diff --git a/environments/ssl/enable-internal-tls.j2.yaml b/environments/ssl/enable-internal-tls.j2.yaml
index 1bec0f14e2..6ccc578cac 100644
--- a/environments/ssl/enable-internal-tls.j2.yaml
+++ b/environments/ssl/enable-internal-tls.j2.yaml
@@ -9,6 +9,10 @@
 # A Heat environment file which can be used to enable TLS for the internal
 # network via certmonger
 parameter_defaults:
+ # Specifies the default CA cert to use if TLS is used for services in the internal network.
+ # Type: string
+ InternalTLSCAFile: /etc/ipa/ca.crt
+
 # ******************************************************
 # Static parameters - these are values that must be
 # included in the environment but should not be changed.
diff --git a/environments/ssl/enable-tls.yaml b/environments/ssl/enable-tls.yaml
index 7b8535e244..07e3ddf911 100644
--- a/environments/ssl/enable-tls.yaml
+++ b/environments/ssl/enable-tls.yaml
@@ -14,6 +14,10 @@ parameter_defaults:
 # Type: boolean
 HorizonSecureCookies: True
+ # Specifies the default CA cert to use if TLS is used for services in the internal network.
+ # Type: string
+ InternalTLSCAFile: /etc/pki/ca-trust/source/anchors/overcloud-cacert.pem
+
 # The content of the SSL certificate (without Key) in PEM format.
 # Type: string
 SSLCertificate: |
diff --git a/sample-env-generator/ssl.yaml b/sample-env-generator/ssl.yaml
index ac61a33ab2..29437b4eaf 100644
--- a/sample-env-generator/ssl.yaml
+++ b/sample-env-generator/ssl.yaml
@@ -12,6 +12,9 @@ environments:
 deployment/horizon/horizon-container-puppet.yaml:
 parameters:
 - HorizonSecureCookies
+ deployment/keystone/keystone-container-puppet.yaml:
+ parameters:
+ - InternalTLSCAFile
 static:
 # This should probably be private, but for testing static params I'm
 # setting it as such for now.
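Review bot: The same parameter is given two different defaults in two environments that are routinely combined — `InternalTLSCAFile: /etc/pki/ca-trust/source/anchors/overcloud-cacert.pem` for `ssl/enable-tls` (the enable-tls.yaml hunk and the keystone entry added in the sample-env-generator hunk here, plus the first sample_values hunk on the next line) versus `InternalTLSCAFile: /etc/ipa/ca.crt` for `ssl/enable-internal-tls` (the enable-internal-tls.j2.yaml hunk here and the last sample_values hunk on the next line). Heat resolves duplicate parameter_defaults by environment order, so the CA bundle keystone ends up trusting depends on which `-e` is passed last, and a mismatch presumably only surfaces as a TLS verification failure at deploy time. Since the parameter's description says it is for services on the internal network, consider either dropping the keystone `InternalTLSCAFile` entry from the `ssl/enable-tls` generator stanza or adding to the generated comment `# Must be the CA that signed the certmonger-issued internal certificates; when combined with enable-internal-tls the environment listed last wins.` The description text itself comes from the keystone template, which is outside this diff.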
@@ -24,6 +27,7 @@ environments:
 | The contents of the private key go here
 HorizonSecureCookies: True
+ InternalTLSCAFile: /etc/pki/ca-trust/source/anchors/overcloud-cacert.pem
 - name: ssl/enable-internal-tls
 title: Enable SSL on OpenStack Internal Endpoints
@@ -34,6 +38,9 @@ environments:
 common/post.yaml:
 parameters:
 - EnableInternalTLS
+ deployment/keystone/keystone-container-puppet.yaml:
+ parameters:
+ - InternalTLSCAFile
 deployment/nova/nova-base-puppet.yaml:
 parameters:
 - RpcUseSSL
@@ -50,6 +57,7 @@ environments:
 - ServerMetadata
 sample_values:
 EnableInternalTLS: True
+ InternalTLSCAFile: /etc/ipa/ca.crt
 RpcUseSSL: True
 NotifyUseSSL: True
 ServerMetadata: |-2