diff --git a/ansible/roles/nova/defaults/main.yml b/ansible/roles/nova/defaults/main.yml
index c871c7bdc4..3c13a50a88 100644
--- a/ansible/roles/nova/defaults/main.yml
+++ b/ansible/roles/nova/defaults/main.yml
@@ -17,24 +17,28 @@ nova_services:
external: false
port: "{{ nova_api_port }}"
listen_port: "{{ nova_api_listen_port }}"
+ tls_backend: "{{ nova_enable_tls_backend }}"
nova_api_external:
enabled: "{{ enable_nova }}"
mode: "http"
external: true
port: "{{ nova_api_port }}"
listen_port: "{{ nova_api_listen_port }}"
+ tls_backend: "{{ nova_enable_tls_backend }}"
nova_metadata:
enabled: "{{ enable_nova }}"
mode: "http"
external: false
port: "{{ nova_metadata_port }}"
listen_port: "{{ nova_metadata_listen_port }}"
+ tls_backend: "{{ nova_enable_tls_backend }}"
nova_metadata_external:
enabled: "{{ enable_nova }}"
mode: "http"
external: true
port: "{{ nova_metadata_port }}"
listen_port: "{{ nova_metadata_listen_port }}"
+ tls_backend: "{{ nova_enable_tls_backend }}"
nova-scheduler:
container_name: "nova_scheduler"
group: "nova-scheduler"
@@ -190,3 +194,8 @@ nova_git_repository: "{{ kolla_dev_repos_git }}/{{ project_name }}"
nova_dev_repos_pull: "{{ kolla_dev_repos_pull }}"
nova_dev_mode: "{{ kolla_dev_mode }}"
nova_source_version: "{{ kolla_source_version }}"
+
+####################
+# TLS
+####################
+nova_enable_tls_backend: "{{ kolla_enable_tls_backend }}"
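Review bot: The new `nova_enable_tls_backend` default at the end of the hunk gets a section banner but no comment stating what it switches on, although it is the single knob the rest of this change hangs off. A one-line comment above it would help operators, e.g. `# When true, nova-api and nova-metadata serve HTTPS from the container (apache mod_ssl) and the nova_services entries are flagged with tls_backend (presumably consumed by the load-balancer config; verify).` The `tls_backend` entries themselves are added in the first hunk of this file.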
diff --git a/ansible/roles/nova/tasks/config.yml b/ansible/roles/nova/tasks/config.yml
index d077643d96..bfd41be697 100644
--- a/ansible/roles/nova/tasks/config.yml
+++ b/ansible/roles/nova/tasks/config.yml
@@ -33,7 +33,7 @@
- include_tasks: copy-certs.yml
when:
- - kolla_copy_ca_into_containers | bool
+ - kolla_copy_ca_into_containers | bool or nova_enable_tls_backend | bool
- name: Copying over config.json files for services
become: true
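Review bot: The widened condition now includes copy-certs.yml whenever `nova_enable_tls_backend` is set, but nothing in this diff shows copy-certs.yml staging the `nova-cert.pem` and `nova-key.pem` files that nova-api.json.j2 later lists under `{{ container_config_directory }}`; if that task only handles the CA bundle, the config-file copy at container start will likely fail on the missing files, so it is worth confirming. Precedence is fine as written, since `| bool` binds tighter than `or`, though `- (kolla_copy_ca_into_containers | bool) or (nova_enable_tls_backend | bool)` makes that explicit for the next reader. The enclosing task list continues past the hunk on both sides.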
@@ -83,5 +83,17 @@
notify:
- "Restart {{ item.key }} container"
+- name: Copying over nova-api-wsgi.conf
+ template:
+ src: "nova-api-wsgi.conf.j2"
+ dest: "{{ node_config_directory }}/nova-api/nova-api-wsgi.conf"
+ mode: "0660"
+ become: true
+ when:
+ - inventory_hostname in groups["nova-api"]
+ - nova_services["nova-api"].enabled | bool
+ notify:
+ - "Restart nova-api container"
+
- import_tasks: check-containers.yml
when: kolla_action != "config"
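Review bot: The new task places `become: true` after the `template:` block, while the neighbouring task at the top of the hunk puts `become: true` directly under `name:`; keeping one key order across tasks in this file makes them easier to scan. Moving the line is enough: `- name: Copying over nova-api-wsgi.conf`, then `become: true`, then `template:`. The `when` guard on `nova_services["nova-api"].enabled` matches the service key the defaults change relies on, which is consistent with the other hunks.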
diff --git a/ansible/roles/nova/templates/nova-api-wsgi.conf.j2 b/ansible/roles/nova/templates/nova-api-wsgi.conf.j2
new file mode 100644
index 0000000000..e5bf1f0c41
--- /dev/null
+++ b/ansible/roles/nova/templates/nova-api-wsgi.conf.j2
@@ -0,0 +1,70 @@
+{% set nova_log_dir = '/var/log/kolla/nova' %}
+{% set wsgi_directory = '/usr/bin' if nova_install_type == 'binary' else '/var/lib/kolla/venv/bin' %}
+{% if nova_enable_tls_backend | bool %}
+{% if kolla_base_distro in ['centos'] %}
+LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
+{% else %}
+LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
+{% endif %}
+{% endif %}
+Listen {{ api_interface_address | put_address_in_context('url') }}:{{ nova_api_listen_port }}
+Listen {{ api_interface_address | put_address_in_context('url') }}:{{ nova_metadata_listen_port }}
+
+ServerSignature Off
+ServerTokens Prod
+TraceEnable off
+KeepAliveTimeout {{ kolla_httpd_keep_alive }}
+
+
+
+ Options None
+ Require all granted
+
+
+
+ErrorLog "{{ nova_log_dir }}/apache-error.log"
+
+CustomLog "{{ nova_log_dir }}/apache-access.log" common
+
+
+{% if nova_logging_debug | bool %}
+LogLevel info
+{% endif %}
+
+
+ WSGIDaemonProcess nova-api processes={{ openstack_service_workers }} threads=1 user=nova group=nova display-name=%{GROUP}
+ WSGIProcessGroup nova-api
+ WSGIScriptAlias / {{ wsgi_directory }}/nova-api-wsgi
+ WSGIApplicationGroup %{GLOBAL}
+ WSGIPassAuthorization On
+ = 2.4>
+ ErrorLogFormat "%{cu}t %M"
+
+ ErrorLog "{{ nova_log_dir }}/nova-api-error.log"
+ LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
+ CustomLog "{{ nova_log_dir }}/nova-api-access.log" logformat
+{% if nova_enable_tls_backend | bool %}
+ SSLEngine on
+ SSLCertificateFile /etc/nova/certs/nova-cert.pem
+ SSLCertificateKeyFile /etc/nova/certs/nova-key.pem
+{% endif %}
+
+
+
+ WSGIDaemonProcess nova-metadata processes={{ openstack_service_workers }} threads=1 user=nova group=nova display-name=%{GROUP}
+ WSGIProcessGroup nova-metadata
+ WSGIScriptAlias / {{ wsgi_directory }}/nova-metadata-wsgi
+ WSGIApplicationGroup %{GLOBAL}
+ WSGIPassAuthorization On
+ = 2.4>
+ ErrorLogFormat "%{cu}t %M"
+
+ ErrorLog "{{ nova_log_dir }}/nova-metadata-error.log"
+ LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
+ CustomLog "{{ nova_log_dir }}/nova-metadata-access.log" logformat
+{% if nova_enable_tls_backend | bool %}
+ SSLEngine on
+ SSLCertificateFile /etc/nova/certs/nova-cert.pem
+ SSLCertificateKeyFile /etc/nova/certs/nova-key.pem
+{% endif %}
+
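Review bot: The two `SSLEngine on` blocks enable TLS without an `SSLProtocol` or `SSLCipherSuite` directive, so the accepted protocol versions fall back to the distro's mod_ssl defaults, which on older base images still include TLS 1.0/1.1; adding `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` next to each `SSLEngine on` (or once at server level, which would also remove the duplication between the two vhosts) pins the floor regardless of distro, unless the image's global ssl configuration already does so. The module path selection at the top of the file tests `kolla_base_distro in ['centos']`, whereas nova-api.json.j2 in this same change picks httpd for anything not in `['ubuntu', 'debian']`, so another RPM-based distro value would get the httpd binary together with the Debian mod_ssl path; using the same test in both templates avoids that. The lines around `Options None` and the `= 2.4>` fragments look like `<VirtualHost>`, `<Directory>` and `<IfVersion>` tags lost in rendering, so the container-block structure could not be fully checked here.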
diff --git a/ansible/roles/nova/templates/nova-api.json.j2 b/ansible/roles/nova/templates/nova-api.json.j2
index f52b27ecc0..ea392fcbd9 100644
--- a/ansible/roles/nova/templates/nova-api.json.j2
+++ b/ansible/roles/nova/templates/nova-api.json.j2
@@ -1,17 +1,37 @@
+{% set apache_binary = 'apache2' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd' %}
+{% set apache_conf_dir = 'apache2/conf-enabled' if kolla_base_distro in ['ubuntu', 'debian'] else 'httpd/conf.d' %}
{
- "command": "nova-api",
+ "command": "/usr/sbin/{{ apache_binary }} -DFOREGROUND",
"config_files": [
{
"source": "{{ container_config_directory }}/nova.conf",
"dest": "/etc/nova/nova.conf",
"owner": "nova",
"perm": "0600"
+ },
+ {
+ "source": "{{ container_config_directory }}/nova-api-wsgi.conf",
+ "dest": "/etc/{{ apache_conf_dir }}/nova-api-wsgi.conf",
+ "owner": "nova",
+ "perm": "0600"
}{% if nova_policy_file is defined %},
{
"source": "{{ container_config_directory }}/{{ nova_policy_file }}",
"dest": "/etc/nova/{{ nova_policy_file }}",
"owner": "nova",
"perm": "0600"
+ }{% endif %}{% if nova_enable_tls_backend | bool %},
+ {
+ "source": "{{ container_config_directory }}/nova-cert.pem",
+ "dest": "/etc/nova/certs/nova-cert.pem",
+ "owner": "nova",
+ "perm": "0600"
+ },
+ {
+ "source": "{{ container_config_directory }}/nova-key.pem",
+ "dest": "/etc/nova/certs/nova-key.pem",
+ "owner": "nova",
+ "perm": "0600"
}{% endif %}
],
"permissions": [
diff --git a/ansible/roles/nova/templates/nova.conf.j2 b/ansible/roles/nova/templates/nova.conf.j2
index 16ef6db36e..d37200a559 100644
--- a/ansible/roles/nova/templates/nova.conf.j2
+++ b/ansible/roles/nova/templates/nova.conf.j2
@@ -8,15 +8,6 @@ log_file = /var/log/kolla/nova/nova-super-conductor.log
{% endif %}
state_path = /var/lib/nova
-
-osapi_compute_listen = {{ api_interface_address }}
-osapi_compute_listen_port = {{ nova_api_listen_port }}
-osapi_compute_workers = {{ openstack_service_workers }}
-metadata_workers = {{ openstack_service_workers }}
-
-metadata_listen = {{ api_interface_address }}
-metadata_listen_port = {{ nova_metadata_listen_port }}
-
allow_resize_to_same_host = true
# Though my_ip is not used directly, lots of other variables use $my_ip