diff --git a/elements/openstack-ssl/README.md b/elements/openstack-ssl/README.md
index 46ebd4bc0..a73b5a7ef 100644
--- a/elements/openstack-ssl/README.md
+++ b/elements/openstack-ssl/README.md
@@ -28,6 +28,7 @@ stunnel:
    - name: 'cinder'
      accept: 13776
      connect: 8776
+     connect_host: localhost
 
 The certificate and key data will be written to /etc/ssl/from-heat.{crt,key}.
 
@@ -37,3 +38,5 @@ from this implementation.
 
 Note that the public API endpoints in keystone need to be registered with https
 urls, which is outside the scope of the local machine configuration process.
+
+See the stunnel man page for documentation on crt and key formats etc.
diff --git a/elements/openstack-ssl/os-apply-config/etc/stunnel/from-heat.conf b/elements/openstack-ssl/os-apply-config/etc/stunnel/from-heat.conf
index 554baf92e..99f4b622c 100644
--- a/elements/openstack-ssl/os-apply-config/etc/stunnel/from-heat.conf
+++ b/elements/openstack-ssl/os-apply-config/etc/stunnel/from-heat.conf
@@ -6,5 +6,5 @@ options = NO_SSLv2
 {{#stunnel.ports}}
 [{{name}}]
 accept = {{accept}}
-connect = {{connect}}
+connect = {{#connect_host}}{{.}}:{{/connect_host}}{{connect}}
 {{/stunnel.ports}}