diff --git a/ironic/common/json_rpc/client.py b/ironic/common/json_rpc/client.py
index c4671a5c73..5880dfba82 100644
--- a/ironic/common/json_rpc/client.py
+++ b/ironic/common/json_rpc/client.py
@@ -198,7 +198,7 @@ class _CallContext(object):
 or uuidutils.generate_uuid())
 scheme = 'http'
- if CONF.json_rpc.use_ssl:
+ if CONF.json_rpc.client_use_ssl or CONF.json_rpc.use_ssl:
 scheme = 'https'
 url = '%s://%s:%d' % (scheme,
 netutils.escape_ipv6(self.host),
diff --git a/ironic/conf/json_rpc.py b/ironic/conf/json_rpc.py
index b3f8e06b93..81b39adba9 100644
--- a/ironic/conf/json_rpc.py
+++ b/ironic/conf/json_rpc.py
@@ -43,6 +43,12 @@ opts = [
 cfg.BoolOpt('use_ssl',
 default=False,
 help=_('Whether to use TLS for JSON RPC')),
+ cfg.BoolOpt('client_use_ssl',
+ default=False,
+ help=_('Set to True for force TLS connections in the client '
+ 'even if use_ssl is set to False. Only makes sense '
+ 'if server-side TLS is provided outside of Ironic '
+ '(e.g. with httpd acting as a reverse proxy).')),
 cfg.StrOpt('http_basic_username',
 deprecated_for_removal=True,
 deprecated_reason=_("Use username instead"),
diff --git a/ironic/tests/unit/common/test_json_rpc.py b/ironic/tests/unit/common/test_json_rpc.py
index 41d0d57020..140e44388b 100644
--- a/ironic/tests/unit/common/test_json_rpc.py
+++ b/ironic/tests/unit/common/test_json_rpc.py
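Review bot: The scheme condition in `_CallContext` (ironic/common/json_rpc/client.py) now depends on two options, and nothing at the `if` explains why the client needs its own switch. A one-line comment such as `# client_use_ssl: TLS is terminated in front of the server (e.g. a reverse proxy), so use_ssl may be False` would save the next reader a trip to the option help. The change only selects `https` in the URL; whether the proxy's certificate is actually verified depends on how the session is built, which is outside this hunk and worth confirming for the proxy case. The enclosing method starts and ends outside the hunk.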
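Review bot: The help string for `client_use_ssl` in ironic/conf/json_rpc.py reads "Set to True for force TLS connections", which should be `help=_('Set to True to force TLS connections in the client '`. Operators will enable this option exactly when the JSON RPC server itself stays on plain HTTP behind a proxy. The help text could therefore add one sentence saying that the hop between the proxy and the server is presumably unencrypted in that setup, and that the client has to trust the proxy's certificate. The `opts` list continues outside the hunk.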
@@ -477,6 +477,24 @@ class TestClient(TestCase):
 'params': {'answer': 42, 'context': self.ctx_json},
 'id': self.context.request_id})
+ def test_call_with_client_ssl(self, mock_session):
+ self.config(use_ssl=False, client_use_ssl=True, group='json_rpc')
+ response = mock_session.return_value.post.return_value
+ response.json.return_value = {
+ 'jsonrpc': '2.0',
+ 'result': 42
+ }
+ cctx = self.client.prepare('foo.example.com')
+ self.assertEqual('example.com', cctx.host)
+ result = cctx.call(self.context, 'do_something', answer=42)
+ self.assertEqual(42, result)
+ mock_session.return_value.post.assert_called_once_with(
+ 'https://example.com:8089',
+ json={'jsonrpc': '2.0',
+ 'method': 'do_something',
+ 'params': {'answer': 42, 'context': self.ctx_json},
+ 'id': self.context.request_id})
+
 def test_cast_success(self, mock_session):
 cctx = self.client.prepare('foo.example.com')
 self.assertEqual('example.com', cctx.host)
diff --git a/releasenotes/notes/rpc-client-ssl-63b0d8ccaf88dae5.yaml b/releasenotes/notes/rpc-client-ssl-63b0d8ccaf88dae5.yaml
new file mode 100644
index 0000000000..65059e6833
--- /dev/null
+++ b/releasenotes/notes/rpc-client-ssl-63b0d8ccaf88dae5.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ Adds a new option ``[json_rpc]client_use_ssl``. It can be set to True in
+ situations where server-side TLS is handled by a reverse proxy, and thus
+ ``[json_rpc]use_ssl`` is set to False.
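Review bot: `test_call_with_client_ssl` in ironic/tests/unit/common/test_json_rpc.py pins only the `use_ssl=False, client_use_ssl=True` combination. The inverse combination is what keeps existing TLS deployments on `https` once the condition has two inputs, and a regression there would be a silent downgrade to plaintext. The preceding test is cut off by the hunk, so it may already cover this. If it does not, a sibling case using `self.config(use_ssl=True, client_use_ssl=False, group='json_rpc')` with the same `'https://example.com:8089'` assertion would lock that behaviour in.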