diff --git a/defaults/main.yml b/defaults/main.yml
index 6bc8b578..607c6356 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -228,8 +228,9 @@ keystone_default_uwsgi_overrides:
   uwsgi:
     socket: "127.0.0.1:{{ keystone_uwsgi_ports['keystone-wsgi-public']['socket'] }}"
 
-# set keystone_ssl to true to enable SSL configuration on the keystone containers
-keystone_ssl: "{{ openstack_backend_service_https | default(False) }}"
+# Define if communication between haproxy and service backends should be
+# encrypted with TLS.
+keystone_backend_ssl: "{{ openstack_service_backend_ssl | default(False) }}"
 
 # The local address used for the keystone node
 keystone_node_address: "{{ management_address | default('127.0.0.1') }}"
@@ -274,7 +275,7 @@ keystone_pki_certificates:
     cn: "{{ ansible_facts['hostname'] }}"
     san: "{{ 'DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ keystone_node_address }}"
     signed_by: "{{ keystone_pki_intermediate_cert_name }}"
-    condition: "{{ keystone_ssl }}"
+    condition: "{{ keystone_backend_ssl }}"
 
 # Set to the value of keystone_idp_authority_name to regenerate the IDP CA
 keystone_pki_regen_ca: ''
@@ -292,13 +293,13 @@ keystone_pki_install_certificates:
     owner: "{{ keystone_system_user_name }}"
     group: "{{ keystone_system_group_name }}"
     mode: "0644"
-    condition: "{{ keystone_ssl }}"
+    condition: "{{ keystone_backend_ssl }}"
   - src: "{{ keystone_user_ssl_key | default(keystone_pki_keys_path ~ 'keystone_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
     dest: "{{ keystone_ssl_key }}"
     owner: "{{ keystone_system_user_name }}"
     group: "{{ keystone_system_group_name }}"
     mode: "0600"
-    condition: "{{ keystone_ssl }}"
+    condition: "{{ keystone_backend_ssl }}"
   - src: "{{ keystone_user_ssl_ca_cert | default(keystone_pki_intermediate_cert_path) }}"
     dest: "{{ keystone_ssl_ca_cert }}"
     owner: "{{ keystone_system_user_name }}"
diff --git a/releasenotes/notes/keystone_ssl-4dc7676a36831f85.yaml b/releasenotes/notes/keystone_ssl-4dc7676a36831f85.yaml
new file mode 100644
index 00000000..af3167eb
--- /dev/null
+++ b/releasenotes/notes/keystone_ssl-4dc7676a36831f85.yaml
@@ -0,0 +1,5 @@
+---
+upgrade:
+  - |
+    Variable ``keystone_ssl`` was deprecated in favor of
+    ``keystone_backend_ssl``.
diff --git a/tasks/main.yml b/tasks/main.yml
index 7416f60b..a3307cd6 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -168,7 +168,7 @@
     pki_certificates: "{{ keystone_pki_certificates }}"
     pki_install_certificates: "{{ keystone_pki_install_certificates }}"
   when:
-    - (keystone_ssl | bool) or (keystone_idp['certfile'] is defined)
+    - (keystone_backend_ssl | bool) or (keystone_idp['certfile'] is defined)
   tags:
     - keystone-config
 
diff --git a/templates/keystone-httpd.conf.j2 b/templates/keystone-httpd.conf.j2
index c2ca86e7..ffdbeae5 100644
--- a/templates/keystone-httpd.conf.j2
+++ b/templates/keystone-httpd.conf.j2
@@ -26,7 +26,7 @@ Listen {{ keystone_web_server_bind_address }}:{{ keystone_service_port }}
     RequestHeader set {{ keystone_secure_proxy_ssl_header }} "http"
     {% endif %}
 
-    {% if keystone_ssl | bool and keystone_service_internaluri_proto == "https" -%}
+    {% if keystone_backend_ssl | bool and keystone_service_internaluri_proto == "https" -%}
     SSLEngine on
     SSLCertificateFile    {{ keystone_ssl_cert }}
     SSLCertificateKeyFile {{ keystone_ssl_key }}
diff --git a/templates/shibboleth2.xml.j2 b/templates/shibboleth2.xml.j2
index 27d2d847..ac604ab6 100644
--- a/templates/shibboleth2.xml.j2
+++ b/templates/shibboleth2.xml.j2
@@ -36,7 +36,7 @@
                   timeout="3600"
                   relayState="ss:mc"
                   checkAddress="false"
-                  handlerSSL="{% if keystone_ssl | bool %}true{% else %}false{% endif %}"
+                  handlerSSL="{% if keystone_backend_ssl | bool %}true{% else %}false{% endif %}"
                   {% if keystone_service_publicuri_proto == "https" %}cookieProps="; path=/; secure"{% endif %}>
 
             <!-- Triggers a login request directly to the IdP. -->
diff --git a/vars/debian.yml b/vars/debian.yml
index 3408cd7e..443498e0 100644
--- a/vars/debian.yml
+++ b/vars/debian.yml
@@ -82,7 +82,7 @@ keystone_apache_configs:
 
 keystone_apache_modules:
   - name: "ssl"
-    state: "{{ (keystone_ssl | bool) | ternary('present', 'absent') }}"
+    state: "{{ (keystone_backend_ssl | bool) | ternary('present', 'absent') }}"
   - name: "shib"
     state: "{{ keystone_sp_apache_mod_shib | ternary('present', 'absent') }}"
   - name: "auth_openidc"
diff --git a/vars/ubuntu-18.04.yml b/vars/ubuntu-18.04.yml
index 81f5adc4..5ce9e407 100644
--- a/vars/ubuntu-18.04.yml
+++ b/vars/ubuntu-18.04.yml
@@ -82,7 +82,7 @@ keystone_apache_configs:
 
 keystone_apache_modules:
   - name: "ssl"
-    state: "{{ (keystone_ssl | bool) | ternary('present', 'absent') }}"
+    state: "{{ (keystone_backend_ssl | bool) | ternary('present', 'absent') }}"
   - name: "shib2"
     state: "{{ keystone_sp_apache_mod_shib | ternary('present', 'absent') }}"
   - name: "auth_openidc"