diff --git a/senlin/conf/authentication.py b/senlin/conf/authentication.py
index 65547062f..1a2617ccc 100644
--- a/senlin/conf/authentication.py
+++ b/senlin/conf/authentication.py
@@ -9,6 +9,7 @@
 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 # License for the specific language governing permissions and limitations
 # under the License.
+from keystoneauth1 import loading as ks_loading
 from oslo_config import cfg
 from senlin.common.i18n import _
@@ -37,6 +38,7 @@ AUTHENTICATION_OPTS = [
 def register_opts(conf):
 conf.register_group(AUTHENTICATION_GROUP)
 conf.register_opts(AUTHENTICATION_OPTS, group=AUTHENTICATION_GROUP)
+ ks_loading.register_session_conf_options(cfg.CONF, 'authentication')
 def list_opts():
diff --git a/senlin/drivers/os/keystone_v3.py b/senlin/drivers/os/keystone_v3.py
index b86af9973..b47a25c87 100644
--- a/senlin/drivers/os/keystone_v3.py
+++ b/senlin/drivers/os/keystone_v3.py
@@ -123,6 +123,13 @@ class KeystoneClient(base.DriverBase):
 'verify': cfg.CONF.authentication.verify_ssl,
 'interface': cfg.CONF.authentication.interface,
 }
+ if cfg.CONF.authentication.certfile and \
+ cfg.CONF.authentication.keyfile:
+ creds['cert'] = cfg.CONF.authentication.certfile
+ creds['key'] = cfg.CONF.authentication.keyfile
+ if cfg.CONF.authentication.cafile:
+ creds['cacert'] = cfg.CONF.authentication.cafile
+
 creds.update(**kwargs)
 return creds
diff --git a/senlin/drivers/sdk.py b/senlin/drivers/sdk.py
index bbd24a3b4..02e99051b 100644
--- a/senlin/drivers/sdk.py
+++ b/senlin/drivers/sdk.py
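Review bot: The added call in `register_opts` registers the keystoneauth session options on the global `cfg.CONF` under the literal `'authentication'`, while the two lines above it use the `conf` argument and `AUTHENTICATION_GROUP`; a caller that passes its own config object would get the group without `cafile`, `certfile` and `keyfile`. Consider `ks_loading.register_session_conf_options(conf, AUTHENTICATION_GROUP.name)` (assuming `AUTHENTICATION_GROUP` is an `oslo_config` `OptGroup`; its definition is outside the hunk). The helper also registers an `insecure` option next to the existing `verify_ssl`, and the code in this commit reads only `verify_ssl`, so the option help should say which one is honoured. `list_opts` is outside the hunk, so it is not visible whether the new options reach the generated sample configuration.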
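Review bot: The `certfile and keyfile` condition silently drops a half-configured pair: with only `certfile` set (for example a PEM file that holds both certificate and key) or only `keyfile` set, no client certificate is put into `creds` and nothing is logged, so the service connects without a client certificate and the operator gets no signal. Either pass `certfile` on its own, `if cfg.CONF.authentication.certfile: creds['cert'] = cfg.CONF.authentication.certfile`, and add `creds['key']` only when `keyfile` is set, or reject the incomplete pair when the configuration is loaded. `creds['cacert']` is set regardless of `verify_ssl`, and how the consumer combines `verify` and `cacert` is outside this hunk, so a comment stating which of the two takes precedence would help. The function starts above the hunk.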
@@ -123,6 +123,16 @@ def create_connection(params=None):
 except Exception as ex:
 raise parse_exception(ex)
+ if cfg.CONF.authentication.certfile and \
+ cfg.CONF.authentication.keyfile:
+ conn.session.cert = (cfg.CONF.authentication.certfile,
+ cfg.CONF.authentication.keyfile)
+ if cfg.CONF.authentication.verify_ssl:
+ if cfg.CONF.authentication.cafile:
+ conn.session.verify = cfg.CONF.authentication.cafile
+ else:
+ conn.session.verify = cfg.CONF.authentication.verify_ssl
+
 return conn
diff --git a/senlin/tests/unit/drivers/test_keystone_v3.py b/senlin/tests/unit/drivers/test_keystone_v3.py
index 37d99f215..7ecd5d9ad 100644
--- a/senlin/tests/unit/drivers/test_keystone_v3.py
+++ b/senlin/tests/unit/drivers/test_keystone_v3.py
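Review bot: `conn.session.cert` and `conn.session.verify` are overwritten after the connection has been built from `params`, so the `[authentication]` client certificate, key and CA settings are applied to every connection this function returns, replacing any `verify`, `cacert` or `cert` the caller supplied. If `create_connection` is also used with non-service credentials (callers are outside the hunk), the service's client certificate would be presented on those sessions too, and a caller's CA bundle could be replaced by a plain `True`. Setting the values only when `params` did not provide them, or merging them into `params` before the connection is constructed, would keep one source of truth with `get_service_credentials`, which already adds `cert`, `key` and `cacert`. Indentation is lost on this page, so whether the `else:` pairs with `if cfg.CONF.authentication.cafile:` or with `if cfg.CONF.authentication.verify_ssl:` cannot be confirmed; a one-line comment on the intended precedence would remove the doubt. The body of `create_connection` starts above the hunk.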
@@ -175,6 +175,52 @@ class TestKeystoneV3(base.SenlinTestCase):
 mock_auth.assert_called_once_with(key='value')
 self.assertEqual('abc', user_id)
+ def test_get_service_credentials_with_tls(self, mock_create):
+ cfg.CONF.set_override('auth_url', 'FAKE_URL', group='authentication')
+ cfg.CONF.set_override('service_username', 'FAKE_USERNAME',
+ group='authentication')
+ cfg.CONF.set_override('service_password', 'FAKE_PASSWORD',
+ group='authentication')
+ cfg.CONF.set_override('service_project_name', 'FAKE_PROJECT',
+ group='authentication')
+ cfg.CONF.set_override('service_user_domain', 'FAKE_DOMAIN_1',
+ group='authentication')
+ cfg.CONF.set_override('service_project_domain', 'FAKE_DOMAIN_2',
+ group='authentication')
+ cfg.CONF.set_override('interface', 'internal',
+ group='authentication')
+ cfg.CONF.set_override('cafile', '/fake/capath',
+ group='authentication')
+ cfg.CONF.set_override('certfile', '/fake/certpath',
+ group='authentication')
+ cfg.CONF.set_override('keyfile', '/fake/keypath',
+ group='authentication')
+ expected = {
+ 'auth_url': 'FAKE_URL',
+ 'username': 'FAKE_USERNAME',
+ 'password': 'FAKE_PASSWORD',
+ 'project_name': 'FAKE_PROJECT',
+ 'user_domain_name': 'FAKE_DOMAIN_1',
+ 'project_domain_name': 'FAKE_DOMAIN_2',
+ 'interface': 'internal',
+ 'cert': '/fake/certpath',
+ 'key': '/fake/keypath',
+ 'cacert': '/fake/capath',
+ 'verify': True
+ }
+ actual = kv3.KeystoneClient.get_service_credentials()
+
+ self.assertEqual(expected, actual)
+
+ new_expected = copy.copy(expected)
+ new_expected['key1'] = 'value1'
+ new_expected['password'] = 'NEW_PASSWORD'
+
+ actual = kv3.KeystoneClient.get_service_credentials(
+ key1='value1', password='NEW_PASSWORD')
+
+ self.assertEqual(new_expected, actual)
+
 def test_get_service_credentials(self, mock_create):
 cfg.CONF.set_override('auth_url', 'FAKE_URL', group='authentication')
 cfg.CONF.set_override('service_username', 'FAKE_USERNAME',
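Review bot: `test_get_service_credentials_with_tls` covers only the configuration where `cafile`, `certfile` and `keyfile` are all set; the branch that leaves `cert` and `key` out when one of the pair is missing has no assertion, and that is the case an operator is most likely to hit by misconfiguration. A second case that overrides only `certfile` and asserts the resulting dict would pin the intended behaviour. No test for the `create_connection` change in `senlin/drivers/sdk.py` is visible on this page. The trailing context lines belong to `test_get_service_credentials`, which continues outside the hunk.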