diff --git a/layer.yaml b/layer.yaml
index 1e4209d..29a73d5 100644
--- a/layer.yaml
+++ b/layer.yaml
@@ -1,4 +1,5 @@
 includes: ['layer:openstack-principle', 'interface:mysql-shared',
            'interface:rabbitmq', 'interface:keystone',
-           'interface:hacluster', 'interface:openstack-ha']
+           'interface:hacluster', 'interface:openstack-ha',
+           'interface:tls-certificates', 'layer:tls-client']
 repo: 'https://github.com/openstack/charm-layer-openstack-api'
diff --git a/reactive/layer_openstack_api.py b/reactive/layer_openstack_api.py
index 8111bb9..13d1247 100644
--- a/reactive/layer_openstack_api.py
+++ b/reactive/layer_openstack_api.py
@@ -62,3 +62,25 @@ def default_setup_endpoint_available(keystone):
     with charm.provide_charm_instance() as instance:
         instance.configure_ssl(keystone)
         instance.assess_status()
+
+
+@reactive.when('certificates.available')
+def default_setup_certificates(tls):
+    """When the identity-service interface is available, this default
+    handler switches on the SSL support.
+    """
+    with charm.provide_charm_instance() as instance:
+        for cn, req in instance.get_certificate_requests().items():
+            tls.add_request_server_cert(cn, req['sans'])
+        tls.request_server_certs()
+        instance.assess_status()
+
+
+@reactive.when('certificates.batch.cert.available')
+def default_setup_endpoint_available(tls):
+    """When the identity-service interface is available, this default
+    handler switches on the SSL support.
+    """
+    with charm.provide_charm_instance() as instance:
+        instance.configure_ssl(tls)
+        instance.assess_status()