diff --git a/environments/services-docker/octavia.yaml b/environments/services-docker/octavia.yaml
index f0c671f6c8..3af17478b8 100644
--- a/environments/services-docker/octavia.yaml
+++ b/environments/services-docker/octavia.yaml
@@ -7,4 +7,7 @@ resource_registry:
 parameter_defaults:
     NeutronServicePlugins: "qos,router,trunk,lbaasv2"
     NeutronEnableForceMetadata: true
-
+    OctaviaCaCertFile: '/etc/octavia/certs/ca_01.pem'
+    OctaviaCaKeyFile: '/etc/octavia/certs/private/cakey.pem'
+    OctaviaCaKeyPassphrase: 'foobar'
+    OctaviaClientCertFile: '/etc/octavia/certs/client.pem'
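Review bot: `OctaviaCaKeyPassphrase: 'foobar'` puts a fixed, publicly readable passphrase for the CA private key into a shipped environment file. Every deployment that includes this file unchanged would protect its amphora CA key with the same known value. The parameter is declared `hidden: true` in puppet/services/octavia-base.yaml, and a literal value here defeats the point of that. I would drop the line and have the operator supply the passphrase from a private, per-deployment environment file. A comment such as `# OctaviaCaKeyPassphrase must be set per deployment; do not commit a value here` could take its place.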
diff --git a/puppet/services/octavia-base.yaml b/puppet/services/octavia-base.yaml
index 7c0c67f29b..caa9a45e78 100644
--- a/puppet/services/octavia-base.yaml
+++ b/puppet/services/octavia-base.yaml
@@ -74,6 +74,18 @@ parameters:
     description: The password for the Octavia's database account.
     type: string
     hidden: true
+  OctaviaCaCertFile:
+    type: string
+    default: '/etc/octavia/certs/ca_01.pem'
+    description: Octavia CA certificate file path.
+  OctaviaCaKeyFile:
+    type: string
+    default: '/etc/octavia/certs/private/cakey.pem'
+    description: Octavia CA private key file path.
+  OctaviaCaKeyPassphrase:
+    description: CA private key passphrase.
+    type: string
+    hidden: true
 
 conditions:
   service_debug_unset: {equals : [{get_param: OctaviaDebug}, '']}
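Review bot: `OctaviaCaKeyPassphrase` is declared without a `default`, and the description neither says that nor ties it to the key file. Heat should therefore treat it as a required input for any stack that includes this template. Suggest `description: Passphrase for the CA private key at OctaviaCaKeyFile. Required; set per deployment.` The two path parameters list `type` first while this one lists `description` first, so matching the neighbouring order would read more consistently. The `parameters` section begins outside this hunk, so other environment files that enable Octavia are worth checking for the missing value.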
@@ -102,3 +114,6 @@ outputs:
          octavia::service_auth::project_name: 'service'
          octavia::service_auth::project_domain_name: 'Default'
          octavia::service_auth::user_domain_name: 'Default'
+         octavia::certificates::ca_certificate: {get_param: OctaviaCaCertFile}
+         octavia::certificates::ca_private_key: {get_param: OctaviaCaKeyFile}
+         octavia::certificates::ca_private_key_passphrase: {get_param: OctaviaCaKeyPassphrase}
diff --git a/puppet/services/octavia-worker.yaml b/puppet/services/octavia-worker.yaml
index 3449ed704a..13289df573 100644
--- a/puppet/services/octavia-worker.yaml
+++ b/puppet/services/octavia-worker.yaml
@@ -39,7 +39,7 @@ parameters:
       tag: openstack.octavia.worker
       path: /var/log/octavia/worker.log
   OctaviaAmphoraImageTag:
-    default: ''
+    default: 'amphora-image'
     description: Glance image tag for identifying the amphora image.
     type: string
   OctaviaAmphoraNetworkList:
@@ -63,15 +63,13 @@ parameters:
     default: false
     description: Configure the nova flavor for the amphora.
     type: boolean
-  OctaviaSSHKeyName:
-    default: 'octavia-ssh-key'
-    description: name for ssh key to be configured so the amphora can
-                 be logged into.
+  OctaviaClientCertFile:
+    default: '/etc/octavia/certs/client.pem'
+    description: client certificate for amphoras
     type: string
 
 conditions:
   octavia_topology_unset: {equals : [{get_param: OctaviaLoadBalancerTopology}, ""]}
-  octavia_amphora_tag_unset: {equals: [{get_param: OctaviaAmphoraImageTag}, ""]}
 
 resources:
 
@@ -101,12 +99,8 @@ outputs:
             octavia::worker::amp_flavor_id: {get_param: OctaviaFlavorId}
             octavia::worker::nova_flavor_config: {get_param: OctaviaFlavorProperties}
             octavia::worker::manage_nova_flavor: {get_param: OctaviaManageNovaFlavor}
-            octavia::worker::ssh_key_name: {get_param: OctaviaSSHKeyName}
-          -
-            if:
-            - octavia_amphora_tag_unset
-            - {}
-            - octavia::worker::amp_image_tag: {get_param: OctaviaAmphoraImageTag}
+            octavia::certificates::client_cert: {get_param: OctaviaClientCertFile}
+            octavia::worker::amp_image_tag: {get_param: OctaviaAmphoraImageTag}
           -
             if:
             - octavia_topology_unset
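Review bot: `octavia::certificates::client_cert` is set only in the worker's config here, while the CA certificate, key and passphrase are set in octavia-base.yaml for every Octavia service. If other Octavia services on separate nodes also contact amphorae with this client certificate (not visible in this diff), they would not receive the path. Consider moving `OctaviaClientCertFile` and this mapping to the base template alongside the CA settings. The description `client certificate for amphoras` in the previous hunk should say it is a file path, e.g. `description: Path to the client certificate file Octavia uses to authenticate to amphorae.` If that PEM also holds the private key, the description should say so, so operators restrict its permissions. The `config_settings` map continues beyond this hunk.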