diff --git a/roles/kubernetes/node/tasks/main.yml b/roles/kubernetes/node/tasks/main.yml
index 700f7eb75..a8cb6ce5a 100644
--- a/roles/kubernetes/node/tasks/main.yml
+++ b/roles/kubernetes/node/tasks/main.yml
@@ -11,13 +11,6 @@
     owner: kube
   when: kube_network_plugin == "calico"
 
-- name: Write Canal cni config
-  template:
-    src: "cni-canal.conf.j2"
-    dest: "/etc/cni/net.d/10-canal.conf"
-    owner: kube
-  when: kube_network_plugin == "canal"
-
 - name: Write kubelet config file
   template: src=kubelet.j2 dest={{ kube_config_dir }}/kubelet.env backup=yes
   notify:
diff --git a/roles/network_plugin/canal/defaults/main.yml b/roles/network_plugin/canal/defaults/main.yml
index 24f7c789b..d67d593f5 100644
--- a/roles/network_plugin/canal/defaults/main.yml
+++ b/roles/network_plugin/canal/defaults/main.yml
@@ -9,3 +9,7 @@ canal_masquerade: "true"
 
 # Log-level
 canal_log_level: "info"
+
+# Etcd SSL dirs
+canal_cert_dir: /etc/canal/certs
+etcd_cert_dir: /etc/ssl/etcd/ssl
diff --git a/roles/network_plugin/canal/tasks/main.yml b/roles/network_plugin/canal/tasks/main.yml
index e88cfad7e..1566362f1 100644
--- a/roles/network_plugin/canal/tasks/main.yml
+++ b/roles/network_plugin/canal/tasks/main.yml
@@ -1,4 +1,28 @@
 ---
+- name: Canal | Write Canal cni config
+  template:
+    src: "cni-canal.conf.j2"
+    dest: "/etc/cni/net.d/10-canal.conf"
+    owner: kube
+
+- name: Canal | Create canal certs directory
+  file:
+    dest: "{{ canal_cert_dir }}"
+    state: directory
+    mode: 0750
+    owner: root
+    group: root
+
+- name: Canal | Link etcd certificates for canal-node
+  file:
+    src: "{{ etcd_cert_dir }}/{{ item.s }}"
+    dest: "{{ canal_cert_dir }}/{{ item.d }}"
+    state: hard
+  with_items:
+    - {s: "ca.pem", d: "ca_cert.crt"}
+    - {s: "node.pem", d: "cert.crt"}
+    - {s: "node-key.pem", d: "key.pem"}
+
 - name: Canal | Set Flannel etcd configuration
   command: |-
     {{ bin_dir }}/etcdctl --peers={{ etcd_access_addresses }} \
diff --git a/roles/network_plugin/canal/templates/canal-config.yml.j2 b/roles/network_plugin/canal/templates/canal-config.yml.j2
index 34f3faedb..1d0d3002a 100644
--- a/roles/network_plugin/canal/templates/canal-config.yml.j2
+++ b/roles/network_plugin/canal/templates/canal-config.yml.j2
@@ -20,3 +20,8 @@ data:
 
   # Cluster name for Flannel etcd path
   cluster_name: "{{ cluster_name }}"
+
+  # SSL Etcd configuration
+  etcd_cafile: "{{ canal_cert_dir }}/ca_cert.crt"
+  etcd_certfile: "{{ canal_cert_dir }}/cert.crt"
+  etcd_keyfile: "{{ canal_cert_dir }}/key.pem"
diff --git a/roles/network_plugin/canal/templates/canal-node.yml.j2 b/roles/network_plugin/canal/templates/canal-node.yml.j2
index ef6793f30..c3894d47f 100644
--- a/roles/network_plugin/canal/templates/canal-node.yml.j2
+++ b/roles/network_plugin/canal/templates/canal-node.yml.j2
@@ -40,6 +40,9 @@ spec:
         - name: resolv
           hostPath:
             path: /etc/resolv.conf
+        - name: "canal-certs"
+          hostPath:
+            path: "{{ canal_cert_dir }}"
       containers:
         # Runs the flannel daemon to enable vxlan networking between
         # container hosts.
@@ -76,10 +79,26 @@ spec:
             # Write the subnet.env file to the mounted directory.
             - name: FLANNELD_SUBNET_FILE
               value: "/run/flannel/subnet.env"
+            # Etcd SSL vars
+            - name: ETCD_CA_CERT_FILE
+              valueFrom:
+                configMapKeyRef:
+                  name: canal-config
+                  key: etcd_cafile
+            - name: ETCD_CERT_FILE
+              valueFrom:
+                configMapKeyRef:
+                  name: canal-config
+                  key: etcd_certfile
+            - name: ETCD_KEY_FILE
+              valueFrom:
+                configMapKeyRef:
+                  name: canal-config
+                  key: etcd_keyfile
           command:
             - "/bin/sh"
             - "-c"
-            - "/opt/bin/flanneld -etcd-prefix /$(CLUSTER_NAME)/network"
+            - "/opt/bin/flanneld -etcd-prefix /$(CLUSTER_NAME)/network -etcd-cafile $(ETCD_CA_CERT_FILE) -etcd-certfile $(ETCD_CERT_FILE) -etcd-keyfile $(ETCD_KEY_FILE)"
           ports:
             - hostPort: 10253
               containerPort: 10253
@@ -90,6 +109,8 @@ spec:
               mountPath: "/etc/resolv.conf"
             - name: "run-flannel"
               mountPath: "/run/flannel"
+            - name: "canal-certs"
+              mountPath: "{{ canal_cert_dir }}"
         # Runs calico/node container on each Kubernetes node.  This
         # container programs network policy and local routes on each
         # host.
@@ -108,6 +129,22 @@ spec:
             # Disable file logging so `kubectl logs` works.
             - name: CALICO_DISABLE_FILE_LOGGING
               value: "true"
+            # Etcd SSL vars
+            - name: ETCD_CA_CERT_FILE
+              valueFrom:
+                configMapKeyRef:
+                  name: canal-config
+                  key: etcd_cafile
+            - name: ETCD_CERT_FILE
+              valueFrom:
+                configMapKeyRef:
+                  name: canal-config
+                  key: etcd_certfile
+            - name: ETCD_KEY_FILE
+              valueFrom:
+                configMapKeyRef:
+                  name: canal-config
+                  key: etcd_keyfile
           securityContext:
             privileged: true
           volumeMounts:
@@ -117,3 +154,5 @@ spec:
             - mountPath: /var/run/calico
               name: var-run-calico
               readOnly: false
+            - name: "canal-certs"
+              mountPath: "{{ canal_cert_dir }}"
diff --git a/roles/kubernetes/node/templates/cni-canal.conf.j2 b/roles/network_plugin/canal/templates/cni-canal.conf.j2
similarity index 100%
rename from roles/kubernetes/node/templates/cni-canal.conf.j2
rename to roles/network_plugin/canal/templates/cni-canal.conf.j2