diff --git a/service/designate-api.yaml b/service/designate-api.yaml
index 5796e34..e06e2aa 100644
--- a/service/designate-api.yaml
+++ b/service/designate-api.yaml
@@ -62,6 +62,17 @@ service:
 - designate-conf
 - api-paste
 command: designate-api --config-file /etc/designate/designate.conf
+ # {% if designate.tls.enabled %}
+ - name: nginx-designate-api
+ image: nginx
+ daemon:
+ files:
+ - upstreams
+ - servers
+ - server-cert
+ - server-key
+ command: nginx
+ # {% endif %}
 files:
 designate-conf:
@@ -70,3 +81,21 @@ files:
 api-paste:
 path: /etc/designate/api-paste.ini
 content: api-paste.ini.j2
+ # {% if designate.tls.enabled %}
+ servers:
+ path: /etc/nginx/conf.d/servers.conf
+ content: nginx-api.conf.j2
+ perm: "0400"
+ upstreams:
+ path: /etc/nginx/conf.d/upstreams.conf
+ content: upstreams.conf.j2
+ perm: "0400"
+ server-cert:
+ path: /opt/ccp/etc/tls/server-cert.pem
+ content: server-cert.pem.j2
+ perm: "0400"
+ server-key:
+ path: /opt/ccp/etc/tls/server-key.pem
+ content: server-key.pem.j2
+ perm: "0400"
+ # {% endif %}
diff --git a/service/files/defaults.yaml b/service/files/defaults.yaml
index faa8f9f..34fbc1d 100644
--- a/service/files/defaults.yaml
+++ b/service/files/defaults.yaml
@@ -1,5 +1,7 @@
 configs:
 designate:
+ tls:
+ enabled: true
 api_port:
 cont: 9001
 ingress: dns
diff --git a/service/files/designate.conf.j2 b/service/files/designate.conf.j2
index c9e364c..5828137 100644
--- a/service/files/designate.conf.j2
+++ b/service/files/designate.conf.j2
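Review bot: The new `nginx-designate-api` container is declared with `image: nginx`, an untagged reference, so the component that terminates TLS for the API is rebuilt from whatever the registry serves as latest on each pull; pin it, e.g. `image: nginx:<PINNED_TAG_OR_DIGEST>` (placeholder), so the trusted edge is reproducible and reviewable. The container's `files:` list covers only upstreams, servers, server-cert and server-key, while nginx-api.conf.j2 in this same change includes `common/ssl.conf` and `common/proxy-headers.conf`; if those are not supplied by the base image or a shared mechanism, nginx will refuse to start, so it is worth confirming where they come from. The containers list this hunk extends starts before the hunk.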
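Review bot: `tls: enabled: true` turns the TLS path on by default, which makes `security.tls.server_cert` and `security.tls.server_key` effectively mandatory: a deployment that does not provide them would, as far as this diff shows, render server-cert.pem.j2 and server-key.pem.j2 to empty files and the nginx sidecar would then fail to start with unusable certificate material. If the secure default is intentional, a comment next to the key saying so would save operators a debugging cycle, e.g. `# requires security.tls.server_cert and security.tls.server_key to be set`; otherwise default to `false` and let deployments opt in.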
@@ -47,8 +47,13 @@ threads = {{ designate.service.central.threads }}
 [service:api]
 workers = {{ designate.service.api.workers }}
 threads = {{ designate.service.api.threads }}
+{% if designate.tls.enabled %}
+api_base_uri = {{ address('designate-api', designate.api_port, with_scheme=True) }}
+api_host = 127.0.0.1
+{% else %}
 api_base_uri = http://{{ network_topology["private"]["address"] }}:{{ designate.api_port.cont }}/
 api_host = {{ network_topology["private"]["address"] }}
+{% endif %}
 api_port = {{ designate.api_port.cont }}
 auth_strategy = keystone
 enable_api_v1 = True
@@ -56,7 +61,12 @@ enabled_extensions_v1 = diagnostics, quotas, reports, sync, touch
 enable_api_v2 = True
 enabled_extensions_v2 = quotas, reports
 enable_api_admin = True
-listen = {{ address("designate-api", designate.api_port) }}
+#listen = {{ network_topology["private"]["address"] }}:{{ designate.api_port.cont }}
+
+{% if designate.tls.enabled %}
+[network_api:neutron]
+ca_certificates_file = /opt/ccp/etc/tls/ca.pem
+{% endif %}
 
 #-------------
 # Sink Service
diff --git a/service/files/nginx-api.conf.j2 b/service/files/nginx-api.conf.j2
new file mode 100644
index 0000000..1e30a78
--- /dev/null
+++ b/service/files/nginx-api.conf.j2
@@ -0,0 +1,9 @@
+server {
+ listen {{ network_topology["private"]["address"] }}:{{ designate.api_port.cont }} ssl;
+ include common/ssl.conf;
+
+ location / {
+ proxy_pass http://designate_api;
+ include common/proxy-headers.conf;
+ }
+}
diff --git a/service/files/server-cert.pem.j2 b/service/files/server-cert.pem.j2
new file mode 100644
index 0000000..8abc152
--- /dev/null
+++ b/service/files/server-cert.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_cert }}
diff --git a/service/files/server-key.pem.j2 b/service/files/server-key.pem.j2
new file mode 100644
index 0000000..70cf751
--- /dev/null
+++ b/service/files/server-key.pem.j2
@@ -0,0 +1 @@
+{{ security.tls.server_key }}
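Review bot: In the TLS branch `api_base_uri` is whatever `address('designate-api', designate.api_port, with_scheme=True)` renders, whereas the non-TLS branch explicitly ends in `/`; if the helper does not append a trailing slash the two branches produce differently-shaped base URIs and the self-links Designate builds from it change form depending only on the flag — verify against the helper and align the two branches. Setting `api_host = 127.0.0.1` in the TLS branch is the security property that matters here: the plaintext listener is reachable only through the nginx proxy fed by the loopback upstream, so a short comment stating that intent, `# plaintext API bound to loopback; exposed only via the nginx TLS proxy`, would keep a later edit from widening the bind address. The `[service:api]` section continues past the end of this hunk.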
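Review bot: `ca_certificates_file = /opt/ccp/etc/tls/ca.pem` is added under `[network_api:neutron]`, but the only files this change delivers under /opt/ccp/etc/tls are server-cert.pem and server-key.pem; unless ca.pem is mounted by a shared mechanism not shown here, the neutron client will fail verification as soon as tls.enabled is true, so confirm its source or add a matching `ca-cert` entry to the service's `files:` with `perm: "0400"`. The `listen` option is not removed but left as `#listen = ...`; a commented-out template line still renders into the config and reads as a live setting to the next maintainer, so either drop it or replace it with a note that api_host/api_port now define the bind address. The `[service:api]` section this hunk edits starts in the previous hunk.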
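Review bot: Everything that decides how strong this TLS endpoint actually is — the `ssl_certificate`/`ssl_certificate_key` paths, protocol versions and ciphers — lives in `common/ssl.conf`, which the server block includes but this change does not add, so the diff alone cannot show that the listener uses the server-cert.pem and server-key.pem rendered under /opt/ccp/etc/tls; confirm that file references those paths. A one-line comment above the include, `# TLS material and policy come from common/ssl.conf (verify it points at /opt/ccp/etc/tls/server-{cert,key}.pem)`, would make the dependency explicit. The same applies to `include common/proxy-headers.conf;` inside `location /`: if it is expected to forward the client's scheme and host to the backend, say so in a comment so a later change to that shared file is checked against this proxy.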
diff --git a/service/files/upstreams.conf.j2 b/service/files/upstreams.conf.j2
new file mode 100644
index 0000000..a653248
--- /dev/null
+++ b/service/files/upstreams.conf.j2
@@ -0,0 +1,3 @@
+upstream designate_api {
+ server 127.0.0.1:{{ designate.api_port.cont }};
+}
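Review bot: `server 127.0.0.1:{{ designate.api_port.cont }};` hard-codes the loopback address that designate.conf.j2 sets as `api_host` in its TLS branch; the two literals are only correct together, so a comment tying them, `# must match api_host in designate.conf.j2 (TLS branch)`, would stop them drifting apart. Because this file is only shipped when tls.enabled is true the pairing holds today, but nothing in the templates enforces it.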