diff --git a/fuel_ccp_entrypoint/start_script.py b/fuel_ccp_entrypoint/start_script.py
index 0f32aa1..d9917c1 100644
--- a/fuel_ccp_entrypoint/start_script.py
+++ b/fuel_ccp_entrypoint/start_script.py
@@ -178,8 +178,10 @@ def openstackclient_preexec_fn():
 os.environ["OS_PASSWORD"] = VARIABLES['openstack']['user_password']
 os.environ["OS_USERNAME"] = VARIABLES['openstack']['user_name']
 os.environ["OS_PROJECT_NAME"] = VARIABLES['openstack']['project_name']
- os.environ["OS_AUTH_URL"] = 'http://%s/v3' % address(
- 'keystone', VARIABLES['keystone']['admin_port'])
+ if VARIABLES['security']['tls']['openstack']['enabled']:
+ os.environ["OS_CACERT"] = CACERT
+ os.environ["OS_AUTH_URL"] = '%s/v3' % address(
+ 'keystone', VARIABLES['keystone']['admin_port'], with_scheme=True)
 return result
@@ -215,7 +217,17 @@ def get_ingress_host(ingress_name):
 def address(service, port=None, external=False, with_scheme=False):
 addr = None
- scheme = 'http'
+ service_name = service.split('-')[0]
+ TLS_SERVICES = ('keystone', 'glance', 'cinder', 'horizon', 'nova',
+ 'neutron', 'heat')
+ openstack_tls = VARIABLES['security']['tls']['openstack']['enabled']
+ etcd_tls = VARIABLES['etcd']['tls']['enabled']
+
+ if ((openstack_tls and service_name in TLS_SERVICES) or
+ (etcd_tls and service_name == 'etcd')):
+ scheme = 'https'
+ else:
+ scheme = 'http'
 if external:
 if not port:
 raise RuntimeError('Port config is required for external address')
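Review bot: The TLS flag is read with bare indexing, `VARIABLES['security']['tls']['openstack']['enabled']`, in this hunk and again in `address()` and `run_probe()`, so a configuration rendered without the new `openstack` key fails with a bare `KeyError`. Here that would apparently surface inside the callable returned by `openstackclient_preexec_fn`, whose body starts above the hunk, which makes the failure hard to trace. A single module-level accessor that reads the flag once and raises a `RuntimeError` naming the missing key would keep the error readable. Defaulting the lookup to `False` is not a good substitute, because it would quietly select plain `http` and skip `OS_CACERT`.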
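Review bot: In `address()`, any service whose name prefix is missing from the hard-coded `TLS_SERVICES` tuple silently resolves to `http` even when `security.tls.openstack.enabled` is true, and nothing in the code records that this is intended. The tuple is also rebuilt on every call inside the function; a module-level constant with a comment such as `# services served over TLS when security.tls.openstack.enabled is set; every other name resolves to plain http` would make the allowlist visible to whoever adds the next service. Matching on `service.split('-')[0]` classifies a name by the text before its first hyphen only, which deserves a mention in the same comment. The function body continues past the end of the hunk.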
@@ -516,11 +528,19 @@ def run_probe(probe):
 if probe["type"] == "exec":
 run_cmd(probe["command"])
 elif probe["type"] == "httpGet":
- url = "http://{}:{}{}".format(
+ if VARIABLES['security']['tls']['openstack']['enabled']:
+ scheme = 'https'
+ # disable SSL check for probe request
+ verify = False
+ else:
+ scheme = 'http'
+ verify = True
+ url = "{}://{}:{}{}".format(
+ scheme,
 VARIABLES["network_topology"]["private"]["address"],
 probe["port"],
 probe.get("path", "/"))
- resp = requests.get(url)
+ resp = requests.get(url, verify=verify)
 resp.raise_for_status()
diff --git a/fuel_ccp_entrypoint/tests/test_fuel_ccp_entrypoint.py b/fuel_ccp_entrypoint/tests/test_fuel_ccp_entrypoint.py
index e117579..03a5d70 100644
--- a/fuel_ccp_entrypoint/tests/test_fuel_ccp_entrypoint.py
+++ b/fuel_ccp_entrypoint/tests/test_fuel_ccp_entrypoint.py
@@ -172,10 +172,16 @@ class TestGetETCDClient(base.TestCase):
 },
 "connection_attempts": 3,
 "connection_delay": 0,
+ "tls": {
+ "enabled": True,
+ }
 },
 "security": {
 "tls": {
- "enabled": False
+ "enabled": False,
+ "openstack": {
+ "enabled": False
+ }
 }
 }
 }
@@ -202,10 +208,16 @@ class TestGetETCDClient(base.TestCase):
 },
 "connection_attempts": 3,
 "connection_delay": 0,
+ "tls": {
+ "enabled": True,
+ }
 },
 "security": {
 "tls": {
- "enabled": True
+ "enabled": True,
+ "openstack": {
+ "enabled": True
+ }
 }
 }
 }
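Review bot: In `run_probe` (start_script.py), `verify = False` turns off certificate-chain and hostname validation for every `httpGet` probe whenever OpenStack TLS is enabled, and the comment `# disable SSL check for probe request` does not say why that is acceptable. If the reason is that the probe targets the container's own private address, which the service certificate presumably does not name, the comment should say so and state that the exemption covers this request only. Where the certificate does cover that address, `verify = CACERT` (the name already used for `OS_CACERT` in the first hunk) would keep validation on. The scheme here also follows the global flag rather than the `TLS_SERVICES` list used by `address()`, so a probe for a service outside that list would be sent over `https`. `run_probe` starts above the hunk, so how probes for such services are configured cannot be seen from here.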