diff --git a/playbooks/roles/bifrost-ironic-install/defaults/main.yml b/playbooks/roles/bifrost-ironic-install/defaults/main.yml
index d38274584..e78330e65 100644
--- a/playbooks/roles/bifrost-ironic-install/defaults/main.yml
+++ b/playbooks/roles/bifrost-ironic-install/defaults/main.yml
@@ -20,11 +20,18 @@ ci_testing: false
 network_interface: "virbr0"
 ans_network_interface: "{{ network_interface | replace('-', '_') }}"
 
+# Normally this would setting would be http in a bifrost installation
+# without TLS. This setting allows a user to override the setting in case
+# the local webserver has been updated to support HTTPS.
+# Note: Users wishing to leverage HTTPS should reference the iPXE
+# documentation at http://ipxe.org/crypto
+ipa_file_protocol: "http"
+
 ipa_kernel: "{{http_boot_folder}}/ipa.vmlinuz"
 ipa_ramdisk: "{{http_boot_folder}}/ipa.initramfs"
-ipa_kernel_url: "http://{{ hostvars[inventory_hostname]['ansible_' + ans_network_interface]['ipv4']['address'] }}:{{nginx_port}}/ipa.vmlinuz"
+ipa_kernel_url: "{{ ipa_file_protocol }}://{{ hostvars[inventory_hostname]['ansible_' + ans_network_interface]['ipv4']['address'] }}:{{nginx_port}}/ipa.vmlinuz"
 ipa_kernel_upstream_url: http://tarballs.openstack.org/ironic-python-agent/coreos/files/coreos_production_pxe.vmlinuz
-ipa_ramdisk_url: "http://{{ hostvars[inventory_hostname]['ansible_' + ans_network_interface]['ipv4']['address'] }}:{{nginx_port}}/ipa.initramfs"
+ipa_ramdisk_url: "{{ ipa_file_protocol }}://{{ hostvars[inventory_hostname]['ansible_' + ans_network_interface]['ipv4']['address'] }}:{{nginx_port}}/ipa.initramfs"
 ipa_ramdisk_upstream_url: http://tarballs.openstack.org/ironic-python-agent/coreos/files/coreos_production_pxe_image-oem.cpio.gz
 deploy_image_filename: "deployment_image.qcow2"
 deploy_image: "{{http_boot_folder}}/{{deploy_image_filename}}"
diff --git a/playbooks/roles/ironic-enroll-dynamic/README.md b/playbooks/roles/ironic-enroll-dynamic/README.md
index d95fbaf95..a9570f442 100644
--- a/playbooks/roles/ironic-enroll-dynamic/README.md
+++ b/playbooks/roles/ironic-enroll-dynamic/README.md
@@ -26,6 +26,13 @@ ipa_ramdisk: The ramdisk url, image id, or file representing the ramdisk
              image to utilize to deploy this node. This should be the ramdisk
              used for the Ironic Python Agent.
 
+ipa_file_protocol: The protocol to utilize to access IPA files. The default is
+                   to utilize HTTP in generated HTTP URLs for bifrost, however
+                   this setting allows a user to change that default if they
+                   they have a modified local webserver configuration.
+                   Do note, that a user wishing to utilize HTTPS may wish to
+                   review the iPXE documentation: http://ipxe.org/crypto
+
 This role expects a data structure similar to the one below, however it should
 be understood that the individual entries under power can vary based on power
 driver required.
diff --git a/playbooks/roles/ironic-enroll-dynamic/defaults/main.yml b/playbooks/roles/ironic-enroll-dynamic/defaults/main.yml
index fdaa3a983..445f7c90a 100644
--- a/playbooks/roles/ironic-enroll-dynamic/defaults/main.yml
+++ b/playbooks/roles/ironic-enroll-dynamic/defaults/main.yml
@@ -6,5 +6,12 @@ nginx_port: 8080
 network_interface: "virbr0"
 ans_network_interface: "{{ network_interface | replace('-', '_') }}"
 
-ipa_kernel_url: "http://{{ hostvars[inventory_hostname]['ansible_' + ans_network_interface]['ipv4']['address'] }}:{{nginx_port}}/ipa.vmlinuz"
-ipa_ramdisk_url: "http://{{ hostvars[inventory_hostname]['ansible_' + ans_network_interface]['ipv4']['address'] }}:{{nginx_port}}/ipa.initramfs"
+# Normally this would setting would be http in a bifrost installation
+# without TLS. This setting allows a user to override the setting in case
+# the local webserver has been updated to support HTTPS.
+# Note: Users wishing to leverage HTTPS should reference the iPXE
+# documentation at http://ipxe.org/crypto
+ipa_file_protocol: "http"
+
+ipa_kernel_url: "{{ ipa_file_protocol }}://{{ hostvars[inventory_hostname]['ansible_' + ans_network_interface]['ipv4']['address'] }}:{{nginx_port}}/ipa.vmlinuz"
+ipa_ramdisk_url: "{{ ipa_file_protocol }}://{{ hostvars[inventory_hostname]['ansible_' + ans_network_interface]['ipv4']['address'] }}:{{nginx_port}}/ipa.initramfs"
diff --git a/releasenotes/notes/generated-ipa-url-protocol-1a5a2bfc8e20db9b.yaml b/releasenotes/notes/generated-ipa-url-protocol-1a5a2bfc8e20db9b.yaml
new file mode 100644
index 000000000..7925479aa
--- /dev/null
+++ b/releasenotes/notes/generated-ipa-url-protocol-1a5a2bfc8e20db9b.yaml
@@ -0,0 +1,8 @@
+---
+features:
+  - Bifrost traditionally utilized a generated HTTP URL to
+    point ironic to the location of IPA, which is utilized
+    for the boot sequence of machines. A user may now override
+    that default and explicitly choose https if their
+    environment has been pre-configured such that HTTPS
+    support is in place.