diff --git a/config.yaml b/config.yaml
index b4201ae..3204d0a 100644
--- a/config.yaml
+++ b/config.yaml
@@ -19,8 +19,27 @@ options:
 Openstack mostly defaults to using public endpoints for internal communication between services. If set to True this option will configure services to use internal endpoints where possible.
+ ssl_cert:
+ type: string
+ default:
+ description: |
+ TLS certificate to install and use for any listening services.
+ .
+ __NOTE__: This configuration option will take precedence over any
+ certificates received over the ``certificates`` relation.
+ ssl_key:
+ type: string
+ default:
+ description: |
+ TLS key to use with certificate specified as ``ssl_cert``.
+ .
+ __NOTE__: This configuration option will take precedence over any
+ certificates received over the ``certificates`` relation.
 ssl_ca:
 type: string
 default:
 description: |
- SSL CA to use to communicate with other OpenStack cloud components.
+ TLS CA to use to communicate with other components in a deployment.
+ .
+ __NOTE__: This configuration option will take precedence over any
+ certificates received over the ``certificates`` relation.
diff --git a/layer.yaml b/layer.yaml
index e88eccb..f1a1722 100644
--- a/layer.yaml
+++ b/layer.yaml
@@ -1,2 +1,2 @@
-includes: ['layer:basic']
+includes: ['layer:basic', 'interface:tls-certificates']
 repo: 'https://github.com/openstack/charm-layer-openstack'
diff --git a/metadata.yaml b/metadata.yaml
index d478242..7e5ea87 100644
--- a/metadata.yaml
+++ b/metadata.yaml
@@ -6,3 +6,6 @@ description: |
 tags:
 - openstack
 series: []
+requires:
+ certificates:
+ interface: tls-certificates
diff --git a/reactive/layer_openstack.py b/reactive/layer_openstack.py
index 21f0220..627c900 100644
--- a/reactive/layer_openstack.py
+++ b/reactive/layer_openstack.py
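Review bot: The new `ssl_key` option carries private key material, yet its description says nothing about that sensitivity or about the encoding the value must be supplied in, and `ssl_cert` likewise leaves the expected format unstated. Both values are presumably consumed by `configure_tls` outside this diff, so I cannot tell from the hunk whether PEM text or a base64 blob is expected; the descriptions should say, e.g. `Supply the key as <ENCODING-PLACEHOLDER>; this value is private key material and is visible to anyone who can read the application's configuration.` The precedence NOTE under `ssl_key` still talks about "certificates received over the relation" although it is the key that this option overrides; `Private key received over the ``certificates`` relation.` would be more precise.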
@@ -1,8 +1,9 @@
+import charms.reactive as reactive
+
 import charmhelpers.core.unitdata as unitdata
 import charms_openstack.charm as charm
 import charms_openstack.charm.defaults as defaults
-import charms.reactive as reactive
 @reactive.when_not('charm.installed')
@@ -89,3 +90,36 @@ def default_post_series_upgrade():
 """
 with charm.provide_charm_instance() as instance:
 instance.series_upgrade_complete()
+
+
+@reactive.when('certificates.available',
+ 'charms.openstack.do-default-certificates.available')
+def default_request_certificates():
+ """When the certificates interface is available, this default handler
+ requests TLS certificates.
+ """
+ tls = reactive.endpoint_from_flag('certificates.available')
+ with charm.provide_charm_instance() as instance:
+ for cn, req in instance.get_certificate_requests().items():
+ tls.add_request_server_cert(cn, req['sans'])
+ tls.request_server_certs()
+ instance.assess_status()
+
+
+@reactive.when('charms.openstack.do-default-certificates.available')
+@reactive.when_any(
+ 'certificates.ca.changed',
+ 'certificates.certs.changed')
+def default_configure_certificates():
+ """When the certificates interface is available, this default handler
+ updates on-disk certificates and switches on the TLS support.
+ """
+ tls = reactive.endpoint_from_flag('certificates.available')
+ with charm.provide_charm_instance() as instance:
+ instance.configure_tls(tls)
+ # make charms.openstack required relation check happy
+ reactive.set_flag('certificates.connected')
+ for flag in 'certificates.ca.changed', 'certificates.certs.changed':
+ if reactive.is_flag_set(flag):
+ reactive.clear_flag(flag)
+ instance.assess_status()
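Review bot: `default_configure_certificates` looks up `reactive.endpoint_from_flag('certificates.available')` but is gated only on `charms.openstack.do-default-certificates.available` and the two `*.changed` flags, so if a `changed` flag fires while `certificates.available` is not set (for example after the relation departs) `tls` is `None` and is passed straight into `instance.configure_tls(tls)`. Either add `'certificates.available'` to the `@reactive.when(...)` of that handler, mirroring `default_request_certificates`, or guard with `if tls is None: return` before the `with` block; which is right depends on whether `configure_tls` accepts `None`, and that method is defined outside this hunk. Separately, `reactive.set_flag('certificates.connected')` is set here and cleared nowhere in this diff, so once set the required-relation check it is meant to satisfy will keep reporting the relation as connected after it has gone; the comment `# make charms.openstack required relation check happy` should at least say that the flag is never cleared by this layer. The `is_flag_set` test before `clear_flag` is redundant if `clear_flag` tolerates unset flags, which I believe charms.reactive's does.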