diff --git a/tasks/upgrade/undercloud_ssl_camap.yaml b/tasks/upgrade/undercloud_ssl_camap.yaml
index 587a48a4..267386f3 100644
--- a/tasks/upgrade/undercloud_ssl_camap.yaml
+++ b/tasks/upgrade/undercloud_ssl_camap.yaml
@@ -19,16 +19,62 @@
 ignore_errors: True
 - block:
- - name: register ssl certificate location
+ #
+ # SSL is enabled on uc by default, so here is a way how ssl cert path is resolved
+ # 1. If undercloud_service_certificate configured in undercloud.conf
+ # use it
+ # 2. Check if generate_service_certificate is specified and set to 'true' in undercloud.conf
+ # or not present in undercloud.conf (defaults to 'true')
+ # 3. Find autogenerated file in format: /etc/pki/tls/certs/undercloud-[undercloud_public_host].pem
+ #
+ - name: get ssl certificate location from undercloud.conf
 shell: |
- grep 13000 /etc/haproxy/haproxy.cfg | awk {'print $6'}
- become: true
- become_user: root
- register: undercloudcert
+ awk -F '=' '/^[[:space:]]*undercloud_service_certificate/ {gsub(/[[:space:]]/, "", $2); print $2}' {{ undercloud_conf }}
+ register: uc_undercloud_service_certificate
+ changed_when: uc_undercloud_service_certificate.stdout|length > 0
+
+ - name: get generate_service_certificate option from undercloud.conf
+ shell: |
+ awk -F '=' '/^[[:space:]]*generate_service_certificate/ {gsub(/[[:space:]]/, "", $2) ; print tolower($2)}' {{ undercloud_conf}}
+ register: uc_generate_service_certificate
+ changed_when: uc_generate_service_certificate.stdout|length > 0
+
+ - name: get undercloud_public_host option from undercloud.conf
+ shell: |
+ awk -F '=' '/^[[:space:]]*undercloud_public_host/ {gsub(/[[:space:]]/, "", $2) ; print $2}' {{ undercloud_conf}}
+ register: uc_undercloud_public_host
+ changed_when: uc_undercloud_public_host.stdout|length > 0
+
+ - name: get undercloud_public_vip option from undercloud.conf
+ # undercloud_public_vip is deprecated name of undercloud_public_host
+ shell: |
+ awk -F '=' '/^[[:space:]]*undercloud_public_vip/ {gsub(/[[:space:]]/, "", $2) ; print $2}' {{ undercloud_conf}}
+ register: uc_undercloud_public_vip
+ changed_when: uc_undercloud_public_vip.stdout|length > 0
+
+ - name: find autogenerated SSL cert
+ vars:
+ uc_ssl_part: "{{ 
uc_undercloud_public_host.stdout if uc_undercloud_public_host.stdout|length > 0 else uc_undercloud_public_vip.stdout }}"
+ find:
+ path: /etc/pki/tls/certs/
+ patterns: 'undercloud-{{uc_ssl_part}}*.pem$'
+ use_regex: true
+ register: autogenerated_ssl_cert
+
+ - name: fail if SSL cert for undercloud not found
+ fail:
+ msg: cannot determine SSL cert for undercloud
+ when:
+ - uc_undercloud_service_certificate.stdout|length == 0
+ - autogenerated_ssl_cert.files|length == 0
+
+ - name: set undercloud ssl cert fact
+ set_fact:
+ undercloud_cert: "{{ uc_undercloud_service_certificate.stdout if uc_undercloud_service_certificate.stdout else autogenerated_ssl_cert.files[0].path }}"
 - name: make a local copy of the certificate
 copy:
- src: "{{ undercloudcert.stdout }}"
+ src: "{{ undercloud_cert }}"
 dest: "{{ working_dir }}/undercloud.pem"
 owner: stack
 remote_src: true
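Review bot: The `find` task's `patterns: 'undercloud-{{uc_ssl_part}}*.pem$'` is evaluated as a regex because of `use_regex: true`, so `*` makes the last character of the host name optional and the `.` before `pem` is a wildcard rather than a literal dot; it matches the intended file only by accident and also accepts names such as `undercloud-hos.pem` or `undercloud-hostXpem`. Either drop `use_regex: true` and keep the glob, or anchor and escape the interpolated host: `patterns: '^undercloud-{{ uc_ssl_part | regex_escape }}.*\.pem$'`. `uc_generate_service_certificate` is registered but never read by the `find`, `fail` or `set_fact` tasks, so step 2 of the header comment is not implemented; either fold it into the `fail` condition or remove that task and the comment line. The four awk lookups only read `undercloud.conf`, so `changed_when: false` is the right setting instead of reporting a change whenever the option is present, and `{{ undercloud_conf }}` should be quoted on the awk command line (the `{{ undercloud_conf}}` spacing is also inconsistent across the tasks). The `copy` task that now takes `src: "{{ undercloud_cert }}"` sets `owner: stack` but no `mode`; if that PEM also carries the private key (confirm for this deployment's service-certificate format), add `mode: '0600'` so the working-directory copy does not fall back to the default umask.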