diff --git a/deployment/nova/nova-libvirt-container-puppet.yaml b/deployment/nova/nova-libvirt-container-puppet.yaml
index 35c6eedd95..0994bf7bd3 100644
--- a/deployment/nova/nova-libvirt-container-puppet.yaml
+++ b/deployment/nova/nova-libvirt-container-puppet.yaml
@@ -238,6 +238,13 @@ parameters:
 description: The password for the libvirt service when TLS is enabled
 type: string
 hidden: true
+ QemuDefaultTLSVerify:
+ description: >
+ Whether to enable or disable TLS client certificate verification. Enabling this
+ option will reject any client who does not have a certificate signed by the CA
+ in /etc/pki/qemu/ca-cert.pem
+ default: true
+ type: boolean
 LibvirtLogFilters:
 description: Defines a filter in libvirt daemon to select a different logging level for a given category log outputs, as specified
@@ -440,6 +447,7 @@ outputs:
 generate_service_certificates: true
 tripleo::profile::base::nova::migration::client::libvirt_tls: true
 tripleo::profile::base::nova::libvirt::tls_password: {get_param: [LibvirtTLSPassword]}
+ nova::compute::libvirt::qemu::default_tls_verify: {get_param: QemuDefaultTLSVerify}
 nova::compute::libvirt::tls_priority: {get_param: LibvirtTLSPriority}
 nova::migration::libvirt::listen_address:
 str_replace:
@@ -753,6 +761,8 @@ outputs:
 - get_param: LibvirtNbdCACert
 - /etc/pki/qemu/server-cert.pem:/etc/pki/qemu/server-cert.pem:ro
 - /etc/pki/qemu/server-key.pem:/etc/pki/qemu/server-key.pem:ro
+ - /etc/pki/qemu/server-cert.pem:/etc/pki/qemu/client-cert.pem:ro
+ - /etc/pki/qemu/server-key.pem:/etc/pki/qemu/client-key.pem:ro
 - null
 - if:
diff --git a/releasenotes/notes/introducing-qemutlsverify-af590e0243fe6b08.yaml b/releasenotes/notes/introducing-qemutlsverify-af590e0243fe6b08.yaml
new file mode 100644
index 0000000000..db13663a0d
--- /dev/null
+++ b/releasenotes/notes/introducing-qemutlsverify-af590e0243fe6b08.yaml
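Review bot: The `QemuDefaultTLSVerify` description in the first hunk only states what enabling the option does; it should also spell out what `false` means, because that is the value operators will reach for when certificate problems appear. Read against the description itself, disabling verification means a peer is no longer rejected for lacking a certificate signed by the CA in /etc/pki/qemu/ca-cert.pem, so only the server side is authenticated and any peer that completes the TLS handshake is accepted. Suggest appending to the folded description: `Disabling it removes client authentication from the qemu TLS endpoint; any peer that completes the TLS handshake is accepted. Keep it enabled unless client certificates are known not to chain to this CA.` The release note in this commit says the intent is to flip the default to false later; that plan should be weighed against this loss of peer authentication, and the description is where operators will look for it.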
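Review bot: The two bind mounts added in the third hunk expose the server certificate and private key a second time under the client-cert.pem and client-key.pem names, so the qemu client identity is the server key pair rather than a dedicated client credential. Against a peer that leaves `QemuDefaultTLSVerify` at its default of true, that only works if the server certificate is also valid for client authentication; a certificate whose extended key usage lacks clientAuth is rejected at exactly the verification step this commit makes configurable, which may be what motivates the release note's plan to disable verification by default. A comment above the new lines would keep that coupling visible to the next maintainer: `# No separate client keypair: the server cert/key double as the qemu client identity, so the cert must be valid for clientAuth or peer verification (QemuDefaultTLSVerify) fails`. The conditional list these mounts belong to starts before this hunk.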
@@ -0,0 +1,9 @@
+---
+features:
+ - |
+ `QemuDefaultTLSVerify` will allow operators to enable or disable TLS client
+ certificate verification. Enabling this option will reject any client
+ who does not have a certificate signed by the CA in
+ /etc/pki/qemu/ca-cert.pem.
+ The default is true and matches libvirt's. We will want to disable this
+ by default in train.