diff --git a/manifests/api.pp b/manifests/api.pp index 9d7db476..cce910c4 100644 --- a/manifests/api.pp +++ b/manifests/api.pp @@ -155,6 +155,22 @@ # middleware should parse the proxy headers or not.(boolean value) # Defaults to $::os_service_default # +# [*use_ssl*] +# (optional) Enable SSL on the API server +# Defaults to false +# +# [*cert_file*] +# (optional) Certificate file to use when starting API server securely +# Defaults to $::os_service_default +# +# [*key_file*] +# (optional) Private key file to use when starting API server securely +# Defaults to $::os_service_default +# +# [*ca_file*] +# (optional) CA certificate file to use to verify connecting clients +# Defaults to $::os_service_default +# class cinder::api ( $keystone_password, $keystone_enabled = true, @@ -187,6 +203,10 @@ class cinder::api ( $osapi_max_limit = $::os_service_default, $service_name = $::cinder::params::api_service, $enable_proxy_headers_parsing = $::os_service_default, + $use_ssl = false, + $cert_file = $::os_service_default, + $key_file = $::os_service_default, + $ca_file = $::os_service_default, # DEPRECATED PARAMETERS $validation_options = {}, ) inherits cinder::params { @@ -197,6 +217,21 @@ class cinder::api ( validate_bool($manage_service) validate_bool($enabled) + # Keep backwards compatibility with SSL values being set in init.pp + $use_ssl_real = pick($::cinder::use_ssl, $use_ssl) + $cert_file_real = pick($::cinder::cert_file, $cert_file) + $key_file_real = pick($::cinder::key_file, $key_file) + $ca_file_real = pick($::cinder::ca_file, $ca_file) + + if $use_ssl_real { + if is_service_default($cert_file_real) { + fail('The cert_file parameter is required when use_ssl is set to true') + } + if is_service_default($key_file_real) { + fail('The key_file parameter is required when use_ssl is set to true') + } + } + Cinder_config<||> ~> Service[$service_name] Cinder_api_paste_ini<||> ~> Service[$service_name] Class['cinder::policy'] ~> Service[$service_name] 
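Review bot: The new doc entries for `cert_file` and `key_file` say only "(optional)", although the class fails when `use_ssl` is true and either one is left at its default. I would add a line such as `#   Required when use_ssl is true.` to both. The docs also do not mention that a value set on the `cinder` class takes precedence over these parameters, which the `pick()` calls further down establish; a line under `use_ssl` like `#   A value set through the deprecated cinder::use_ssl overrides this one.` would make that visible to operators.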
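Review bot: The guard under `if $use_ssl_real` rejects only the `$::os_service_default` sentinel, so a legacy `false` for `cert_file` or `key_file` coming from the `cinder` class gets through. As far as I know stdlib `pick()` skips undef and empty strings but keeps `false`, and `false` was the init.pp default for both before this change, so a manifest that still passes `cert_file => false` with `use_ssl => true` would no longer fail and would write `false` into the ssl section. Consider `if is_service_default($cert_file_real) or !$cert_file_real {` and the same for `key_file`. The same ordering means an explicit `cinder::use_ssl => false` silently wins over `cinder::api::use_ssl => true`; if that is intended, the backwards-compatibility comment should say so. The class body continues outside the hunk.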
@@ -304,6 +339,15 @@ class cinder::api ( } } + # SSL Options + if $use_ssl_real { + cinder_config { + 'ssl/cert_file' : value => $cert_file_real; + 'ssl/key_file' : value => $key_file_real; + 'ssl/ca_file' : value => $ca_file_real; + } + } + if (!is_service_default($ratelimits)) { cinder_api_paste_ini { 'filter:ratelimit/paste.filter_factory': value => $ratelimits_factory; diff --git a/manifests/init.pp b/manifests/init.pp index 0a14649a..5eff3c55 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -229,22 +229,6 @@ # any directory. # Defaults to '/var/log/cinder'. # -# [*use_ssl*] -# (optional) Enable SSL on the API server -# Defaults to false, not set -# -# [*cert_file*] -# (optinal) Certificate file to use when starting API server securely -# Defaults to false, not set -# -# [*key_file*] -# (optional) Private key file to use when starting API server securely -# Defaults to false, not set -# -# [*ca_file*] -# (optional) CA certificate file to use to verify connecting clients -# Defaults to $::os_service_default -# # [*storage_availability_zone*] # (optional) Availability zone of the node. # Defaults to 'nova' @@ -299,6 +283,25 @@ # (Optional) DEPRECATED. Whether to enable the v2 API (true/false). # Defaults to undef. # +# [*use_ssl*] +# (optional) DEPRECATED. Enable SSL on the API server +# Defaults to undef +# +# [*cert_file*] +# (optional) DEPRECATED. Certificate file to use when starting API server +# securely +# Defaults to undef +# +# [*key_file*] +# (optional) DEPRECATED. Private key file to use when starting API server +# securely +# Defaults to undef +# +# [*ca_file*] +# (optional) DEPRECATED. CA certificate file to use to verify connecting +# clients +# Defaults to undef +# class cinder ( $database_connection = undef, $database_idle_timeout = undef, 
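Review bot: With `$use_ssl_real` false the `ssl/cert_file`, `ssl/key_file` and `ssl/ca_file` entries are left unmanaged, whereas the `# SSL Options` block this replaces (removed from init.pp in the `-477` hunk) set its keys to `ensure => absent` in that case. A node that had SSL enabled and later has it switched off would keep the certificate and private-key paths in cinder.conf, and the old `DEFAULT/ssl_*` keys are no longer cleaned up either unless something else purges them. An `else` branch that removes the three `ssl/*` keys restores the previous behaviour; whether the stale `DEFAULT/ssl_*` keys also need explicit removal depends on how the service reads them, which is not visible here. The class body starts and ends outside the hunk.

```puppet
  # SSL Options
  if $use_ssl_real {
    # … unchanged: ssl/cert_file, ssl/key_file, ssl/ca_file values …
  } else {
    cinder_config {
      'ssl/cert_file' : ensure => absent;
      'ssl/key_file'  : ensure => absent;
      'ssl/ca_file'   : ensure => absent;
    }
  }
```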
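Review bot: The DEPRECATED doc entries added to init.pp for `use_ssl`, `cert_file`, `key_file` and `ca_file` do not name their replacements. Adding a line such as `#   Use cinder::api::use_ssl instead.` to each would tell operators where the setting moved. It is also worth stating there that a value set on this class still overrides the `cinder::api` one.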
@@ -346,10 +349,6 @@ class cinder ( $amqp_username = $::os_service_default, $amqp_password = $::os_service_default, $package_ensure = 'present', - $use_ssl = false, - $ca_file = $::os_service_default, - $cert_file = false, - $key_file = false, $api_paste_config = '/etc/cinder/api-paste.ini', $use_syslog = undef, $use_stderr = undef, @@ -367,20 +366,15 @@ class cinder ( $verbose = undef, $enable_v1_api = undef, $enable_v2_api = undef, + $use_ssl = undef, + $ca_file = undef, + $cert_file = undef, + $key_file = undef, ) inherits cinder::params { include ::cinder::db include ::cinder::logging - if $use_ssl { - if !$cert_file { - fail('The cert_file parameter is required when use_ssl is set to true') - } - if !$key_file { - fail('The key_file parameter is required when use_ssl is set to true') - } - } - if $verbose { warning('verbose is deprecated, has no effect and will be removed after Newton cycle.') } @@ -477,21 +471,6 @@ class cinder ( 'DEFAULT/host': value => $host; } - # SSL Options - if $use_ssl { - cinder_config { - 'DEFAULT/ssl_cert_file' : value => $cert_file; - 'DEFAULT/ssl_key_file' : value => $key_file; - 'DEFAULT/ssl_ca_file' : value => $ca_file; - } - } else { - cinder_config { - 'DEFAULT/ssl_cert_file' : ensure => absent; - 'DEFAULT/ssl_key_file' : ensure => absent; - 'DEFAULT/ssl_ca_file' : ensure => absent; - } - } - # V3 APIs cinder_config { 'DEFAULT/enable_v3_api': value => $enable_v3_api; diff --git a/releasenotes/notes/cinder-api-ssl-08f7be7fe02510c7.yaml b/releasenotes/notes/cinder-api-ssl-08f7be7fe02510c7.yaml new file mode 100644 index 00000000..18e891e7 --- /dev/null +++ b/releasenotes/notes/cinder-api-ssl-08f7be7fe02510c7.yaml @@ -0,0 +1,3 @@ +--- +deprecations: + - The SSL-related options were removed from init.pp and added to api.pp diff --git a/spec/classes/cinder_api_spec.rb b/spec/classes/cinder_api_spec.rb index debe9f35..1e47131a 100644 --- a/spec/classes/cinder_api_spec.rb +++ b/spec/classes/cinder_api_spec.rb 
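Review bot: The four SSL parameters are re-declared in the `-367` hunk as deprecated with `undef` defaults, but no deprecation warning is added next to the existing `if $verbose { warning(...) }` block. A manifest that still sets them on `cinder` therefore gets no signal that they moved, or that they override `cinder::api`. Something like `if $use_ssl != undef or $cert_file != undef or $key_file != undef or $ca_file != undef { warning('use_ssl, cert_file, key_file and ca_file are deprecated in cinder, use the cinder::api parameters instead.') }` would match how `verbose` is handled. The same hunk drops the cert/key presence check from this class, so on a node that does not declare `cinder::api` these values are now accepted and ignored without any error. The class body continues outside the hunk, so a warning may exist further down.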
@@ -335,6 +335,33 @@ describe 'cinder::api' do it_raises 'a Puppet::Error', /Invalid service_name/ end + + describe 'with SSL socket options set' do + let :params do + req_params.merge!({ + :use_ssl => true, + :cert_file => '/path/to/cert', + :ca_file => '/path/to/ca', + :key_file => '/path/to/key', + }) + end + + it { is_expected.to contain_cinder_config('ssl/ca_file').with_value('/path/to/ca') } + it { is_expected.to contain_cinder_config('ssl/cert_file').with_value('/path/to/cert') } + it { is_expected.to contain_cinder_config('ssl/key_file').with_value('/path/to/key') } + end + + describe 'with SSL socket options set wrongly configured' do + let :params do + req_params.merge!({ + :use_ssl => true, + :ca_file => '/path/to/ca', + :key_file => '/path/to/key', + }) + end + + it_raises 'a Puppet::Error', /The cert_file parameter is required when use_ssl is set to true/ + end end on_supported_os({ diff --git a/spec/classes/cinder_spec.rb b/spec/classes/cinder_spec.rb index 08fe84e6..4dec5030 100644 --- a/spec/classes/cinder_spec.rb +++ b/spec/classes/cinder_spec.rb 
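Review bot: The failure example in 'with SSL socket options set wrongly configured' omits only `:cert_file`, so the `key_file` branch of the new guard in api.pp has no coverage. Neither does the backwards-compatibility path where the values come from the `cinder` class. A second context that passes `:use_ssl => true` and `:cert_file` without `:key_file`, expecting `it_raises 'a Puppet::Error', /The key_file parameter is required when use_ssl is set to true/`, would cover the missing-private-key case. There is also no `use_ssl => false` example asserting what happens to the `ssl/*` keys, which the tests removed from cinder_spec.rb used to pin for the `DEFAULT/ssl_*` keys.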
@@ -254,51 +254,6 @@ describe 'cinder' do it { is_expected.to_not contain_class('mysql::bindings::python') } end - describe 'with SSL socket options set' do - let :params do - { - :use_ssl => true, - :cert_file => '/path/to/cert', - :ca_file => '/path/to/ca', - :key_file => '/path/to/key', - :rabbit_password => 'guest', - } - end - - it { is_expected.to contain_cinder_config('DEFAULT/ssl_ca_file').with_value('/path/to/ca') } - it { is_expected.to contain_cinder_config('DEFAULT/ssl_cert_file').with_value('/path/to/cert') } - it { is_expected.to contain_cinder_config('DEFAULT/ssl_key_file').with_value('/path/to/key') } - end - - describe 'with SSL socket options set to false' do - let :params do - { - :use_ssl => false, - :cert_file => false, - :ca_file => false, - :key_file => false, - :rabbit_password => 'guest', - } - end - - it { is_expected.to contain_cinder_config('DEFAULT/ssl_ca_file').with_ensure('absent') } - it { is_expected.to contain_cinder_config('DEFAULT/ssl_cert_file').with_ensure('absent') } - it { is_expected.to contain_cinder_config('DEFAULT/ssl_key_file').with_ensure('absent') } - end - - describe 'with SSL socket options set wrongly configured' do - let :params do - { - :use_ssl => true, - :ca_file => '/path/to/ca', - :key_file => '/path/to/key', - :rabbit_password => 'guest', - } - end - - it_raises 'a Puppet::Error', /The cert_file parameter is required when use_ssl is set to true/ - end - describe 'with APIs set for Mitaka (proposed)' do let :params do {