diff --git a/etc/kayobe/containers/pulp/pre.yml b/etc/kayobe/containers/pulp/pre.yml
index 22d999023..85af37916 100644
--- a/etc/kayobe/containers/pulp/pre.yml
+++ b/etc/kayobe/containers/pulp/pre.yml
@@ -19,3 +19,24 @@
 dest: /opt/kayobe/containers/pulp/settings.py
 mode: 0644
 become: true
+
+- name: Configure TLS for local Pulp
+ when: pulp_enable_tls | bool
+ become: true
+ block:
+ - name: Ensure /opt/kayobe/containers/pulp/certs exists
+ file:
+ path: "/opt/kayobe/containers/pulp/certs"
+ state: directory
+
+ - name: Copy TLS cert and key into container directory
+ template:
+ src: "{{ item.src }}"
+ dest: "/opt/kayobe/containers/pulp/certs/{{ item.dest }}"
+ mode: 0644
+ become: true
+ loop:
+ - src: "{{ pulp_cert_path }}"
+ dest: 'pulp_webserver.crt'
+ - src: "{{ pulp_key_path }}"
+ dest: 'pulp_webserver.key'
diff --git a/etc/kayobe/pulp.yml b/etc/kayobe/pulp.yml
index 61f7c4dba..791f3d371 100644
--- a/etc/kayobe/pulp.yml
+++ b/etc/kayobe/pulp.yml
@@ -1,10 +1,26 @@
 ---
 ###############################################################################
-# Local Pulp access credentials
+# Local Pulp server configuration
 
 # Base URL of the local Pulp service.
 # Default uses the seed node's IP on the admin network.
-pulp_url: "http://{{ admin_oc_net_name | net_ip(groups['seed'][0]) }}:80"
+pulp_url: "{{ 'https' if pulp_enable_tls | bool else 'http' }}://{{ admin_oc_net_name | net_ip(groups['seed'][0]) }}:{{ pulp_port }}"
+
+# Port on the seed node's interface on the admin network that the Pulp service
+# listens on.
+pulp_port: "{{ '443' if pulp_enable_tls | bool else '80' }}"
+
+# Whether to enable TLS for Pulp.
+pulp_enable_tls: false
+
+# Path to a TLS certificate to use when TLS is enabled.
+#pulp_cert_path:
+
+# Path to a TLS key to use when TLS is enabled.
+#pulp_key_path:
+
+###############################################################################
+# Local Pulp access credentials
 
 # Credentials used to access the local Pulp REST API.
 pulp_username: admin
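Review bot: The private key is installed with the same `mode: 0644` as the certificate in the "Copy TLS cert and key into container directory" task, which leaves `pulp_webserver.key` readable by every local account on the seed. Carry the mode per loop item instead: `mode: "{{ item.mode }}"` on the template task, with `mode: "0644"` added to the `.crt` item and `mode: "0600"` to the `.key` item (quoted, so YAML does not turn the leading-zero literal into a decimal integer). If the container process runs as a non-root uid, give the key a matching `owner`/`group` rather than loosening the mode. The `become: true` on the inner task is redundant with the one on the enclosing block, and the `file` task that creates the certs directory sets no `mode`, so it inherits the umask; an explicit `mode: "0750"` would make the intended exposure visible.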
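Review bot: `pulp_cert_path` and `pulp_key_path` are left commented out with no default, so setting `pulp_enable_tls: true` without them fails inside the `template` loop in `containers/pulp/pre.yml` with an undefined-variable error instead of a clear message. Define them with an explicit empty default (`pulp_cert_path: ""` and `pulp_key_path: ""`) and fail early in the pre-hook with an `assert` that both are non-empty when `pulp_enable_tls | bool`, e.g. `that: [pulp_cert_path | length > 0, pulp_key_path | length > 0]`. The hunk also says nothing about how consumers of `pulp_url` will verify the served certificate; a comment stating that the certificate must chain to a CA trusted by every host that uses `pulp_url` (or a variable for a CA bundle path) would steer users away from disabling verification. `pulp_port` is a quoted string, which is fine while it is only interpolated into `pulp_url`, but worth noting in its comment if it is ever passed where an integer is expected.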
diff --git a/etc/kayobe/seed.yml b/etc/kayobe/seed.yml
index 33e2637ac..dd6ed8be1 100644
--- a/etc/kayobe/seed.yml
+++ b/etc/kayobe/seed.yml
@@ -106,7 +106,7 @@ seed_pulp_container:
 image: pulp/pulp
 pre: "{{ kayobe_config_path }}/containers/pulp/pre.yml"
 post: "{{ kayobe_config_path }}/containers/pulp/post.yml"
- tag: "3.21"
+ tag: "{{ '3.21-https' if pulp_enable_tls | bool else '3.21' }}"
 network_mode: host
 # Override deploy_containers_defaults.init == true to ensure
 # s6-overlay-suexec starts as pid 1
diff --git a/releasenotes/notes/local-pulp-tls-a8e7464d8cb0d114.yaml b/releasenotes/notes/local-pulp-tls-a8e7464d8cb0d114.yaml
new file mode 100644
index 000000000..a6340bca7
--- /dev/null
+++ b/releasenotes/notes/local-pulp-tls-a8e7464d8cb0d114.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ Enable TLS for the Seed Pulp service. Set ``pulp_enable_tls: true`` and
+ provide paths to a TLS certificate and key using ``pulp_cert_path`` and
+ ``pulp_key_path`` respectively.
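Review bot: The Pulp version appears twice in the new `tag` expression (`'3.21-https'` and `'3.21'`), so a future bump has to touch both literals in step. Factor it once, e.g. `tag: "{{ '3.21' ~ ('-https' if pulp_enable_tls | bool else '') }}"`, or hoist the version into a variable next to `pulp_enable_tls` in `pulp.yml`. The bind mount that exposes `/opt/kayobe/containers/pulp/certs` (written by `pre.yml`) to the container is not visible in this hunk; the `seed_pulp_container` mapping continues outside it, and the mount is presumably defined there, but it is worth confirming the `-https` image reads its certificate and key from that location. Both values are mutable image tags; if reproducible seed deployments matter, pinning by digest would help, which applies equally to the pre-existing `"3.21"`.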