diff --git a/manifests/profile/base/designate/api.pp b/manifests/profile/base/designate/api.pp
index 9301684fe..4e97650bc 100644
--- a/manifests/profile/base/designate/api.pp
+++ b/manifests/profile/base/designate/api.pp
@@ -23,27 +23,75 @@ # for more details. # Defaults to hiera('step') # +# [*certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Example with hiera: +# apache_certificates_specs: +# httpd-internal_api: +# hostname: +# service_certificate: +# service_key: +# principal: "haproxy/" +# Defaults to hiera('apache_certificate_specs', {}). +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# +# [*designate_network*] +# (Optional) The network name where the designate endpoint is listening on. +# This is set by t-h-t. +# Defaults to hiera('designate_api_network', undef) +# +# DEPRECATED PARAMETERS +# # [*listen_ip*] -# (Optional) The IP on which the API should listen. -# Defaults to 0.0.0.0 +# (Optional) The IP on which the API should listen. (now set by hiera via +# designate::wsgi::apache) +# Defaults to undef # # [*listen_port*] -# (Optional) The port on which the API should listen. -# Defaults to 9001 +# (Optional) The port on which the API should listen. 
(no longer needed, +# listen port gets default value from designate::wsgi::apache) +# Defaults to undef # class tripleo::profile::base::designate::api ( - $step = Integer(hiera('step')), - $listen_ip = '0.0.0.0', - $listen_port = '9001', + $step = Integer(hiera('step')), + $certificates_specs = hiera('apache_certificates_specs', {}), + $enable_internal_tls = hiera('enable_internal_tls', false), + $designate_network = hiera('designate_api_network', undef), + $listen_ip = undef, + $listen_port = undef ) { - include tripleo::profile::base::designate include tripleo::profile::base::designate::authtoken + if $enable_internal_tls { + if !$designate_network { + fail('designate_api_network is not set in the hieradata.') + } + $tls_certfile = $certificates_specs["httpd-${designate_network}"]['service_certificate'] + $tls_keyfile = $certificates_specs["httpd-${designate_network}"]['service_key'] + } else { + $tls_certfile = undef + $tls_keyfile = undef + } + if ($step >= 3) { - $listen_uri = normalize_ip_for_uri($listen_ip) - class { 'designate::api': - listen => "${listen_uri}:${listen_port}", + # TODO: remove once the tripleo heat template changes merge + if $listen_ip and $listen_port { + $listen_uri = normalize_ip_for_uri($listen_ip) + class { 'designate::api': + listen => "${listen_uri}:${listen_port}" + } + } else { + include tripleo::profile::base::apache + class { 'designate::wsgi::apache': + ssl_cert => $tls_certfile, + ssl_key => $tls_keyfile + } + include designate::api } include designate::healthcheck } diff --git a/spec/classes/tripleo_profile_base_designate_api_spec.rb b/spec/classes/tripleo_profile_base_designate_api_spec.rb index 038a8998e..58fe28fe0 100644 --- a/spec/classes/tripleo_profile_base_designate_api_spec.rb +++ b/spec/classes/tripleo_profile_base_designate_api_spec.rb 
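Review bot: When `enable_internal_tls` is true and the deprecated `listen_ip` and `listen_port` are both still set, the `if $listen_ip and $listen_port` branch declares `designate::api` with a plain `listen` and never uses the computed `$tls_certfile`/`$tls_keyfile`, so the API would come up without the internal TLS the operator requested and nothing reports it. I would fail closed at the top of that branch, e.g. `if $enable_internal_tls { fail('listen_ip/listen_port cannot be combined with enable_internal_tls') }`. In the TLS block, a missing `"httpd-${designate_network}"` key in `$certificates_specs` is only caught indirectly when the result is indexed; an explicit check with a `fail()` naming the missing key would be easier to diagnose. The parameter docs also say `hiera('apache_certificate_specs', {})` while the code looks up `apache_certificates_specs`.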
@@ -41,6 +41,8 @@ eos is_expected.to contain_class('tripleo::profile::base::designate::api') is_expected.to contain_class('tripleo::profile::base::designate') is_expected.to contain_class('tripleo::profile::base::designate::authtoken') + is_expected.to_not contain_class('tripleo::profile::base::apache') + is_expected.to_not contain_class('designate::wsgi::apache') is_expected.to_not contain_class('designate::api') is_expected.to_not contain_class('designate::healthcheck') } @@ -55,13 +57,12 @@ eos is_expected.to contain_class('tripleo::profile::base::designate::api') is_expected.to contain_class('tripleo::profile::base::designate') is_expected.to contain_class('tripleo::profile::base::designate::authtoken') - is_expected.to contain_class('designate::api').with( - :listen => '0.0.0.0:9001' - ) + is_expected.to contain_class('tripleo::profile::base::apache') + is_expected.to contain_class('designate::wsgi::apache') + is_expected.to contain_class('designate::api') is_expected.to contain_class('designate::healthcheck') } end - end
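Review bot: The second spec hunk (`@@ -55,13 +57,12 @@`) only asserts that `designate::wsgi::apache` is present, so none of the TLS handling added by this commit is tested; the enclosing contexts start outside the hunk. I would add a context with `enable_internal_tls => true`, a `designate_network` and a matching `certificates_specs` entry that asserts `contain_class('designate::wsgi::apache').with(:ssl_cert => ..., :ssl_key => ...)`. A second context with TLS enabled and the network unset should expect `is_expected.to compile.and_raise_error(/designate_api_network is not set/)`. Removing the `:listen => '0.0.0.0:9001'` expectation also leaves the deprecated `listen_ip`/`listen_port` branch without coverage while the manifest still supports it.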