diff --git a/manifests/init.pp b/manifests/init.pp
index e42a30ba..8b4d280c 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -190,6 +190,10 @@
 #    properly configured DNS which will resolve hostnames for SSL endpoints
 #    Horizon will connect to. (Defaults to false)
 #
+#  [*openstack_ssl_cacert*]
+#    (optional) The CA certificate to use to verify SSL
+#    openstack connection.
+#
 #  [*ssl_redirect*]
 #    (optional) Whether to redirect http to https
 #    Defaults to True
@@ -464,6 +468,7 @@ class horizon(
   $http_port                           = 80,
   $https_port                          = 443,
   $ssl_no_verify                       = false,
+  $openstack_ssl_cacert                = '',
   $ssl_redirect                        = true,
   $horizon_cert                        = undef,
   $horizon_key                         = undef,
diff --git a/templates/local_settings.py.erb b/templates/local_settings.py.erb
index 7f9c2c26..a802fd8a 100644
--- a/templates/local_settings.py.erb
+++ b/templates/local_settings.py.erb
@@ -337,7 +337,11 @@ OPENSTACK_SSL_NO_VERIFY = True
 <% end -%>
 
 # The CA certificate to use to verify SSL connections
+<% if @openstack_ssl_cacert == '' -%>
 #OPENSTACK_SSL_CACERT = '/path/to/cacert.pem'
+<% else -%>
+OPENSTACK_SSL_CACERT = '<%= @openstack_ssl_cacert %>'
+<% end -%>
 
 # The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the
 # capabilities of the auth backend for Keystone.