diff --git a/src/control-node/contrail-control.conf b/src/control-node/contrail-control.conf
index 38ff0344d24..2de340e85b6 100644
--- a/src/control-node/contrail-control.conf
+++ b/src/control-node/contrail-control.conf
@@ -20,6 +20,9 @@ log_level=SYS_NOTICE
 log_local=1
 # test_mode=0
 # xmpp_auth_enable=0
+# xmpp_server_cert=/etc/contrail/ssl/certs/server.pem
+# xmpp_server_key=/etc/contrail/ssl/private/server-privkey.pem
+# xmpp_ca_cert=/etc/contrail/ssl/certs/ca-cert.pem
 # xmpp_server_port=5269
 
 # Sandesh send rate limit can be used to throttle system logs transmitted per
diff --git a/src/control-node/test/options_test.cc b/src/control-node/test/options_test.cc
index 6bbf9ff529c..275c852e44a 100644
--- a/src/control-node/test/options_test.cc
+++ b/src/control-node/test/options_test.cc
@@ -216,6 +216,9 @@ TEST_F(OptionsTest, CustomConfigFile) {
 "log_local=false\n"
 "test_mode=0\n"
 "xmpp_auth_enable=true\n"
+ "xmpp_server_cert=/etc/server.pem\n"
+ "xmpp_server_key=/etc/server.key\n"
+ "xmpp_ca_cert=/etc/ca-cert.pem\n"
 "xmpp_server_port=100\n"
 "sandesh_send_rate_limit=5\n"
 "\n"
@@ -273,6 +276,9 @@ TEST_F(OptionsTest, CustomConfigFile) {
 EXPECT_EQ(options_.xmpp_port(), 100);
 EXPECT_EQ(options_.test_mode(), false);
 EXPECT_EQ(options_.xmpp_auth_enabled(), true);
+ EXPECT_EQ(options_.xmpp_server_cert(), "/etc/server.pem");
+ EXPECT_EQ(options_.xmpp_server_key(), "/etc/server.key");
+ EXPECT_EQ(options_.xmpp_ca_cert(), "/etc/ca-cert.pem");
 EXPECT_EQ(options_.sandesh_send_rate_limit(), 5);
 }
 
diff --git a/src/dns/cmn/dns_options.cc b/src/dns/cmn/dns_options.cc
index 8c7a2d85e2f..121762b72f4 100644
--- a/src/dns/cmn/dns_options.cc
+++ b/src/dns/cmn/dns_options.cc
@@ -290,4 +290,5 @@ void Options::Process(int argc, char *argv[],
 GetOptValue(var_map, xmpp_auth_enable_, "DEFAULT.xmpp_dns_auth_enable");
 GetOptValue(var_map, xmpp_server_cert_, "DEFAULT.xmpp_server_cert");
 GetOptValue(var_map, xmpp_server_key_, "DEFAULT.xmpp_server_key");
+ GetOptValue(var_map, xmpp_ca_cert_, "DEFAULT.xmpp_ca_cert");
 }
diff --git a/src/dns/contrail-dns.conf b/src/dns/contrail-dns.conf
index 3f4d9dd4242..b9b577ac8a8 100644
--- a/src/dns/contrail-dns.conf
+++ b/src/dns/contrail-dns.conf
@@ -24,6 +24,10 @@ log_level=SYS_NOTICE
 log_local=1
 # test_mode=0
 # log_property_file= # log4cplus property file
+# xmpp_dns_auth_enable=0
+# xmpp_server_cert=/etc/contrail/ssl/certs/server.pem
+# xmpp_server_key=/etc/contrail/ssl/private/server-privkey.pem
+# xmpp_ca_cert=/etc/contrail/ssl/certs/ca-cert.pem
 
 # Sandesh send rate limit can be used to throttle system logs transmitted per
 # second. System logs are dropped if the sending rate is exceeded
diff --git a/src/dns/test/dns_options_test.cc b/src/dns/test/dns_options_test.cc
index 756049407e4..383094e6f18 100644
--- a/src/dns/test/dns_options_test.cc
+++ b/src/dns/test/dns_options_test.cc
@@ -237,6 +237,10 @@ TEST_F(OptionsTest, CustomConfigFile) {
 "test_mode=1\n"
 "log_property_file=log4cplus.prop\n"
 "sandesh_send_rate_limit=5\n"
+ "xmpp_dns_auth_enable=1\n"
+ "xmpp_server_cert=/etc/server.pem\n"
+ "xmpp_server_key=/etc/server-privkey.pem\n"
+ "xmpp_ca_cert=/etc/ca-cert.pem\n"
 "\n"
 "[DISCOVERY]\n"
 "port=100\n"
@@ -296,6 +300,10 @@ TEST_F(OptionsTest, CustomConfigFile) {
 EXPECT_EQ(options_.ifmap_certs_store(), "test-store");
 EXPECT_EQ(options_.test_mode(), true);
 EXPECT_EQ(options_.sandesh_send_rate_limit(), 5);
+ EXPECT_EQ(options_.xmpp_auth_enabled(), true);
+ EXPECT_EQ(options_.xmpp_server_cert(), "/etc/server.pem");
+ EXPECT_EQ(options_.xmpp_server_key(), "/etc/server-privkey.pem");
+ EXPECT_EQ(options_.xmpp_ca_cert(), "/etc/ca-cert.pem");
 std::remove("./dns_options_test_config_file.conf");
 }
 
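Review bot: The added `GetOptValue(var_map, xmpp_ca_cert_, "DEFAULT.xmpp_ca_cert");` at the end of Options::Process stores whatever path is configured, and nothing visible in this hunk rejects an empty CA, certificate or key path when `xmpp_auth_enable_` is true. If the TLS setup further down treats an empty CA path as "skip peer verification" (not visible here, so worth confirming), the DNS XMPP channel could run with auth nominally on while accepting any peer certificate. Consider a check right after these reads, e.g. `if (xmpp_auth_enable_ && (xmpp_server_cert_.empty() || xmpp_server_key_.empty() || xmpp_ca_cert_.empty())) { /* log and refuse to start */ }`. Process begins outside the hunk, so an existing check earlier in the function cannot be ruled out.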
diff --git a/src/vnsw/agent/contrail-vrouter-agent.conf b/src/vnsw/agent/contrail-vrouter-agent.conf
index da2f63e6f35..6542eab5c03 100644
--- a/src/vnsw/agent/contrail-vrouter-agent.conf
+++ b/src/vnsw/agent/contrail-vrouter-agent.conf
@@ -62,6 +62,13 @@ log_local=1
 # second. System logs are dropped if the sending rate is exceeded
 # sandesh_send_rate_limit=100
 
+# Enable/Disable SSL based XMPP Authentication
+# xmpp_auth_enable=false
+# xmpp_dns_auth_enable=false
+# xmpp_server_cert=/etc/contrail/ssl/certs/server.pem
+# xmpp_server_key=/etc/contrail/ssl/private/server-privkey.pem
+# xmpp_ca_cert=/etc/contrail/ssl/certs/ca-cert.pem
+
 [DISCOVERY]
 #If DEFAULT.collectors and/or CONTROL-NODE and/or DNS is not specified this
 #section is mandatory. Else this section is optional
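Review bot: The single header `# Enable/Disable SSL based XMPP Authentication` covers two switches and three file paths without saying which switch governs which channel, or that the paths only matter once a switch is on. Judging by the names, `xmpp_auth_enable` is for the control-node XMPP session and `xmpp_dns_auth_enable` for the DNS one; if that is right, say so, e.g. `# xmpp_auth_enable: TLS on the control-node XMPP channel; xmpp_dns_auth_enable: TLS on the DNS XMPP channel`. A line such as `# xmpp_server_key must be readable only by the agent's service account` would also help, since the sample points at a private key under /etc/contrail/ssl/private. The same three path comments are added to contrail-control.conf and contrail-dns.conf in this commit.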