diff --git a/ansible/roles/bifrost/tasks/start.yml b/ansible/roles/bifrost/tasks/start.yml
index eca4deb039..53446f9df6 100644
--- a/ansible/roles/bifrost/tasks/start.yml
+++ b/ansible/roles/bifrost/tasks/start.yml
@@ -18,3 +18,4 @@
 - "bifrost_mariadb:/var/lib/mysql/"
 - "bifrost_tftpboot:/tftpboot/"
 - "bifrost_config:/root/.config/bifrost/"
+ - "bifrost_certs:/etc/bifrost-certs/"
diff --git a/ansible/roles/bifrost/templates/bifrost.yml.j2 b/ansible/roles/bifrost/templates/bifrost.yml.j2
index 9c5c2dcc7d..07f5c3e57e 100644
--- a/ansible/roles/bifrost/templates/bifrost.yml.j2
+++ b/ansible/roles/bifrost/templates/bifrost.yml.j2
@@ -26,3 +26,10 @@ ironic_tftp_master_path: "/httpboot/master_images"
 # defaults. https://review.opendev.org/c/openstack/bifrost/+/822743
 tftp_boot_folder: "/tftpboot"
 http_boot_folder: "/httpboot"
+
+# Enable TLS and generate self-signed certificates.
+enable_tls: true
+generate_tls: true
+# NOTE: Needs to be world-readable, writeable by root, and persistent, which
+# the default /etc/bifrost is not.
+tls_root: "/etc/bifrost-certs"
diff --git a/releasenotes/notes/bifrost-tls-0c8545ede3fe278f.yaml b/releasenotes/notes/bifrost-tls-0c8545ede3fe278f.yaml
new file mode 100644
index 0000000000..15ff8fe476
--- /dev/null
+++ b/releasenotes/notes/bifrost-tls-0c8545ede3fe278f.yaml
@@ -0,0 +1,7 @@
+---
+upgrade:
+ - |
+ Enable TLS by default in Bifrost. Bifrost is now configured to enable TLS
+ for the services it deploys, and generate self-signed certificates for
+ them. TLS may be disabled by setting ``enable_tls`` to ``false`` in
+ ``/etc/kolla/config/bifrost/bifrost.yml``.
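Review bot: The new `bifrost_certs` volume hard-codes `/etc/bifrost-certs/`, the same literal the template sets as `tls_root`; if either side drifts, Bifrost will write its generated certificates (presumably including the private keys) into a path that is not persisted and they will be lost on container recreation. Consider a single role variable, e.g. `bifrost_tls_root: "/etc/bifrost-certs"` in the role defaults, used as `- "bifrost_certs:{{ bifrost_tls_root }}/"` here and `tls_root: "{{ bifrost_tls_root }}"` in the template. A short comment on the volume line would also tell a reader why it exists: `# Persists the TLS certificates and keys Bifrost generates under tls_root.`. The enclosing task (the container start with its volumes list) begins before this hunk.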
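Review bot: `generate_tls: true` is unconditional, so every deployment gets self-signed certificates that no client trusts out of the box, and the hunk does not say how an operator substitutes CA-issued certificates or whether a rerun regenerates (and thereby silently rotates) the material already in `tls_root`. I would extend the comment above it: `# Self-signed certificates are a bootstrap default; to use operator-issued certificates set generate_tls to false and place them under tls_root (the bifrost_certs volume).`. The NOTE on `tls_root` only covers the directory; it should add that the private keys inside must stay readable by root only, which is presumably enforced by Bifrost's TLS tasks but is worth confirming rather than relying on a world-readable directory default. Minor: `writeable` should read `writable`.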