diff --git a/tasks/galera_setup.yml b/tasks/galera_setup.yml
index a9535e95..44020e54 100644
--- a/tasks/galera_setup.yml
+++ b/tasks/galera_setup.yml
@@ -18,6 +18,9 @@
 login_user: "{{ galera_root_user }}"
 login_password: "{{ galera_root_password }}"
 login_host: "127.0.0.1"
+ ssl_ca: "{{ (galera_use_ssl | bool) | ternary(galera_ssl_ca_cert, omit) }}"
+ ssl_cert: "{{ (galera_use_ssl | bool) | ternary(galera_ssl_cert, omit) }}"
+ ssl_key: "{{ (galera_use_ssl | bool) | ternary(galera_ssl_key, omit) }}"
 name: "{{ item.name }}"
 host: "{{ item.host }}"
 password: "{{ item.password }}"
diff --git a/tasks/galera_ssl_self_signed.yml b/tasks/galera_ssl_self_signed.yml
index 569e3ce8..d3586e6c 100644
--- a/tasks/galera_ssl_self_signed.yml
+++ b/tasks/galera_ssl_self_signed.yml
@@ -59,10 +59,21 @@
 -out {{ galera_ssl_ca_cert | dirname }}/galera-req.pem
 -extensions v3_ca
 creates={{ galera_ssl_ca_cert | dirname }}/galera-req.pem
+ register: create_galera_ssl_request
 when:
 - inventory_hostname == galera_server_bootstrap_node
 notify: Restart all mysql
+- name: Convert generated SSL key to valid format for Galera
+ command: >
+ openssl rsa
+ -in {{ galera_ssl_key }}
+ -out {{ galera_ssl_key }}
+ when:
+ - create_galera_ssl_request | changed
+ - inventory_hostname == galera_server_bootstrap_node
+ notify: Restart all mysql
+
 - name: Get REQ key contents and store as var
 slurp:
 src: "{{ galera_ssl_ca_cert | dirname }}/galera-req.pem"
diff --git a/templates/debian.cnf.j2 b/templates/debian.cnf.j2
index 4bbfaeae..6db5aa66 100644
--- a/templates/debian.cnf.j2
+++ b/templates/debian.cnf.j2
@@ -5,6 +5,11 @@ host = localhost
 user = root
 password = {{ galera_root_password }}
 socket = /var/run/mysqld/mysqld.sock
+{% if galera_use_ssl | bool %}
+ssl-ca = {{ galera_ssl_ca_cert }}
+ssl-cert = {{ galera_ssl_cert }}
+ssl-key = {{ galera_ssl_key }}
+{% endif %}
 [mysql_upgrade]
 host = localhost
diff --git a/templates/my.cnf.j2 b/templates/my.cnf.j2
index c5595928..91d33f3f 100644
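Review bot: The three new `ssl_*` parameters make the root login on 127.0.0.1 validate the server against `galera_ssl_ca_cert`, so the CA, certificate and key handed to this client must be the same material the server presents, and nothing in the hunk records that coupling. A comment above `ssl_ca:` would make it explicit: `# Client-side TLS for the loopback root login; must match the ssl-* material the server is configured with. omit leaves the module defaults when galera_use_ssl is false.` Whether the client library also checks the certificate's name against 127.0.0.1 cannot be told from these lines and is worth confirming against the self-signed certificate. The task's module and loop definition sit outside the hunk.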
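Review bot: The condition `create_galera_ssl_request | changed` on the new task uses the filter form that Ansible deprecated in 2.5 in favour of the test form, `- create_galera_ssl_request is changed`, and the filter was dropped in later releases. The gate is also fragile on its own terms: the request task is guarded by `creates=`, so a run that fails between the two tasks leaves the key unconverted and a rerun reports the request task unchanged, which skips the conversion for good; a condition derived from the key file itself would be more robust. The task rewrites the private key in place with `openssl rsa -out` and sets no owner or mode on the result, so it is worth confirming that the original file's restrictive permissions survive or pinning them with a follow-up `file:` task. The task that receives `register:` begins outside the hunk.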
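Review bot: The `ssl-ca`/`ssl-cert`/`ssl-key` lines are added only to the section above `[mysql_upgrade]`, while `[mysql_upgrade]` itself (its `host = localhost` line is the trailing context) keeps a plain host/user/password login. If the server is ever set to require TLS for this account, `mysql_upgrade` becomes the one client still connecting without it; either repeat the three lines inside that section under the same `{% if galera_use_ssl | bool %}` guard or add a comment stating why it is left out. The header of the section receiving the insert is outside the hunk.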
--- a/templates/my.cnf.j2
+++ b/templates/my.cnf.j2
@@ -34,10 +34,10 @@ bind-address = ::
 server-id = {{ galera_server_id }}
 {% endif %}
 {% if galera_use_ssl | bool %}
+ssl
 ssl-ca = {{ galera_ssl_ca_cert }}
 ssl-cert = {{ galera_ssl_cert }}
 ssl-key = {{ galera_ssl_key }}
-ssl-cipher = TLSv1.2
 {% endif %}
 # LOGGING #
diff --git a/tox.ini b/tox.ini
index 0c4b8e11..97a5ca21 100644
--- a/tox.ini
+++ b/tox.ini
@@ -116,7 +116,7 @@ deps =
 {[testenv:ansible]deps}
 setenv =
 {[testenv]setenv}
- ANSIBLE_PARAMETERS=-vvv -e galera_use_ssl=True
+ ANSIBLE_PARAMETERS=-e galera_use_ssl=True
 commands =
 bash -c "{toxinidir}/tests/common/test-ansible-functional.sh"
diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml
index 692e7753..d1e5e2eb 100644
--- a/zuul.d/jobs.yaml
+++ b/zuul.d/jobs.yaml
@@ -14,8 +14,25 @@
 # limitations under the License.
 - job:
- name: openstack-ansible-ssl-ubuntu-xenial-nv
- parent: openstack-ansible-functional-ubuntu-xenial
- voting: false
+ name: openstack-ansible-functional-centos-7-ssl
+ parent: openstack-ansible-functional-centos-7
+ vars:
+ tox_env: ssl
+
+- job:
+ name: openstack-ansible-functional-opensuse-423-ssl
+ parent: openstack-ansible-functional-opensuse-423
+ vars:
+ tox_env: ssl
+
+- job:
+ name: openstack-ansible-functional-ubuntu-bionic-ssl
+ parent: openstack-ansible-functional-ubuntu-bionic
+ vars:
+ tox_env: ssl
+
+- job:
+ name: openstack-ansible-functional-ubuntu-xenial-ssl
+ parent: openstack-ansible-functional-ubuntu-xenial
 vars:
 tox_env: ssl
diff --git a/zuul.d/project.yaml b/zuul.d/project.yaml
index 42b31768..a52a46b2 100644
--- a/zuul.d/project.yaml
+++ b/zuul.d/project.yaml
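Review bot: Removing `ssl-cipher = TLSv1.2` takes away the only restriction this template placed on what the server negotiates; with just `ssl` and the key material, accepted protocol versions and cipher suites fall back to the server build's defaults. If that relaxation is intended, record it where the line was removed, e.g. `# No cipher/protocol pin: server defaults apply; set ssl-cipher or a minimum TLS version option to restrict`, and re-add a deliberate minimum once the supported server versions agree on the option. The `ssl` line only enables TLS server-wide; whether clients are required to use it is decided elsewhere and is not visible in this hunk.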
@@ -17,9 +17,13 @@
 jobs:
 - openstack-ansible-linters
 - openstack-ansible-functional-centos-7
+ - openstack-ansible-functional-centos-7-ssl
 - openstack-ansible-functional-opensuse-423
+ - openstack-ansible-functional-opensuse-423-ssl
 - openstack-ansible-functional-ubuntu-xenial
+ - openstack-ansible-functional-ubuntu-xenial-ssl
 - openstack-ansible-functional-ubuntu-bionic
+ - openstack-ansible-functional-ubuntu-bionic-ssl
 - openstack-ansible-upgrade-centos-7
 - openstack-ansible-upgrade-opensuse-423
 - openstack-ansible-upgrade-ubuntu-xenial
@@ -27,7 +31,6 @@
 # did not support Bionic in the Q cycle.
 - openstack-ansible-upgrade-ubuntu-bionic:
 voting: false
- - openstack-ansible-ssl-ubuntu-xenial-nv
 experimental:
 jobs:
 - openstack-ansible-integrated-deploy-aio
@@ -35,9 +38,13 @@
 jobs:
 - openstack-ansible-linters
 - openstack-ansible-functional-centos-7
+ - openstack-ansible-functional-centos-7-ssl
 - openstack-ansible-functional-opensuse-423
+ - openstack-ansible-functional-opensuse-423-ssl
 - openstack-ansible-functional-ubuntu-xenial
+ - openstack-ansible-functional-ubuntu-xenial-ssl
 - openstack-ansible-functional-ubuntu-bionic
+ - openstack-ansible-functional-ubuntu-bionic-ssl
 - openstack-ansible-upgrade-centos-7
 - openstack-ansible-upgrade-opensuse-423
 - openstack-ansible-upgrade-ubuntu-xenial