diff --git a/ansible/roles/senlin/templates/senlin.conf.j2 b/ansible/roles/senlin/templates/senlin.conf.j2
index 8d5e7465c3..0af30c982a 100644
--- a/ansible/roles/senlin/templates/senlin.conf.j2
+++ b/ansible/roles/senlin/templates/senlin.conf.j2
@@ -14,6 +14,7 @@ workers = {{ senlin_api_workers }}
 
 [authentication]
 auth_url = {{ keystone_internal_url }}
+cafile = {{ openstack_cacert }}
 service_username = {{ senlin_keystone_user }}
 service_password = {{ senlin_keystone_password }}
 service_project_name = service
diff --git a/releasenotes/notes/senlin-authentication-cafile-4fe5e2f79769c872.yaml b/releasenotes/notes/senlin-authentication-cafile-4fe5e2f79769c872.yaml
new file mode 100644
index 0000000000..54dfa7b3f5
--- /dev/null
+++ b/releasenotes/notes/senlin-authentication-cafile-4fe5e2f79769c872.yaml
@@ -0,0 +1,7 @@
+---
+features:
+  - |
+    In the configuration template of the Senlin service the ``cafile``
+    parameter is now set by default in the ``authentication`` section.
+    This way the use of self-signed certificates on the internal Keystone
+    endpoint is also usable in the Senlin service.