diff --git a/manifests/config.pp b/manifests/config.pp index 86364b5f5..845773d16 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -19,6 +19,10 @@ } } + # Used in the settings template + $websockets_ssl_cert = pick($foreman::websockets_ssl_cert, $foreman::server_ssl_cert) + $websockets_ssl_key = pick($foreman::websockets_ssl_key, $foreman::server_ssl_key) + concat::fragment {'foreman_settings+01-header.yaml': target => '/etc/foreman/settings.yaml', content => template('foreman/settings.yaml.erb'), diff --git a/manifests/init.pp b/manifests/init.pp index 3136b253b..2d7a9f568 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -273,8 +273,8 @@ String $pam_service = $foreman::params::pam_service, Boolean $ipa_manage_sssd = $foreman::params::ipa_manage_sssd, Boolean $websockets_encrypt = $foreman::params::websockets_encrypt, - Stdlib::Absolutepath $websockets_ssl_key = $foreman::params::websockets_ssl_key, - Stdlib::Absolutepath $websockets_ssl_cert = $foreman::params::websockets_ssl_cert, + Optional[Stdlib::Absolutepath] $websockets_ssl_key = $foreman::params::websockets_ssl_key, + Optional[Stdlib::Absolutepath] $websockets_ssl_cert = $foreman::params::websockets_ssl_cert, Enum['debug', 'info', 'warn', 'error', 'fatal'] $logging_level = $foreman::params::logging_level, Enum['file', 'syslog', 'journald'] $logging_type = $foreman::params::logging_type, Enum['pattern', 'multiline_pattern', 'json'] $logging_layout = $foreman::params::logging_layout, diff --git a/manifests/params.pp b/manifests/params.pp index 96c440791..781affdd2 100644 --- a/manifests/params.pp +++ b/manifests/params.pp @@ -183,8 +183,8 @@ # Websockets $websockets_encrypt = true - $websockets_ssl_key = $server_ssl_key - $websockets_ssl_cert = $server_ssl_cert + $websockets_ssl_key = undef + $websockets_ssl_cert = undef # Application logging $logging_level = 'info' diff --git a/spec/classes/foreman_spec.rb b/spec/classes/foreman_spec.rb index c00a42667..5e5a910c6 100644 
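Review bot: The two `pick()` calls in manifests/config.pp resolve the certificate and the key independently, so setting only `websockets_ssl_cert` (or only `websockets_ssl_key`) yields one custom file paired with the server's counterpart, and nothing at compile time catches the mismatch. A guard ahead of the picks would turn that into a catalog error rather than a TLS failure when the websocket listener starts (presumably; the consumer is not visible here): `if ($foreman::websockets_ssl_cert =~ Undef) != ($foreman::websockets_ssl_key =~ Undef) { fail('websockets_ssl_cert and websockets_ssl_key must be set together') }`. Note also that `pick()` aborts compilation with a generic message if `server_ssl_cert`/`server_ssl_key` are unset as well. The enclosing class starts and ends outside the hunk.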
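Review bot: With `websockets_ssl_key` and `websockets_ssl_cert` now `Optional` in manifests/init.pp, their parameter documentation should say what leaving them unset means; the hunk changes only the types, and the parameter docs sit outside it. Wording such as `SSL key file used for encrypted websockets; when unset, the value of server_ssl_key is used` (and the equivalent for the certificate) tells an operator that the websocket endpoint then shares the web server's key pair. The matching defaults in manifests/params.pp change to `undef` in the same commit and need no separate note.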
--- a/spec/classes/foreman_spec.rb +++ b/spec/classes/foreman_spec.rb @@ -31,6 +31,8 @@ .with_content(/^:oauth_consumer_key:\s*\w+$/) .with_content(/^:oauth_consumer_secret:\s*\w+$/) .with_content(/^:websockets_encrypt:\s*true$/) + .with_content(%r{^:websockets_ssl_key:\s*/etc/puppetlabs/puppet/ssl/private_keys/foo\.example\.com\.pem$}) + .with_content(%r{^:websockets_ssl_cert:\s*/etc/puppetlabs/puppet/ssl/certs/foo\.example\.com\.pem$}) .with_content(%r{^:ssl_certificate:\s*/etc/puppetlabs/puppet/ssl/certs/foo\.example\.com\.pem$}) .with_content(%r{^:ssl_ca_file:\s*/etc/puppetlabs/puppet/ssl/certs/ca.pem$}) .with_content(%r{^:ssl_priv_key:\s*/etc/puppetlabs/puppet/ssl/private_keys/foo\.example\.com\.pem$}) @@ -236,8 +238,8 @@ pam_service: 'foreman', ipa_manage_sssd: true, websockets_encrypt: true, - websockets_ssl_key: '/etc/ssl/private/snakeoil.pem', - websockets_ssl_cert: '/etc/ssl/certs/snakeoil.pem', + websockets_ssl_key: '/etc/ssl/private/snakeoil-ws.pem', + websockets_ssl_cert: '/etc/ssl/certs/snakeoil-ws.pem', logging_level: 'info', loggers: {}, email_delivery_method: 'sendmail', @@ -260,6 +262,12 @@ .with_keycloak_app_name('cloak-app') .with_keycloak_realm('myrealm') end + + it 'should configure certificates in settings.yaml' do + is_expected.to contain_concat__fragment('foreman_settings+01-header.yaml') + .with_content(%r{^:websockets_ssl_key: /etc/ssl/private/snakeoil-ws\.pem$}) + .with_content(%r{^:websockets_ssl_cert: /etc/ssl/certs/snakeoil-ws\.pem$}) + end end context 'with journald logging' do diff --git a/templates/settings.yaml.erb b/templates/settings.yaml.erb index 61d0969f5..383b490e5 100644 --- a/templates/settings.yaml.erb +++ b/templates/settings.yaml.erb 
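Review bot: No example in spec/classes/foreman_spec.rb sets only one of `websockets_ssl_key` / `websockets_ssl_cert`; the new `should configure certificates in settings.yaml` example overrides both and the default-case matchers cover neither. That mixed case is where the independent `pick()` fallbacks in manifests/config.pp produce a custom file paired with a server file, so an example passing only `websockets_ssl_cert` would pin whichever behaviour is intended (a fallback or a compile error). As a minor style point, the new example matches a literal space after the colon while the matchers added in the first hunk use `\s*`; using one form in both keeps the expectations consistent.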
@@ -17,8 +17,8 @@ # Websockets :websockets_encrypt: <%= scope.lookupvar("foreman::websockets_encrypt") %> -:websockets_ssl_key: <%= scope.lookupvar("foreman::websockets_ssl_key") %> -:websockets_ssl_cert: <%= scope.lookupvar("foreman::websockets_ssl_cert") %> +:websockets_ssl_key: <%= @websockets_ssl_key %> +:websockets_ssl_cert: <%= @websockets_ssl_cert %> # SSL-settings :ssl_certificate: <%= scope.lookupvar("foreman::client_ssl_cert") %>