diff --git a/defaults/main.yml b/defaults/main.yml index 959cc818..c4e88ce7 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -267,6 +267,9 @@ nova_nested_virt_enabled: False nova_wsgi_processes_max: 16 nova_wsgi_processes: "{{ [[ansible_facts['processor_vcpus']|default(1), 1] | max * 2, nova_wsgi_processes_max] | min }}" nova_wsgi_threads: 1 +nova_uwsgi_tls: + crt: "{{ nova_ssl_cert }}" + key: "{{ nova_ssl_key }}" ## Nova libvirt # Warning: If nova_libvirt_inject_key or nova_libvirt_inject_password are enabled for Ubuntu compute hosts @@ -441,6 +444,7 @@ nova_services: uwsgi_overrides: "{{ nova_api_metadata_uwsgi_ini_overrides }}" uwsgi_bind_address: "{{ nova_metadata_bind_address }}" uwsgi_port: "{{ nova_metadata_port }}" + uwsgi_tls: "{{ nova_backend_ssl | ternary(nova_uwsgi_tls, {}) }}" wsgi_name: nova-metadata-wsgi nova-api-os-compute: group: nova_api_os_compute @@ -451,6 +455,7 @@ nova_services: uwsgi_overrides: "{{ nova_api_os_compute_uwsgi_ini_overrides }}" uwsgi_bind_address: "{{ nova_service_bind_address }}" uwsgi_port: "{{ nova_service_port }}" + uwsgi_tls: "{{ nova_backend_ssl | ternary(nova_uwsgi_tls, {}) }}" wsgi_name: nova-api-wsgi nova-compute: group: nova_compute @@ -476,7 +481,7 @@ nova_services: init_config_overrides: "{{ nova_novncproxy_init_overrides }}" condition: "{{ nova_console_type == 'novnc' }}" start_order: 5 - execstarts: "{{ nova_bin }}/nova-novncproxy" + execstarts: "{{ nova_bin }}/nova-novncproxy {{ nova_backend_ssl | ternary('--ssl_only --cert ' ~ nova_ssl_cert ~ ' --key ' ~ nova_ssl_key, '') }}" nova-scheduler: group: nova_scheduler service_name: nova-scheduler 
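Review bot: `nova_uwsgi_tls` is introduced in the `@@ -267` hunk with no comment, and its `crt`/`key` values point at `nova_ssl_cert`/`nova_ssl_key`, which this file only defines in the new "Backend TLS" section near its end. A one-line pointer would spare the reader the search: `# TLS material handed to uWSGI for the API services when nova_backend_ssl is true; the paths are set in the Backend TLS section below`. This dict is what the `ternary(nova_uwsgi_tls, {})` in the two new `uwsgi_tls:` entries selects, so it must track whatever `nova_pki_install_certificates` writes to disk.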
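Review bot: In the `@@ -476` hunk the `--ssl_only --cert … --key …` ternary is pasted verbatim into `execstarts`, and the same expression appears three more times in the `@@ -490` hunk; whenever `nova_backend_ssl` is false each value still renders with a trailing space after the binary, and any later change to the flags has to be repeated four times. Factor it once, e.g. `nova_console_proxy_ssl_args: "{{ nova_backend_ssl | ternary('--ssl_only --cert ' ~ nova_ssl_cert ~ ' --key ' ~ nova_ssl_key, '') }}"` and `execstarts: "{{ (nova_bin ~ '/nova-novncproxy ' ~ nova_console_proxy_ssl_args) | trim }}"` (a constructed name). Note that `--ssl_only` makes the proxies refuse plaintext websocket connections, so the haproxy side, which is not part of this diff, presumably has to speak TLS to these backends whenever the flag is on.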
@@ -490,21 +495,21 @@ nova_services: init_config_overrides: "{{ {'Install': {'Alias': 'nova-spiceproxy.service'}} | combine(nova_spicehtml5proxy_init_overrides, recursive=True) }}" condition: "{{ nova_console_type == 'spice' }}" start_order: 5 - execstarts: "{{ nova_bin }}/nova-spicehtml5proxy" + execstarts: "{{ nova_bin }}/nova-spicehtml5proxy {{ nova_backend_ssl | ternary('--ssl_only --cert ' ~ nova_ssl_cert ~ ' --key ' ~ nova_ssl_key, '') }}" nova-serialconsole-proxy: group: nova_console service_name: nova-serialproxy init_config_overrides: "{{ nova_serialproxy_init_overrides }}" condition: "{{ nova_console_type == 'serialconsole' }}" start_order: 5 - execstarts: "{{ nova_bin }}/nova-serialproxy" + execstarts: "{{ nova_bin }}/nova-serialproxy {{ nova_backend_ssl | ternary('--ssl_only --cert ' ~ nova_ssl_cert ~ ' --key ' ~ nova_ssl_key, '') }}" nova_ironic_sericalconsole-proxy: group: ironic_console service_name: nova-serialproxy init_config_overrides: "{{ nova_serialproxy_init_overrides }}" condition: "{{ nova_ironic_console_type == 'serialconsole' }}" start_order: 5 - execstarts: "{{ nova_bin }}/nova-serialproxy" + execstarts: "{{ nova_bin }}/nova-serialproxy {{ nova_backend_ssl | ternary('--ssl_only --cert ' ~ nova_ssl_cert ~ ' --key ' ~ nova_ssl_key, '') }}" nova_novnc_pip_packages: - websockify @@ -583,6 +588,7 @@ nova_pki_certs_path: "{{ nova_pki_dir ~ '/certs/certs/' }}" nova_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name }}" nova_pki_intermediate_chain_path: "{{ nova_pki_dir ~ '/roots/' ~ nova_pki_intermediate_cert_name ~ '/certs/' ~ nova_pki_intermediate_cert_name ~ '-chain.crt' }}" nova_pki_regen_cert: '' +nova_pki_san: "{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ management_address) }}" # Create client and server cert for compute hosts # This certiticate is used to secure TLS live migrations and VNC sessions nova_pki_compute_certificates: 
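Review bot: `nova_pki_san` in the `@@ -583` hunk has no comment saying why its default carries both the hostname and `management_address`; since the backend is presumably verified by whichever of the two haproxy is pointed at, that is worth stating. Suggest `# SANs for the backend certificate: hostname plus management IP, so the backend verifies under either` above it. If `management_address` is undefined on a host the default expression fails to render rather than falling back to the DNS entry alone, which is probably acceptable but worth knowing.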
@@ -690,6 +696,7 @@ nova_pki_console_certificates: - keyEncipherment extended_key_usage: - clientAuth + condition: "{{ nova_qemu_vnc_tls == 1 and nova_console_type == 'novnc' }}" # Installation details for SSL certificates for console hosts nova_pki_console_install_certificates: @@ -698,16 +705,19 @@ nova_pki_console_install_certificates: owner: "root" group: "{{ nova_system_group_name }}" mode: "0640" + condition: "{{ nova_qemu_vnc_tls == 1 and nova_console_type == 'novnc' }}" - src: "{{ nova_user_ssl_key | default(nova_pki_keys_path ~ 'nova_' ~ ansible_facts['hostname'] ~ '-client.key.pem') }}" dest: "{{ nova_vencrypt_client_key }}" owner: "root" group: "{{ nova_system_group_name }}" mode: "0640" + condition: "{{ nova_qemu_vnc_tls == 1 and nova_console_type == 'novnc' }}" - src: "{{ nova_user_ssl_ca_cert | default(nova_pki_intermediate_chain_path) }}" dest: "{{ nova_vencrypt_ca_certs }}" owner: "root" group: "{{ nova_system_group_name }}" mode: "0640" + condition: "{{ nova_qemu_vnc_tls == 1 and nova_console_type == 'novnc' }}" # host which holds the ssh certificate authority nova_ssh_keypairs_setup_host: "{{ openstack_ssh_keypairs_setup_host | default('localhost') }}" 
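Review bot: The condition `{{ nova_qemu_vnc_tls == 1 and nova_console_type == 'novnc' }}` is now written out four times, once here in the `@@ -690` hunk and three times in the `@@ -698` hunk, so a later tweak is easy to apply to only some of them. Define it once, e.g. `nova_console_tls_condition: "{{ nova_qemu_vnc_tls == 1 and nova_console_type == 'novnc' }}"` (a constructed name), and use `condition: "{{ nova_console_tls_condition }}"` in each entry. The `nova_pki_console_certificates` entry this hunk touches starts above the hunk.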
@@ -739,3 +749,39 @@ nova_ssh_keypairs_install_ca: "{{ openstack_ssh_keypairs_authorities }}" nova_ssh_keypairs_principals: - user: "{{ nova_system_user_name }}" principals: "{{ nova_ssh_key_principals | default(['nova']) }}" + +### +### Backend TLS +### + +# Define if communication between haproxy and service backends should be +# encrypted with TLS. +nova_backend_ssl: "{{ openstack_service_backend_ssl | default(False) }}" + +nova_pki_certificates: + # Used to encrypt traffic between haproxy and nova backends + - name: "nova_{{ ansible_facts['hostname'] }}" + provider: ownca + cn: "{{ ansible_facts['hostname'] }}" + san: "{{ nova_pki_san }}" + signed_by: "{{ nova_pki_intermediate_cert_name }}" + condition: "{{ nova_backend_ssl }}" + +# nova destination files for SSL certificates +nova_ssl_cert: /etc/nova/nova.pem +nova_ssl_key: /etc/nova/nova.key + +# Installation details for SSL certificates +nova_pki_install_certificates: + - src: "{{ nova_user_ssl_cert | default(nova_pki_certs_path ~ 'nova_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}" + dest: "{{ nova_ssl_cert }}" + owner: "{{ nova_system_user_name }}" + group: "{{ nova_system_user_name }}" + mode: "0644" + condition: "{{ nova_backend_ssl }}" + - src: "{{ nova_user_ssl_key | default(nova_pki_keys_path ~ 'nova_' ~ ansible_facts['hostname'] ~ '.key.pem') }}" + dest: "{{ nova_ssl_key }}" + owner: "{{ nova_system_user_name }}" + group: "{{ nova_system_user_name }}" + mode: "0600" + condition: "{{ nova_backend_ssl }}" diff --git a/tasks/main.yml b/tasks/main.yml index 454b1ea2..d6de9775 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
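Review bot: Both new `nova_pki_install_certificates` entries set `group: "{{ nova_system_user_name }}"`, while the console install entries elsewhere in this file use `group: "{{ nova_system_group_name }}"`; if the user and group names ever differ the chown on the key and certificate fails. Change both to `group: "{{ nova_system_group_name }}"`. Installing the key as `0600` owned by the service user and the chain as `0644` is the right split for a private key and a public certificate.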
@@ -130,11 +130,35 @@ tags: - nova-config -# Create certs after libvirt groups have been created but before handlers +# Create certs after nova groups have been created but before handlers +- name: Create and install SSL certificates for API + include_role: + name: pki + tasks_from: main_certs.yml + apply: + tags: + - nova-config + - pki + vars: + pki_setup_host: "{{ nova_pki_setup_host }}" + pki_dir: "{{ nova_pki_dir }}" + pki_create_certificates: "{{ nova_user_ssl_cert is not defined and nova_user_ssl_key is not defined }}" + pki_regen_cert: "{{ nova_pki_regen_cert }}" + pki_certificates: "{{ nova_pki_certificates }}" + pki_install_certificates: "{{ nova_pki_install_certificates }}" + when: + - "'nova_api_metadata' in group_names or 'nova_api_os_compute' in group_names" + tags: + - always + - name: Create and install SSL certificates for compute hosts include_role: name: pki tasks_from: main_certs.yml + apply: + tags: + - nova-config + - pki vars: pki_setup_host: "{{ nova_pki_setup_host }}" pki_dir: "{{ nova_pki_dir }}" 
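Review bot: A host that is in `nova_api_metadata` or `nova_api_os_compute` and also in `nova_console` processes `nova_pki_certificates` twice per run, once by this new task and again by the console task in the `@@ -146` hunk, which now prepends the same list; with `nova_pki_regen_cert` set that presumably regenerates the backend certificate twice. Adding `- "'nova_console' not in group_names"` to this task's `when` avoids the overlap, since the console task already installs the backend material there. The include also runs when `nova_backend_ssl` is false and relies on each entry's `condition` to do nothing; a short comment above the task saying so would save the reader a trip to the defaults.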
@@ -146,23 +170,28 @@ - nova_libvirtd_listen_tls == 1 - "'nova_compute' in group_names" - nova_virt_type != 'ironic' + tags: + - always -# Create certs after nova groups have been created but before handlers - name: Create and install SSL certificates for console hosts include_role: name: pki tasks_from: main_certs.yml + apply: + tags: + - nova-config + - pki vars: pki_setup_host: "{{ nova_pki_setup_host }}" pki_dir: "{{ nova_pki_dir }}" pki_create_certificates: "{{ nova_user_ssl_cert is not defined and nova_user_ssl_key is not defined }}" pki_regen_cert: "{{ nova_pki_regen_cert }}" - pki_certificates: "{{ nova_pki_console_certificates }}" - pki_install_certificates: "{{ nova_pki_console_install_certificates }}" + pki_certificates: "{{ nova_pki_certificates + nova_pki_console_certificates }}" + pki_install_certificates: "{{ nova_pki_install_certificates + nova_pki_console_install_certificates }}" when: - - nova_qemu_vnc_tls == 1 - - nova_console_type == 'novnc' - "'nova_console' in group_names" + tags: + - always - import_tasks: nova_post_install.yml tags:
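Review bot: `pki_create_certificates` is still gated on `nova_user_ssl_cert`/`nova_user_ssl_key` alone, but this task now creates both the backend server certificate and the VNC client certificate, and in the defaults of this commit the backend install entries and the client key entry visible in the `@@ -698` hunk all default their `src` from those same two variables. An operator who supplies one pair therefore gets the same private key installed as the backend server key and as the vencrypt client key, and generation of the other certificate is silently switched off. Separate override variables for the console client pair (constructed names, e.g. `nova_user_ssl_console_cert`/`nova_user_ssl_console_key`) would keep the two uses independent. The `nova_qemu_vnc_tls`/`nova_console_type` conditions dropped from `when` are carried by the per-entry `condition` fields added in the defaults, so that part of the change is sound.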