican_cert_manager
 # For Barbican authentication (if using any Barbican based cert class)
 # barbican_auth = barbican_acl_auth
-#
-# Region in Identity service catalog to use for communication with the Barbican service.
+
+# Settings for the key manager endpoint (such as Barbican)
+
+# Region in Identity service catalog to use for communication with the key manager service.
 # region_name =
-#
-# Endpoint type to use for communication with the Barbican service.
+
+# Endpoint type to use for communication with the key manager service.
 # endpoint_type = publicURL
 
+# CA certificates file to verify key manager connections when TLS is enabled
+# ca_certificates_file =
+
+# Disable certificate validation on SSL connections
+# insecure = False
+
 [compute]
 # The maximum attempts to retry an action with the compute service.
 # max_retries = 15
diff --git a/octavia/common/config.py b/octavia/common/config.py
index 1cc92d8b06..67474ba189 100644
--- a/octavia/common/config.py
+++ b/octavia/common/config.py
@@ -526,7 +526,8 @@ certificate_opts = [
                default='publicURL',
                help='The endpoint_type to be used for barbican service.'),
     cfg.StrOpt('ca_certificates_file',
-               help=_('CA certificates file path')),
+               help=_('CA certificates file path for the key manager service '
+                      '(such as Barbican).')),
     cfg.BoolOpt('insecure',
                 default=False,
                 help=_('Disable certificate validation on SSL connections ')),