diff --git a/defaults/main.yml b/defaults/main.yml
index e66fcaf2..309a68e1 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -237,8 +237,11 @@ keystone_ssl: false
 keystone_ssl_cert: /etc/ssl/certs/keystone.pem
 keystone_ssl_key: /etc/ssl/private/keystone.key
 keystone_ssl_ca_cert: /etc/ssl/certs/keystone-ca.pem
-keystone_ssl_protocol: "ALL -SSLv2 -SSLv3 -TLSv1.0 -TLSv1.1"
-keystone_ssl_cipher_suite: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
+keystone_ssl_protocol: "{{ ssl_protocol | default('ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1') }}"
+# TLS v1.2 and below
+keystone_ssl_cipher_suite_tls12: "{{ keystone_ssl_cipher_suite | default(ssl_cipher_suite_tls12 | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS')) }}"
+# TLS v1.3
+keystone_ssl_cipher_suite_tls13: "{{ ssl_cipher_suite_tls13 | default('TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256') }}"
 
 # if using a self-signed certificate, set this to true to regenerate it
 keystone_ssl_self_signed_regen: false
diff --git a/releasenotes/notes/tls_variables-5d7db8f80f158f0d.yaml b/releasenotes/notes/tls_variables-5d7db8f80f158f0d.yaml
new file mode 100644
index 00000000..a81982f3
--- /dev/null
+++ b/releasenotes/notes/tls_variables-5d7db8f80f158f0d.yaml
@@ -0,0 +1,6 @@
+---
+deprecations:
+  - |
+    The variable 'keystone_ssl_cipher_suite' is deprecated in favour of
+    'keystone_ssl_cipher_suite_tls12' which will continue to manage
+    configuration of ciphers for TLS v1.2 and earlier.
diff --git a/templates/keystone-httpd.conf.j2 b/templates/keystone-httpd.conf.j2
index 9a450115..c23d0cee 100644
--- a/templates/keystone-httpd.conf.j2
+++ b/templates/keystone-httpd.conf.j2
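Review bot: The new `keystone_ssl_cipher_suite_tls12` default no longer consults the group-wide `ssl_cipher_suite` that the removed line read, so a deployment that hardened its cipher list only through `ssl_cipher_suite` silently reverts to the role's built-in list, and the release note covers `keystone_ssl_cipher_suite` but not this variable. Keep it as the last fallback, `keystone_ssl_cipher_suite_tls12: "{{ keystone_ssl_cipher_suite | default(ssl_cipher_suite_tls12 | default(ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS'))) }}"`, or name the dropped variable in the release note so deployers re-check their overrides. The two new comments could also state that an empty string disables the corresponding `SSLCipherSuite` directive, since that is how the template hunk treats `""`.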
@@ -31,7 +31,12 @@ Listen {{ keystone_web_server_bind_address }}:{{ keystone_service_port }}
     SSLCompression Off
     SSLProtocol {{ keystone_ssl_protocol }}
     SSLHonorCipherOrder On
-    SSLCipherSuite {{ keystone_ssl_cipher_suite }}
+    {% if keystone_ssl_cipher_suite_tls12 != "" -%}
+    SSLCipherSuite {{ keystone_ssl_cipher_suite_tls12 }}
+    {% endif -%}
+    {% if keystone_ssl_cipher_suite_tls13 != "" -%}
+    SSLCipherSuite TLSv1.3 {{ keystone_ssl_cipher_suite_tls13 }}
+    {% endif -%}
     SSLOptions +StdEnvVars +ExportCertData
{% endif -%}
{% if keystone_sp_apache_mod_auth_openidc -%}
diff --git a/tests/os_keystone-overrides.yml b/tests/os_keystone-overrides.yml
index 04355a31..06965130 100644
--- a/tests/os_keystone-overrides.yml
+++ b/tests/os_keystone-overrides.yml
@@ -55,5 +55,6 @@ haproxy_default_services:
 haproxy_backend_options:
   - "httpchk HEAD /"
 
-ssl_cipher_suite: "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
+ssl_cipher_suite_tls12: "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
+ssl_cipher_suite_tls13: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
 haproxy_ssl: false
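Review bot: The two-argument form `SSLCipherSuite TLSv1.3 ...` is only accepted by httpd 2.4.36 and later built against OpenSSL 1.1.1 or newer; an older mod_ssl rejects the directive and httpd fails to start, and because `keystone_ssl_cipher_suite_tls13` defaults to a non-empty list every deployment now emits it. Either guard the directive on the installed httpd version or document in defaults that `keystone_ssl_cipher_suite_tls13: ""` must be set on platforms without TLS 1.3 support. The `!= ""` tests also render `SSLCipherSuite None` when a deployer sets either variable to `null`; `{% if keystone_ssl_cipher_suite_tls12 | default('', true) != "" -%}` (and the same for the tls13 check) covers both the empty and the null case. The enclosing `{% if %}` block that these directives sit in starts above the hunk.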