diff --git a/keystone/files/keystonerc b/keystone/files/keystonerc
index c91d196..680dbab 100644
--- a/keystone/files/keystonerc
+++ b/keystone/files/keystonerc
@@ -2,10 +2,10 @@
 export OS_USERNAME={{ server.admin_name }}
 export OS_PASSWORD={{ server.admin_password }}
 export OS_TENANT_NAME={{ server.admin_tenant }}
-export OS_AUTH_URL=http://{{ server.bind.private_address }}:{{ server.bind.private_port }}/v2.0
+export OS_AUTH_URL={{ server.bind.private_protocol }}://{{ server.bind.private_address }}:{{ server.bind.private_port }}/v2.0
 export OS_REGION_NAME={{ server.region }}
 export OS_SERVICE_TOKEN={{ server.service_token }}
-export OS_SERVICE_ENDPOINT="http://{{ server.bind.private_address }}:{{ server.bind.private_port }}/v2.0/"
+export OS_SERVICE_ENDPOINT="{{ server.bind.private_protocol }}://{{ server.bind.private_address }}:{{ server.bind.private_port }}/v2.0/"
 {%- if server.interface is defined %}
 export OS_INTERFACE={{ server.interface }}
 {%- endif %}
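Review bot: `OS_AUTH_URL` on the new side is still unquoted while `OS_SERVICE_ENDPOINT` a few lines below is quoted, and its value now begins with a pillar-supplied string. Writing it as `export OS_AUTH_URL="{{ server.bind.private_protocol }}://{{ server.bind.private_address }}:{{ server.bind.private_port }}/v2.0"` keeps the sourced file well-formed if the protocol renders empty or with stray whitespace. The same applies to the `OS_AUTH_URL` line in `keystone/files/keystonercv3`. Once the scheme can be `https`, clients sourcing this file also need a CA bundle for a privately issued certificate, and no `OS_CACERT` export is visible in this hunk. The file continues outside the hunk, so check whether one is set there, for example from the `cacert_file` default in `map.jinja`.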
diff --git a/keystone/files/keystonercv3 b/keystone/files/keystonercv3
index bf2b3ad..1b7f378 100644
--- a/keystone/files/keystonercv3
+++ b/keystone/files/keystonercv3
@@ -1,6 +1,6 @@
 {%- from "keystone/map.jinja" import server with context %}
 export OS_IDENTITY_API_VERSION=3
-export OS_AUTH_URL=http://{{ server.bind.private_address }}:{{ server.bind.private_port }}/v3
+export OS_AUTH_URL={{ server.bind.private_protocol }}://{{ server.bind.private_address }}:{{ server.bind.private_port }}/v3
 export OS_PROJECT_DOMAIN_NAME=Default
 export OS_USER_DOMAIN_NAME=Default
 export OS_PROJECT_NAME={{ server.admin_tenant }}
diff --git a/keystone/map.jinja b/keystone/map.jinja
index bf9e891..bee64cc 100644
--- a/keystone/map.jinja
+++ b/keystone/map.jinja
@@ -2,7 +2,11 @@
     'cacert_file': salt['grains.filter_by']({
         'Debian': '/etc/ssl/certs/ca-certificates.crt',
         'RedHat': '/etc/pki/tls/certs/ca-bundle.crt'
-    })}
+    }),
+    'bind': {
+      'private_protocol': 'http',
+      'public_protocol': 'http', }}
+
 %}
 
 {% set server = salt['grains.filter_by']({
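Review bot: The new `bind` defaults only take effect if they are deep-merged with the pillar's own `bind` mapping. The merge call is outside this hunk, so confirm it, because a pillar `bind` that replaces the mapping wholesale would presumably render URLs as `://host:port`. The block is also indented by six spaces and closes both dicts on the value line (`'public_protocol': 'http', }}`), unlike the `cacert_file` entry above it. Putting the closing braces on their own lines at the existing four-space step would keep later additions to a one-line diff. A short comment such as `{#- URL scheme for the admin/public endpoints: 'http' or 'https'; overridden from pillar #}` would document the accepted values.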
diff --git a/keystone/meta/salt.yml b/keystone/meta/salt.yml
index a729abd..4a3f557 100644
--- a/keystone/meta/salt.yml
+++ b/keystone/meta/salt.yml
@@ -15,23 +15,19 @@
   keystone:
     {%- if pillar.keystone.get('server', {'enabled': False}).enabled %}
     keystone.token: '{{ server.service_token }}'
-    keystone.endpoint: 'http://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
+    keystone.endpoint: '{{ server.bind.private_protocol }}://{{ server.bind.address }}:{{ server.bind.private_port }}/v2.0'
     {%- else %}
       {%- if client.get('server', {}).get('user') %}
     keystone.user: '{{ client.server.user }}'
     keystone.password: '{{ client.server.password }}'
     keystone.tenant: '{{ client.server.tenant }}'
-    keystone.auth_url: 'http://{{ client.server.host }}:{{ client.server.public_port }}/v2.0/'
+    keystone.auth_url: '{{ client.server.get('public_protocol', 'http') }}://{{ client.server.host }}:{{ client.server.public_port }}/v2.0/'
       {%- endif %}
     {%- endif %}
 
     {#- Profile based metadata #}
     {%- for profile_name, identity in client.get('server', {}).iteritems() %}
-      {%- if identity.admin.get('protocol', 'http') == 'http' %}
-        {%- set protocol = 'http' %}
-      {%- else %}
-        {%- set protocol = 'https' %}
-      {%- endif %}
+      {%- set protocol = identity.admin.get('protocol', 'http') %}
 
       {%- if identity.admin.get('api_version', '2') == '3' %}
         {%- set version = "v3" %}
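Review bot: The simplified `{%- set protocol = identity.admin.get('protocol', 'http') %}` passes any pillar value straight into the profile URL, whereas the removed branch mapped everything other than `http` to `https`. A mistyped value used to end up on TLS and will now produce an unusable scheme for an endpoint that presumably carries the profile's credentials. Constraining it in one line, e.g. `{%- set protocol = 'http' if identity.admin.get('protocol', 'http') == 'http' else 'https' %}`, keeps the old fail-to-https behaviour. Separately, `keystone.auth_url` falls back via `client.server.get('public_protocol', 'http')` while `keystone.endpoint` relies on the `map.jinja` default, so the fallback is defined in two places. The `for` loop continues past the end of the hunk.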
diff --git a/keystone/meta/telegraf.yml b/keystone/meta/telegraf.yml
index 6b92366..8daaa80 100644
--- a/keystone/meta/telegraf.yml
+++ b/keystone/meta/telegraf.yml
@@ -9,15 +9,15 @@
       region: "{{ server.region }}"
       username: "{{ server.admin_name }}"
       password: "{{ server.admin_password }}"
-      identity_endpoint: "http://{{ server.bind.private_address|replace('0.0.0.0', '127.0.0.1') }}:{{ server.bind.private_port }}/v{% if server.get('api_version', 2)|int == 2 %}2.0{% else %}3{% endif %}"
+      identity_endpoint: "{{ server.bind.private_protocol }}://{{ server.bind.private_address|replace('0.0.0.0', '127.0.0.1') }}:{{ server.bind.private_port }}/v{% if server.get('api_version', 2)|int == 2 %}2.0{% else %}3{% endif %}"
       monitor_agents: "true"
 agent:
   input:
     http_response:
       keystone-public-api:
-        address: "http://{{ server.bind.address|replace('0.0.0.0', '127.0.0.1') }}:{{ server.bind.public_port }}/"
+        address: "{{ server.bind.public_protocol }}://{{ server.bind.address|replace('0.0.0.0', '127.0.0.1') }}:{{ server.bind.public_port }}/"
         expected_code: 300
       keystone-admin-api:
-        address: "http://{{ server.bind.address|replace('0.0.0.0', '127.0.0.1') }}:{{ server.bind.private_port }}/"
+        address: "{{ server.bind.private_protocol }}://{{ server.bind.address|replace('0.0.0.0', '127.0.0.1') }}:{{ server.bind.private_port }}/"
         expected_code: 300
 {%- endif %}
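Review bot: When either protocol is set to `https`, these three URLs still target `server.bind.private_address` or `server.bind.address` with `0.0.0.0` rewritten to `127.0.0.1`. A server certificate is unlikely to cover that address, so certificate verification by the Telegraf inputs would probably fail. Because `identity_endpoint` is used together with `username` and `password`, the remedy should be a host name and CA bundle the certificate actually matches rather than turning verification off. A comment above `identity_endpoint` stating which address the checks are expected to use under TLS would help operators. The enclosing `{%- if %}` opens before the hunk.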
diff --git a/metadata/service/server/cluster.yml b/metadata/service/server/cluster.yml
index fd80ebd..1088421 100644
--- a/metadata/service/server/cluster.yml
+++ b/metadata/service/server/cluster.yml
@@ -6,6 +6,7 @@
   _param:
     openstack_log_appender: false
     openstack_fluentd_handler_enabled: false
+    cluster_internal_protocol: http
   keystone:
     server:
       enabled: true
@@ -20,6 +21,7 @@
         address: ${_param:cluster_local_address}
         private_address: ${_param:cluster_vip_address}
         private_port: 35357
+        private_protocol: ${_param:cluster_internal_protocol}
         public_address: ${_param:cluster_vip_address}
         public_port: 5000
       region: RegionOne
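Review bot: Only `private_protocol` is wired to a `_param` here; `public_protocol` is left to the `map.jinja` default of `http`. The `keystone-public-api` check in `keystone/meta/telegraf.yml` will therefore keep using plain HTTP after an operator sets `cluster_internal_protocol` to `https`. If that is intended, a comment next to the new key such as `# public_protocol defaults to http in map.jinja; override per deployment` would make it explicit. The parameter is also named `cluster_internal_protocol` here but `keystone_service_protocol` in `metadata/service/server/single.yml`, whose second hunk has the same gap.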
diff --git a/metadata/service/server/single.yml b/metadata/service/server/single.yml
index 39cf725..f17cfe9 100644
--- a/metadata/service/server/single.yml
+++ b/metadata/service/server/single.yml
@@ -6,6 +6,7 @@
   _param:
     openstack_log_appender: false
     openstack_fluentd_handler_enabled: false
+    keystone_service_protocol: http
   keystone:
     server:
       enabled: true
@@ -20,6 +21,7 @@
         address: 0.0.0.0
         private_address: ${_param:keystone_service_host}
         private_port: 35357
+        private_protocol: ${_param:keystone_service_protocol}
         public_address: ${_param:keystone_service_host}
         public_port: 5000
       region: RegionOne
