diff --git a/manifests/init.pp b/manifests/init.pp
index a62ffbbf5..ee92b2087 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -587,16 +587,21 @@ removed in a future realse. Use keystone::db::database_max_overflow instead')
   # ssl config
   if ($enable_ssl) {
     keystone_config {
-      'ssl/enable':              value  => true;
-      'ssl/certfile':            value  => $ssl_certfile;
-      'ssl/keyfile':             value  => $ssl_keyfile;
-      'ssl/ca_certs':            value  => $ssl_ca_certs;
-      'ssl/ca_key':              value  => $ssl_ca_key;
-      'ssl/cert_subject':        value  => $ssl_cert_subject;
+      'ssl/enable':       value  => true;
+      'ssl/certfile':     value  => $ssl_certfile;
+      'ssl/keyfile':      value  => $ssl_keyfile;
+      'ssl/ca_certs':     value  => $ssl_ca_certs;
+      'ssl/ca_key':       value  => $ssl_ca_key;
+      'ssl/cert_subject': value  => $ssl_cert_subject;
     }
   } else {
     keystone_config {
-      'ssl/enable':              value  => false;
+      'ssl/enable':       value  => false;
+      'ssl/certfile':     value  => $::os_service_default;
+      'ssl/keyfile':      value  => $::os_service_default;
+      'ssl/ca_certs':     value  => $::os_service_default;
+      'ssl/ca_key':       value  => $::os_service_default;
+      'ssl/cert_subject': value  => $::os_service_default;
     }
   }
 
diff --git a/spec/classes/keystone_init_spec.rb b/spec/classes/keystone_init_spec.rb
index 5d9ba8c51..b61dbc6f3 100644
--- a/spec/classes/keystone_init_spec.rb
+++ b/spec/classes/keystone_init_spec.rb
@@ -41,6 +41,11 @@ describe 'keystone' do
         is_expected.to contain_keystone_config('revoke/driver').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_keystone_config('policy/driver').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_keystone_config('ssl/enable').with_value(false)
+        is_expected.to contain_keystone_config('ssl/certfile').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('ssl/keyfile').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('ssl/ca_certs').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('ssl/ca_key').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('ssl/cert_subject').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_keystone_config('token/revoke_by_id').with_value(true)
 
         is_expected.to contain_oslo__middleware('keystone_config').with(
@@ -132,6 +137,11 @@ describe 'keystone' do
         is_expected.to contain_keystone_config('revoke/driver').with_value('sql')
         is_expected.to contain_keystone_config('policy/driver').with_value('sql')
         is_expected.to contain_keystone_config('ssl/enable').with_value(false)
+        is_expected.to contain_keystone_config('ssl/certfile').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('ssl/keyfile').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('ssl/ca_certs').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('ssl/ca_key').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_keystone_config('ssl/cert_subject').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_keystone_config('token/revoke_by_id').with_value(true)
 
         is_expected.to contain_oslo__middleware('keystone_config').with(