diff --git a/ansible/group_vars/all b/ansible/group_vars/all
index c2e8771eed2..34cf1e8cfff 100644
--- a/ansible/group_vars/all
+++ b/ansible/group_vars/all
@@ -56,6 +56,9 @@ limits:
 firesPerMinute: "{{ limit_fires_per_minute | default(60) }}"
 sequenceMaxLength: "{{ limit_sequence_max_length | default(50) }}"
 
+# Moved here to avoid recursions. Please do not use outside of controller-dict.
+__controller_ssl_keyPrefix: "controller-"
+
 # port means outer port
 controller:
 dir:
@@ -83,24 +86,19 @@ controller:
 loglevel: "{{ controller_loglevel | default(whisk_loglevel) | default('INFO') }}"
 entitlement:
 spi: "{{ controller_entitlement_spi | default('') }}"
- protocol: "{{ controllerProtocolForSetup }}"
+ protocol: "{{ controller_protocol | default('https') }}"
 ssl:
 cn: openwhisk-controllers
- cert: "{{ controller_ca_cert | default('controller-openwhisk-server-cert.pem') }}"
- key: "{{ controller_key | default('controller-openwhisk-server-key.pem') }}"
- clientAuth: "{{ controller_client_auth | default('true') }}"
+ keyPrefix: "{{ __controller_ssl_keyPrefix }}"
 storeFlavor: PKCS12
+ clientAuth: "{{ controller_client_auth | default('true') }}"
+ cert: "controller-openwhisk-server-cert.pem"
+ key: "controller-openwhisk-server-key.pem"
 keystore:
- password: "{{ controllerKeystorePassword }}"
- path: "/conf/{{ controllerKeystoreName }}"
+ password: "openwhisk"
+ name: "{{ __controller_ssl_keyPrefix }}openwhisk-keystore.p12"
 extraEnv: "{{ controller_extraEnv | default({}) }}"
 
-# move controller protocol outside to not evaluate controller variables during execution of setup.yml
-controllerProtocolForSetup: "{{ controller_protocol | default('https') }}"
-controllerKeystoreName: "{{ controllerKeyPrefix }}openwhisk-keystore.p12"
-controllerKeyPrefix: "controller-"
-controllerKeystorePassword: openwhisk
-
 jmx:
 basePortController: 15000
 rmiBasePortController: 16000
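Review bot: In the second hunk, `password: "openwhisk"` under `keystore:` is now a plain literal with no `*_ | default(...)` override hook, unlike `protocol` and `clientAuth` right beside it, and the same hunk drops the `controller_ca_cert` / `controller_key` overrides that `cert` and `key` previously accepted, so a deployment can no longer bring its own certificate or keystore password through group vars. Suggest `password: "{{ controller_keystore_password | default('openwhisk') }}"` and restoring the `default(...)` form on `cert` and `key`. Note also that `cert` and `key` spell the `controller-` prefix literally while `keystore.name` derives it from `__controller_ssl_keyPrefix`; that prefix is the value handed to `genssl.sh` in setup.yml, so if the generated .pem file names follow it, changing the prefix would silently desync the two.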
diff --git a/ansible/roles/controller/tasks/deploy.yml b/ansible/roles/controller/tasks/deploy.yml
index 9c5cb3fdb31..81f434fc59d 100644
--- a/ansible/roles/controller/tasks/deploy.yml
+++ b/ansible/roles/controller/tasks/deploy.yml
@@ -58,7 +58,7 @@
 - name: copy nginx certificate keystore
 when: controller.protocol == 'https'
 copy:
- src: files/{{ controllerKeystoreName }}
+ src: files/{{ controller.ssl.keystore.name }}
 mode: 0666
 dest: "{{ controller.confdir }}/{{ controller_name }}"
 become: "{{ controller.dir.become }}"
@@ -206,7 +206,7 @@
 "METRICS_LOG": "{{ metrics.log.enabled }}"
 "CONFIG_whisk_controller_protocol": "{{ controller.protocol }}"
 "CONFIG_whisk_controller_https_keystorePath":
- "{{ controller.ssl.keystore.path }}"
+ "/conf/{{ controller.ssl.keystore.name }}"
 "CONFIG_whisk_controller_https_keystorePassword":
 "{{ controller.ssl.keystore.password }}"
 "CONFIG_whisk_controller_https_keystoreFlavor":
diff --git a/ansible/setup.yml b/ansible/setup.yml
index bb121a2f53e..a550389939a 100644
--- a/ansible/setup.yml
+++ b/ansible/setup.yml
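Review bot: The `copy` task that now takes `src: files/{{ controller.ssl.keystore.name }}` still writes the file with `mode: 0666`, which leaves the PKCS12 keystore — presumably the controller's HTTPS server key, given the `server` / `generateKey` call in setup.yml and `storeFlavor: PKCS12` — world-readable and world-writable on the host. A keystore only the controller process reads should get `mode: "0600"` (quoted: a bare `0666` is a YAML 1.1 octal integer and Ansible warns about that form), or `"0644"` if another uid genuinely needs it. The `mode` line is unchanged context, but the commit is touching this task and the keystore name it copies, so it is the natural place to fix it.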
@@ -67,18 +67,20 @@
 local_action: shell "{{ playbook_dir }}/files/genssl.sh" "openwhisk-kafka" "server_with_JKS_keystore" "{{ playbook_dir }}/roles/kafka/files" openwhisk "kafka-" "generateKey"
 when: kafka_protocol_for_setup == 'SSL'
 
+ # Generate Controller certificates
 - name: ensure controller files directory exists
 file:
 path: "{{ playbook_dir }}/roles/controller/files/"
 state: directory
 mode: 0777
 become: "{{ logs.dir.become }}"
- when: controllerProtocolForSetup == 'https'
+ when: controller.protocol == 'https'
 
 - name: generate controller certificates
- when: controllerProtocolForSetup == 'https'
- local_action: shell "{{ playbook_dir }}/files/genssl.sh" "openwhisk-controllers" "server" "{{ playbook_dir }}/roles/controller/files" {{ controllerKeystorePassword }} {{ controllerKeyPrefix }} "generateKey"
+ when: controller.protocol == 'https'
+ local_action: shell "{{ playbook_dir }}/files/genssl.sh" "{{ controller.ssl.cn }}" "server" "{{ playbook_dir }}/roles/controller/files" {{ controller.ssl.keystore.password }} {{ controller.ssl.keyPrefix }} "generateKey"
 
+ # Generate Invoker certificates
 - name: ensure invoker files directory exists
 file:
 path: "{{ playbook_dir }}/roles/invoker/files/"
diff --git a/tests/src/test/resources/application.conf.j2 b/tests/src/test/resources/application.conf.j2
index 420ebc7278f..ec40eb17e2f 100644
--- a/tests/src/test/resources/application.conf.j2
+++ b/tests/src/test/resources/application.conf.j2
@@ -59,7 +59,7 @@ whisk {
 protocol = {{ controller.protocol }}
 https {
 keystore-flavor = "{{ controller.ssl.storeFlavor }}"
- keystore-path = "{{ openwhisk_home }}/ansible/roles/controller/files/{{ controllerKeystoreName }}"
+ keystore-path = "{{ openwhisk_home }}/ansible/roles/controller/files/{{ controller.ssl.keystore.name }}"
 keystore-password = "{{ controller.ssl.keystore.password }}"
 client-auth = "{{ controller.ssl.clientAuth }}"
 }
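Review bot: The new `local_action: shell ...` line for the controller certificates splices `{{ controller.ssl.keystore.password }}` and `{{ controller.ssl.keyPrefix }}` into the command unquoted, while every neighbouring argument is double-quoted; with the current fixed values this is harmless, but the moment either is overridden from inventory a value containing spaces or shell metacharacters is split or interpreted by the shell. Use `{{ controller.ssl.keystore.password | quote }}` and `{{ controller.ssl.keyPrefix | quote }}`, and consider `no_log: true` on this task since the password is part of the command line Ansible logs. The group_vars comment removed in this commit said controller variables were deliberately not evaluated during setup.yml; the new `when: controller.protocol == 'https'` guards template the whole `controller` dict at setup time, so it is worth confirming every `default(...)` chain in that dict resolves before the controller role's own vars are loaded (the first group_vars hunk moved `__controller_ssl_keyPrefix` out of the dict for exactly that reason).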