diff --git a/fuel_ccp_entrypoint/start_script.py b/fuel_ccp_entrypoint/start_script.py
index 92717d6..88d38db 100644
--- a/fuel_ccp_entrypoint/start_script.py
+++ b/fuel_ccp_entrypoint/start_script.py
@@ -180,8 +180,10 @@ def openstackclient_preexec_fn():
         os.environ["OS_PASSWORD"] = VARIABLES['openstack']['user_password']
         os.environ["OS_USERNAME"] = VARIABLES['openstack']['user_name']
         os.environ["OS_PROJECT_NAME"] = VARIABLES['openstack']['project_name']
-        os.environ["OS_AUTH_URL"] = 'http://%s/v3' % address(
-            'keystone', VARIABLES['keystone']['admin_port'])
+        if VARIABLES['security']['tls']['create_certificates']:
+            os.environ["OS_CACERT"] = CACERT
+        os.environ["OS_AUTH_URL"] = '%s/v3' % address(
+            'keystone', VARIABLES['keystone']['admin_port'], with_scheme=True)
     return result
 
 
@@ -217,7 +219,12 @@ def get_ingress_host(ingress_name):
 
 def address(service, port=None, external=False, with_scheme=False):
     addr = None
-    scheme = 'http'
+    enable_tls = VARIABLES.get(service, {}).get('tls', {}).get('enabled')
+
+    if enable_tls:
+        scheme = 'https'
+    else:
+        scheme = 'http'
     if external:
         if not port:
             raise RuntimeError('Port config is required for external address')
@@ -551,11 +558,19 @@ def run_probe(probe):
     if probe["type"] == "exec":
         run_cmd(probe["command"])
     elif probe["type"] == "httpGet":
-        url = "http://{}:{}{}".format(
+        scheme = probe.get('scheme', 'http')
+        if scheme == 'https':
+            # disable SSL check for probe request
+            verify = False
+        else:
+            verify = True
+
+        url = "{}://{}:{}{}".format(
+            scheme,
             VARIABLES["network_topology"]["private"]["address"],
             probe["port"],
             probe.get("path", "/"))
-        resp = requests.get(url)
+        resp = requests.get(url, verify=verify)
         resp.raise_for_status()