diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3923ceb..9108a3d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,7 @@ This file is used to list changes made in each version of cookbook-openstack-orc
 * Add attributes for stack role and domain users
 * Bump Chef gem to 11.16
 * Create role and domain setup for heat template defined users
+* Add cert_file, key_file, ca_file and insecure for clients so that they are configurable.
 ## 9.2.0
 * python_packages database client attributes have been migrated to
diff --git a/README.md b/README.md
index e59d468..3135075 100644
--- a/README.md
+++ b/README.md
@@ -83,6 +83,13 @@ Attributes for the Heat service are in the ['openstack']['orchestration'] namesp
 * `openstack['orchestration']['api']['auth']['cafile']` - A PEM encoded Certificate Authority to use when verifying HTTPs connections.
 * `openstack['orchestration']['api']['auth']['insecure']` - Whether to allow the client to perform insecure SSL (https) requests.
+Clients configurations
+----------------------
+* `openstack['orchestration']['clients']['ca_file']` - A PEM encoded Certificate Authority to use for clients when verifying HTTPs connections.
+* `openstack['orchestration']['clients']['cert_file']` - Cert file to use for clients when verifying HTTPs connections.
+* `openstack['orchestration']['clients']['key_file']` - Private key file to use for clients when verifying HTTPs connections.
+* `openstack['orchestration']['clients']['insecure']` - Whether to allow insecure SSL (https) requests when calling clients.
+
 Notification definitions
 ------------------------
 * `openstack['orchestration']['notification_driver']` - driver
diff --git a/attributes/default.rb b/attributes/default.rb
index 688a4d8..4a023d8 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -42,6 +42,15 @@ default['openstack']['orchestration']['service_role'] = 'admin'
 default['openstack']['orchestration']['api']['auth']['version'] = node['openstack']['api']['auth']['version']
+# A PEM encoded Certificate Authority to use for clients when verifying HTTPs connections.
+default['openstack']['orchestration']['clients']['ca_file'] = nil
+# Cert file to use for clients when verifying HTTPs connections.
+default['openstack']['orchestration']['clients']['cert_file'] = nil
+# Private key file to use for clients when verifying HTTPs connections.
+default['openstack']['orchestration']['clients']['key_file'] = nil
+# Whether to allow insecure SSL (https) requests when calling clients.
+default['openstack']['orchestration']['clients']['insecure'] = false
+
 # A list of memcached server(s) for caching
 default['openstack']['orchestration']['api']['auth']['memcached_servers'] = nil
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index 320f4fd..aeabad5 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
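Review bot: The comments added above `cert_file` and `key_file` both say the file is used "when verifying HTTPs connections", but the heat.conf template in this same commit describes them as the client's own certificate chain and its private key; only `ca_file` verifies the server. I would reword them to `# Path to the PEM certificate chain the clients present to the server.` and `# Path to the PEM private key for cert_file; as far as this commit shows the cookbook writes only the path, so restrict the key file's owner and mode separately.` The `insecure` comment should also state the cost of enabling it, for example `# When true, the server's certificate is not verified; leave false outside test environments.`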
@@ -192,6 +192,29 @@ shared_examples 'expects to create heat conf' do
 expect(chef_run).to render_file(file.name).with_content(/^insecure=false$/)
 end
+ describe 'default values for certificates files' do
+ it 'has no such values' do
+ [
+ /^ca_file=/,
+ /^cert_file=/,
+ /^key_file=/
+ ].each do |line|
+ expect(chef_run).not_to render_file(file.name).with_content(line)
+ end
+ end
+
+ it 'sets clients ca_file cert_file key_file insecure' do
+ node.set['openstack']['orchestration']['clients']['ca_file'] = 'dir/to/path'
+ node.set['openstack']['orchestration']['clients']['cert_file'] = 'dir/to/path'
+ node.set['openstack']['orchestration']['clients']['key_file'] = 'dir/to/path'
+ node.set['openstack']['orchestration']['clients']['insecure'] = true
+ expect(chef_run).to render_file(file.name).with_content(%r{^ca_file=dir/to/path$})
+ expect(chef_run).to render_file(file.name).with_content(%r{^cert_file=dir/to/path$})
+ expect(chef_run).to render_file(file.name).with_content(%r{^key_file=dir/to/path$})
+ expect(chef_run).to render_file(file.name).with_content(/^insecure=true$/)
+ end
+ end
+
 describe 'default values' do
 it 'has default conf values' do
 [
diff --git a/templates/default/heat.conf.erb b/templates/default/heat.conf.erb
index ca0a8ce..33bd6a2 100644
--- a/templates/default/heat.conf.erb
+++ b/templates/default/heat.conf.erb
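Review bot: In the `sets clients ca_file cert_file key_file insecure` example all three path attributes are set to the same string `'dir/to/path'`, so the assertions would still pass if the template rendered `key_file` from the `cert_file` attribute or swapped any two of them. Giving each attribute a distinct value (the paths below are made-up sample values) makes a mix-up between the CA bundle, the certificate and the private key fail the spec. Separately, `/^insecure=true$/` is matched against the whole rendered file, and the context line above shows another `insecure=` setting is already asserted in it, so this expectation does not prove the value landed in the clients section. The enclosing `shared_examples` block starts and ends outside the hunk.

```ruby
it 'sets clients ca_file cert_file key_file insecure' do
  node.set['openstack']['orchestration']['clients']['ca_file'] = 'path/to/ca.pem'
  node.set['openstack']['orchestration']['clients']['cert_file'] = 'path/to/client.crt'
  node.set['openstack']['orchestration']['clients']['key_file'] = 'path/to/client.key'
  # … unchanged: insecure attribute set to true …
  expect(chef_run).to render_file(file.name).with_content(%r{^ca_file=path/to/ca\.pem$})
  expect(chef_run).to render_file(file.name).with_content(%r{^cert_file=path/to/client\.crt$})
  expect(chef_run).to render_file(file.name).with_content(%r{^key_file=path/to/client\.key$})
  # … unchanged: insecure=true expectation …
```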
@@ -603,19 +603,32 @@ log_config = /etc/openstack/logging.conf
 # Optional CA cert file to use in SSL connections. (string
 # value)
+<% if node['openstack']['orchestration']['clients']['ca_file'] -%>
+ca_file=<%= node['openstack']['orchestration']['clients']['ca_file'] %>
+<% else -%>
 #ca_file=
+<% end -%>
 # Optional PEM-formatted certificate chain file. (string
 # value)
+<% if node['openstack']['orchestration']['clients']['cert_file'] -%>
+cert_file=<%= node['openstack']['orchestration']['clients']['cert_file'] %>
+<% else -%>
 #cert_file=
+<% end -%>
 # Optional PEM-formatted file that contains the private key.
 # (string value)
+<% if node['openstack']['orchestration']['clients']['key_file'] -%>
+key_file=<%= node['openstack']['orchestration']['clients']['key_file'] %>
+<% else -%>
 #key_file=
+<% end -%>
 # If set, then the server's certificate will not be verified.
 # (boolean value)
 #insecure=false
+insecure=<%= node['openstack']['orchestration']['clients']['insecure'] %>
 [clients_ceilometer]
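Review bot: The new `insecure=` line prints the attribute verbatim, so anything other than a real boolean ends up in heat.conf as-is: `nil` renders an empty `insecure=`, and this is the switch that turns off server certificate verification for the clients. Rendering it fail-closed keeps verification on unless the attribute is exactly `true`: `insecure=<%= node['openstack']['orchestration']['clients']['insecure'] == true %>`. The three `if` guards have a related gap, since an empty string is truthy in Ruby and would render e.g. `ca_file=` with no value; guarding with `unless node['openstack']['orchestration']['clients']['ca_file'].to_s.empty?` would fall back to the commented default instead. The section these options belong to starts above the hunk.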