diff --git a/deployment/keystone/keystone-container-puppet.yaml b/deployment/keystone/keystone-container-puppet.yaml index dbcf8017db..9ed3c0e660 100644 --- a/deployment/keystone/keystone-container-puppet.yaml +++ b/deployment/keystone/keystone-container-puppet.yaml @@ -71,11 +71,11 @@ parameters: description: > Whether to enable TLS on the public interface or not. type: boolean - InternalTLSCAFile: - default: '/etc/ipa/ca.crt' + PublicTLSCAFile: + default: '' type: string description: Specifies the default CA cert to use if TLS is used for - services in the internal network. + services in the public network. EnableInternalTLS: type: boolean default: false @@ -766,7 +766,7 @@ outputs: cacert: if: - public_tls_enabled - - {get_param: InternalTLSCAFile} + - {get_param: PublicTLSCAFile} - '' identity_api_version: '3' region_name: {get_param: KeystoneRegion} diff --git a/environments/public-tls-undercloud.yaml b/environments/public-tls-undercloud.yaml index 1851b79543..a0fafdf545 100644 --- a/environments/public-tls-undercloud.yaml +++ b/environments/public-tls-undercloud.yaml @@ -1,5 +1,6 @@ parameter_defaults: InternalTLSCAFile: '/etc/pki/ca-trust/source/anchors/cm-local-ca.pem' + PublicTLSCAFile: '/etc/pki/ca-trust/source/anchors/cm-local-ca.pem' PublicSSLCertificateAutogenerated: true resource_registry: diff --git a/environments/ssl/enable-internal-tls.j2.yaml b/environments/ssl/enable-internal-tls.j2.yaml index 6ccc578cac..1bec0f14e2 100644 --- a/environments/ssl/enable-internal-tls.j2.yaml +++ b/environments/ssl/enable-internal-tls.j2.yaml 
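Review bot: The new `PublicTLSCAFile` description in the first hunk does not say what the empty default means, and that default is itself a behaviour change: with public TLS enabled, clouds.yaml previously received `/etc/ipa/ca.crt` (the removed `InternalTLSCAFile` default) and now receives nothing, so an out-of-tree environment that only set `InternalTLSCAFile` to point this output at a private CA silently loses it and its clients will fail verification of the public endpoint unless that CA is already in the system bundle. Consider spelling out the contract, e.g. `description: Path to the CA certificate written to clouds.yaml as the cacert for the Keystone public endpoint. An empty string means the system trust store is used; it does not disable verification. Set it when the public certificate is issued by a private CA.` Because this change also stops the enable-internal-tls environment from setting `InternalTLSCAFile`, it is worth confirming that every other template still declaring that parameter keeps the `/etc/ipa/ca.crt` default, otherwise internal-endpoint clients change behaviour as well (inferred; those templates are not in the diff). The `parameters:` section continues outside the hunk.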
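Review bot: In the second hunk the `cacert` value is now the empty string on both branches of the `if` whenever `PublicTLSCAFile` is left at its default, so the conditional no longer distinguishes public TLS on from off and the whole meaning of `''` is delegated to whatever consumes clouds.yaml. That is only safe if the consumer treats an empty `cacert` as unset and falls back to its default bundle; a client that passes the value straight through as a requests-style `verify` argument would treat `''` as false and turn certificate verification off, the opposite of the intent, so this deserves confirmation against the actual consumer rather than an assumption. A more robust shape is to omit the key when there is nothing to point at, e.g. `map_merge` of `{cacert: {get_param: PublicTLSCAFile}}` only under `public_tls_enabled` (and only when the parameter is non-empty), so clouds.yaml never carries an empty path. The `outputs:` mapping this sits in starts and ends outside the hunk.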
@@ -9,10 +9,6 @@ # A Heat environment file which can be used to enable TLS for the internal # network via certmonger parameter_defaults: - # Specifies the default CA cert to use if TLS is used for services in the internal network. - # Type: string - InternalTLSCAFile: /etc/ipa/ca.crt - # ****************************************************** # Static parameters - these are values that must be # included in the environment but should not be changed. diff --git a/environments/ssl/enable-tls.yaml b/environments/ssl/enable-tls.yaml index 0b727fd7ac..827eb7e571 100644 --- a/environments/ssl/enable-tls.yaml +++ b/environments/ssl/enable-tls.yaml @@ -14,9 +14,9 @@ parameter_defaults: # Type: boolean HorizonSecureCookies: True - # Specifies the default CA cert to use if TLS is used for services in the internal network. + # Specifies the default CA cert to use if TLS is used for services in the public network. # Type: string - InternalTLSCAFile: '' + PublicTLSCAFile: '' # The content of the SSL certificate (without Key) in PEM format. # Type: string diff --git a/releasenotes/notes/add-publictlscafile-parameter-0fd9c19dcd20be0b.yaml b/releasenotes/notes/add-publictlscafile-parameter-0fd9c19dcd20be0b.yaml new file mode 100644 index 0000000000..cb137d2b6a --- /dev/null +++ b/releasenotes/notes/add-publictlscafile-parameter-0fd9c19dcd20be0b.yaml @@ -0,0 +1,6 @@ +--- +features: + - Added new PublicTLSCAFile parameter, that is used to set the + ca cert in clouds.yaml for keystone public endpoint. This + defaults to empty string ('') assuming that the certs are + already trusted. diff --git a/sample-env-generator/ssl.yaml b/sample-env-generator/ssl.yaml index 19d7f8f52b..df64c92341 100644 --- a/sample-env-generator/ssl.yaml +++ b/sample-env-generator/ssl.yaml 
@@ -14,7 +14,7 @@ environments: - HorizonSecureCookies deployment/keystone/keystone-container-puppet.yaml: parameters: - - InternalTLSCAFile + - PublicTLSCAFile static: # This should probably be private, but for testing static params I'm # setting it as such for now. @@ -27,7 +27,7 @@ environments: | The contents of the private key go here HorizonSecureCookies: True - InternalTLSCAFile: '' + PublicTLSCAFile: '' - name: ssl/enable-internal-tls title: Enable SSL on OpenStack Internal Endpoints @@ -38,9 +38,6 @@ environments: common/post.yaml: parameters: - EnableInternalTLS - deployment/keystone/keystone-container-puppet.yaml: - parameters: - - InternalTLSCAFile deployment/nova/nova-base-puppet.yaml: parameters: - RpcUseSSL @@ -57,7 +54,6 @@ environments: - ServerMetadata sample_values: EnableInternalTLS: True - InternalTLSCAFile: /etc/ipa/ca.crt RpcUseSSL: True NotifyUseSSL: True ServerMetadata: |-2