diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index 7834e5ddfede123eb484f32015a94a8808195f22..52fb06f526cc8221ad571334089b6353b36402e0 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -322,6 +322,7 @@ haproxy_user: "openstack"
 haproxy_enable_external_vip: "{{ 'no' if kolla_external_vip_address == kolla_internal_vip_address else 'yes' }}"
 kolla_enable_tls_external: "no"
 kolla_external_fqdn_cert: "{{ node_config_directory }}/certificates/haproxy.pem"
+kolla_external_fqdn_cacert: "{{ node_config_directory }}/certificates/haproxy-ca.crt"
 
 
 ####################
diff --git a/ansible/roles/common/templates/admin-openrc.sh.j2 b/ansible/roles/common/templates/admin-openrc.sh.j2
index 7b5a3939ba3965e7fefd8ac03d1bd67c08880168..ef3890043e8ef3387af37829c7962df60468979c 100644
--- a/ansible/roles/common/templates/admin-openrc.sh.j2
+++ b/ansible/roles/common/templates/admin-openrc.sh.j2
@@ -6,3 +6,6 @@ export OS_USERNAME=admin
 export OS_PASSWORD={{ keystone_admin_password }}
 export OS_AUTH_URL={{ admin_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_admin_port }}/v3
 export OS_IDENTITY_API_VERSION=3
+{% if kolla_enable_tls_external | bool and kolla_external_fqdn_cacert %}
+export OS_CACERT={{ kolla_external_fqdn_cacert }}
+{% endif %}