diff --git a/ansible/roles/haproxy/defaults/main.yml b/ansible/roles/haproxy/defaults/main.yml
index 9db1d9d03b..24cab906cc 100644
--- a/ansible/roles/haproxy/defaults/main.yml
+++ b/ansible/roles/haproxy/defaults/main.yml
@@ -75,3 +75,5 @@ haproxy_check_timeout: "10s"
 
 # Check http://www.haproxy.org/download/1.5/doc/configuration.txt for available options
 haproxy_defaults_balance: "roundrobin"
+
+kolla_externally_managed_cert: False
diff --git a/ansible/roles/haproxy/tasks/config.yml b/ansible/roles/haproxy/tasks/config.yml
index 5c82dbdb67..26946804d7 100644
--- a/ansible/roles/haproxy/tasks/config.yml
+++ b/ansible/roles/haproxy/tasks/config.yml
@@ -101,6 +101,7 @@
 become: true
 when:
 - kolla_enable_tls_external | bool
+ - not kolla_externally_managed_cert | bool
 - inventory_hostname in groups[service.group]
 - service.enabled | bool
 with_items:
@@ -118,6 +119,7 @@
 become: true
 when:
 - kolla_enable_tls_internal | bool
+ - not kolla_externally_managed_cert | bool
 - inventory_hostname in groups[service.group]
 - service.enabled | bool
 with_items:
diff --git a/ansible/roles/haproxy/tasks/precheck.yml b/ansible/roles/haproxy/tasks/precheck.yml
index d0c475f466..0590c7609a 100644
--- a/ansible/roles/haproxy/tasks/precheck.yml
+++ b/ansible/roles/haproxy/tasks/precheck.yml
@@ -46,7 +46,9 @@
 delegate_to: localhost
 register: haproxy_cert_file
 changed_when: false
- when: kolla_enable_tls_external | bool
+ when:
+ - kolla_enable_tls_external | bool
+ - not kolla_externally_managed_cert | bool
 
 - name: Fail if external haproxy certificate is absent
 run_once: true
@@ -55,6 +57,7 @@
 when:
 - kolla_enable_tls_external | bool
 - not haproxy_cert_file.stat.exists
+ - not kolla_externally_managed_cert | bool
 
 - name: Checking if internal haproxy certificate exists
 run_once: true
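Review bot: The new default `kolla_externally_managed_cert: False` is written with a capitalised boolean, which yamllint's truthy rule rejects and which differs from the lowercase `changed_when: false` visible in precheck.yml; the same spelling is repeated in the new `ansible/roles/service-cert-copy/defaults/main.yml`. Prefer `kolla_externally_managed_cert: false` in both places. The option is also undocumented where it is defined, unlike the neighbouring `haproxy_defaults_balance` key, so a one-line comment such as `# Set to true when TLS certificates are provisioned on the hosts outside kolla-ansible; skips the operator-side certificate copy and the related prechecks.` would tell an operator what the knob does. Declaring the same default independently in two roles invites drift; a single shared group_vars default would keep haproxy and service-cert-copy behaving consistently.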
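Review bot: In the `Fail if external haproxy certificate is absent` task the new `- not kolla_externally_managed_cert | bool` is appended after `- not haproxy_cert_file.stat.exists`, but Ansible evaluates a `when` list in order and stops at the first false item, so with `kolla_externally_managed_cert` set to true the stat task that registers `haproxy_cert_file` (its header is outside this hunk) has already been skipped, `haproxy_cert_file.stat` is undefined, and the conditional itself errors instead of skipping the task. Move the new item above `- not haproxy_cert_file.stat.exists` here, and likewise in the `Fail if internal haproxy certificate is absent` hunk (`@@ -72,6 +77,7 @@`), where `haproxy_internal_cert_file.stat.exists` has the same problem. Separately, with these prechecks skipped nothing verifies that an externally provisioned certificate actually exists on the target hosts, so a missing or misplaced file only surfaces when the haproxy container starts; a host-side `stat` of the expected certificate path (not shown in this diff) would keep the precheck meaningful for the externally managed case.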
@@ -63,7 +66,9 @@
 delegate_to: localhost
 register: haproxy_internal_cert_file
 changed_when: false
- when: kolla_enable_tls_internal | bool
+ when:
+ - kolla_enable_tls_internal | bool
+ - not kolla_externally_managed_cert | bool
 
 - name: Fail if internal haproxy certificate is absent
 run_once: true
@@ -72,6 +77,7 @@
 when:
 - kolla_enable_tls_internal | bool
 - not haproxy_internal_cert_file.stat.exists
+ - not kolla_externally_managed_cert | bool
 
 - name: Checking the kolla_external_vip_interface is present
 fail: "msg='Please check the kolla_external_vip_interface property - interface {{ kolla_external_vip_interface }} not found'"
diff --git a/ansible/roles/service-cert-copy/defaults/main.yml b/ansible/roles/service-cert-copy/defaults/main.yml
new file mode 100644
index 0000000000..0238b3c8f4
--- /dev/null
+++ b/ansible/roles/service-cert-copy/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+
+kolla_externally_managed_cert: False
diff --git a/ansible/roles/service-cert-copy/tasks/main.yml b/ansible/roles/service-cert-copy/tasks/main.yml
index c8af5d50a6..2e4b8be089 100644
--- a/ansible/roles/service-cert-copy/tasks/main.yml
+++ b/ansible/roles/service-cert-copy/tasks/main.yml
@@ -28,6 +28,7 @@
 - item.value.haproxy is defined
 - item.value.haproxy.values() | selectattr('enabled', 'defined') | map(attribute='enabled') | map('bool') | select | list | length > 0
 - item.value.haproxy.values() | selectattr('tls_backend', 'defined') | map(attribute='tls_backend') | map('bool') | select | list | length > 0
+ - not kolla_externally_managed_cert | bool
 with_dict: "{{ project_services | select_services_enabled_and_mapped_to_host }}"
 notify:
 - "Restart {{ item.key }} container"
@@ -49,6 +50,7 @@
 - item.value.haproxy is defined
 - item.value.haproxy.values() | selectattr('enabled', 'defined') | map(attribute='enabled') | map('bool') | select | list | length > 0
 - item.value.haproxy.values() | selectattr('tls_backend', 'defined') | map(attribute='tls_backend') | map('bool') | select | list | length > 0
+ - not kolla_externally_managed_cert | bool
 with_dict: "{{ project_services | select_services_enabled_and_mapped_to_host }}"
 notify:
 - "Restart {{ item.key }} container"
diff --git a/doc/source/admin/tls.rst b/doc/source/admin/tls.rst
index 2c0f7835f8..5a93b3cca5 100644
--- a/doc/source/admin/tls.rst
+++ b/doc/source/admin/tls.rst
@@ -322,3 +322,15 @@ The combined certificate and key file ``haproxy.pem`` (which is the default
 value for ``kolla_external_fqdn_cert``) will be generated and stored in the
 ``/etc/kolla/certificates/`` directory, and a copy of the CA certificate
 (``root.crt``) will be stored in the ``/etc/kolla/certificates/ca/`` directory.
+
+Generating your certificates without kolla-ansible
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+If you want to manage your TLS certificates outside kolla-ansible directly on
+your hosts, you can do it by setting ``kolla_externally_managed_cert`` to
+``true``. This will make kolla-ansible ignore any copy of certificate from
+the operator to kolla-ansible managed hosts and will keep other configuration
+options for TLS as is.
+
+If using this option, make sure that all certificates are present on the
+appropriate hosts in the appropriate location.
diff --git a/releasenotes/notes/external-tls-72d36e8aa0b6ccaf.yaml b/releasenotes/notes/external-tls-72d36e8aa0b6ccaf.yaml
new file mode 100644
index 0000000000..2a80aceea2
--- /dev/null
+++ b/releasenotes/notes/external-tls-72d36e8aa0b6ccaf.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ Add `kolla_externally_managed_cert` option to disable copy of certificates
+ from the operator host to kolla-ansible managed hosts.