diff --git a/api/v1beta1/keystoneapi.go b/api/v1beta1/keystoneapi.go
index 3c3b29c5..5cc37854 100644
--- a/api/v1beta1/keystoneapi.go
+++ b/api/v1beta1/keystoneapi.go
@@ -18,6 +18,7 @@ package v1beta1
 import (
 "context"
 "fmt"
+ "net/url"
 "time"

 "github.com/openstack-k8s-operators/lib-common/modules/common/endpoint"
@@ -80,6 +81,18 @@ func GetAdminServiceClient(
 return nil, ctrl.Result{}, err
 }

+ parsedAuthURL, err := url.Parse(authURL)
+ if err != nil {
+ return nil, ctrl.Result{}, err
+ }
+
+ tlsConfig := &openstack.TLSConfig{}
+ if parsedAuthURL.Scheme == "https" {
+ // TODO: (mschuppert) for now just set to insecure, when keystone got
+ // enabled for internal tls, get the CA secret name from the keystoneAPI
+ tlsConfig.Insecure = true
+ }
+
 // get the password of the admin user from Spec.Secret
 // using PasswordSelectors.Admin
 authPassword, ctrlResult, err := secret.GetDataFromSecret(
@@ -104,6 +117,7 @@ func GetAdminServiceClient(
 TenantName: keystoneAPI.Spec.AdminProject,
 DomainName: "Default",
 Region: keystoneAPI.Spec.Region,
+ TLS: tlsConfig,
 })
 if err != nil {
 return nil, ctrl.Result{}, err
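Review bot: `tlsConfig.Insecure = true` is applied unconditionally to every https `authURL` in the second hunk, and the third hunk passes that config to the admin client via `TLS: tlsConfig`. Judging by the field name and the TODO, this presumably skips certificate verification, so the admin password read just below would be sent to a Keystone endpoint whose identity is never checked, and the channel is encrypted but not authenticated. Until the CA secret is wired in, the trade-off should be stated at the assignment rather than left as a TODO, e.g. `// SECURITY: certificate verification is disabled; admin credentials are sent to an unverified endpoint until the keystoneAPI CA bundle is used`, and the fallback should ideally be an explicit opt-in rather than the default for https. The `url.Parse` error is also returned bare; wrapping it as `fmt.Errorf("parsing keystone auth URL: %w", err)` would tell the caller which step failed. `GetAdminServiceClient` starts and ends outside these hunks, so how callers use the returned client is not visible here.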