diff --git a/extraconfig/post_deploy/undercloud_post.sh b/extraconfig/post_deploy/undercloud_post.sh
index 8f380eead4..bd5a6402a1 100755
--- a/extraconfig/post_deploy/undercloud_post.sh
+++ b/extraconfig/post_deploy/undercloud_post.sh
@@ -29,6 +29,12 @@ export OS_PROJECT_DOMAIN_NAME='Default'
 export OS_USER_DOMAIN_NAME='Default'
 EOF_CAT
 
+if [ -n "$internal_tls_ca_file" ]; then
+    cat >> $HOMEDIR/stackrc <<-EOF_CAT
+export OS_CACERT="$internal_tls_ca_file"
+EOF_CAT
+fi
+
 cat >> $HOMEDIR/stackrc <<-"EOF_CAT"
 # Add OS_CLOUDNAME to PS1
 if [ -z "${CLOUDPROMPT_ENABLED:-}" ]; then
diff --git a/extraconfig/post_deploy/undercloud_post.yaml b/extraconfig/post_deploy/undercloud_post.yaml
index 31305e8a50..2c55b6b562 100644
--- a/extraconfig/post_deploy/undercloud_post.yaml
+++ b/extraconfig/post_deploy/undercloud_post.yaml
@@ -28,6 +28,11 @@ parameters:
     description: >
       Whether the public SSL certificate was autogenerated or not.
     type: boolean
+  InternalTLSCAFile:
+    default: '/etc/ipa/ca.crt'
+    type: string
+    description: Specifies the default CA cert to use if TLS is used for
+                 services in the internal network.
   SnmpdReadonlyUserPassword:
     description: The user password for SNMPd with readonly rights running on all Overcloud nodes
     type: string
@@ -90,6 +95,7 @@ resources:
         - name: auth_url
         - name: snmp_readonly_user_password
         - name: enable_validations
+        - name: internal_tls_ca_file
       config: {get_file: ./undercloud_post.sh}
 
   UndercloudPostDeployment:
@@ -104,6 +110,11 @@ resources:
         admin_password: {get_param: AdminPassword}
         snmp_readonly_user_password: {get_param: SnmpdReadonlyUserPassword}
         enable_validations: [get_params: EnableValidations]
+        internal_tls_ca_file:
+          if:
+          - tls_enabled
+          - {get_param: InternalTLSCAFile}
+          - ''
         # if SSL is enabled we use the public virtual ip as the stackrc endpoint
         auth_url:
           if: