diff --git a/defaults/main.yml b/defaults/main.yml
index 327c5853..3f6568b7 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -93,12 +93,16 @@ keystone_bind_address: 0.0.0.0
 keystone_memcached_servers: 127.0.0.1
 keystone_memcached_max_compare_and_set_retry: 16
 
-## DB info
+## Database info
+keystone_database_connection_string: >-
+  mysql+pymysql://{{ keystone_galera_user }}:{{ keystone_container_mysql_password }}@{{ keystone_galera_address }}/{{ keystone_galera_database }}?charset=utf8{% if keystone_galera_use_ssl | bool %}&ssl_ca={{ keystone_galera_ssl_ca_cert }}{% endif %}
 keystone_galera_user: keystone
 keystone_galera_database: keystone
+## Database SSL
+keystone_galera_use_ssl: "{{ galera_use_ssl | default(False) }}"
+keystone_galera_ssl_ca_cert: "{{ galera_ssl_ca_cert | default('/etc/ssl/certs/galera-ca.pem') }}"
 # Database tuning
 keystone_database_enabled: true
-keystone_database_connection_string: mysql+pymysql://{{ keystone_galera_user }}:{{ keystone_container_mysql_password }}@{{ keystone_galera_address }}/{{ keystone_galera_database }}?charset=utf8
 keystone_database_idle_timeout: 200
 keystone_database_min_pool_size: 5
 keystone_database_max_pool_size: 120
diff --git a/tox.ini b/tox.ini
index 320ae09b..53b0fd37 100644
--- a/tox.ini
+++ b/tox.ini
@@ -126,6 +126,17 @@ commands =
     bash -c "{toxinidir}/tests/common/test-ansible-functional.sh"
 
 
+[testenv:ssl]
+deps =
+    {[testenv:ansible]deps}
+setenv =
+    {[testenv]setenv}
+    ANSIBLE_PARAMETERS=-vvv -e galera_use_ssl=True
+commands =
+    bash -c "{toxinidir}/tests/tests-repo-clone.sh"
+    bash -c "{toxinidir}/tests/common/test-ansible-functional.sh"
+
+
 [testenv:linters]
 deps =
     {[testenv:ansible]deps}
diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml
index f544563d..7ac8729f 100644
--- a/zuul.d/jobs.yaml
+++ b/zuul.d/jobs.yaml
@@ -29,3 +29,10 @@
     parent: openstack-ansible-uw_apache
     voting: false
     nodeset: centos-7
+
+- job:
+    name: openstack-ansible-keystone-ssl-nv
+    parent: openstack-ansible-functional-ubuntu-xenial
+    voting: false
+    vars:
+      tox_env: ssl
diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml
index 51c4c477..6d33cc22 100644
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
@@ -24,6 +24,7 @@
         - openstack-ansible-upgrade-ubuntu-xenial
         - openstack-ansible-uw_apache-centos-7-nv
         - openstack-ansible-uw_apache-ubuntu-xenial
+        - openstack-ansible-keystone-ssl-nv
     experimental:
       jobs:
         - openstack-ansible-integrated-deploy-aio
@@ -35,3 +36,4 @@
         - openstack-ansible-functional-ubuntu-xenial
         - openstack-ansible-upgrade-ubuntu-xenial
         - openstack-ansible-uw_apache-ubuntu-xenial
+        - openstack-ansible-keystone-ssl-nv