diff --git a/slapos/recipe/neoppod.py b/slapos/recipe/neoppod.py
index 20c2c7292b460493d41ff408dac41f9a7b4194ac..bca651b40795f027fce72c47ae8b1cfa262f0c16 100644
--- a/slapos/recipe/neoppod.py
+++ b/slapos/recipe/neoppod.py
@@ -50,6 +50,12 @@ class NeoBaseRecipe(GenericBaseRecipe):
       #'-n', options['name'],
       '-c', options['cluster'],
     ]
+    if options['ssl']:
+      option_list += (
+        '--ca', '~/etc/ca.crt',
+        '--cert', '~/etc/neo.crt',
+        '--key', '~/etc/neo.key',
+        )
     option_list.extend(self._getOptionList())
     return [self.createPythonScript(
       options['wrapper'],
diff --git a/software/erp5/instance-erp5-input-schema.json b/software/erp5/instance-erp5-input-schema.json
index 1bff4fb81f66f3fe9373c817ae79847861a656fb..e75918b63277c92911102c9090bae0c5108c1610 100644
--- a/software/erp5/instance-erp5-input-schema.json
+++ b/software/erp5/instance-erp5-input-schema.json
@@ -220,6 +220,13 @@
           },
           "storage-dict": {
             "description": "Storage configuration. For NEO, 'logfile' is automatically set (see http://git.erp5.org/gitweb/neoppod.git/blob/HEAD:/neo/client/component.xml for other settings).",
+            "properties": {
+              "ssl": {
+                "description": "For external NEO. Pass false if you want to disable SSL or pass custom values for ca/cert/key.",
+                "default": true,
+                "type": "boolean"
+              }
+            },
             "additionalProperties": {"type": "string"},
             "type": "object"
           }
diff --git a/software/neoppod/instance-neo-admin.cfg.in b/software/neoppod/instance-neo-admin.cfg.in
index 4f561a25bf27cca501b9144c3b75b588095feefc..f37cdf982a925ce22fb555fe785a11d34e4ee4af 100644
--- a/software/neoppod/instance-neo-admin.cfg.in
+++ b/software/neoppod/instance-neo-admin.cfg.in
@@ -10,6 +10,7 @@ wrapper = ${directory:etc_run}/neoadmin
 logfile = ${directory:log}/neoadmin.log
 ip = ${publish:ip}
 port = ${publish:port-admin}
+ssl = {{ dumps(slapparameter_dict['ssl']) }}
 cluster = {{ dumps(slapparameter_dict['cluster']) }}
 masters = ${publish:masters}
 
diff --git a/software/neoppod/instance-neo-input-schema.json b/software/neoppod/instance-neo-input-schema.json
index 0dac81f5949d3276484393be61981de00fa7c924..1ddb3625634c034afff6ce6a8ef5a128c277724f 100644
--- a/software/neoppod/instance-neo-input-schema.json
+++ b/software/neoppod/instance-neo-input-schema.json
@@ -35,6 +35,11 @@
       },
       "type": "object"
     },
+    "ssl": {
+      "description": "Enable SSL. All nodes look for 3 files in ~/etc: ca.crt, neo.crt, neo.key. Waiting that SlapOS provides a way to manage certificates, the user must deploy them manually.",
+      "default": true,
+      "type": "boolean"
+    },
     "node-list": {
       "description": "List of dictionaries containing parameters for each node.",
       "items": {
diff --git a/software/neoppod/instance-neo-master.cfg.in b/software/neoppod/instance-neo-master.cfg.in
index 3cbe31a8da4eec79f5ce60a093cb99eba32d9703..4338bdffcdf2ae2375d09084670cb6948906c674 100644
--- a/software/neoppod/instance-neo-master.cfg.in
+++ b/software/neoppod/instance-neo-master.cfg.in
@@ -10,6 +10,7 @@ wrapper = ${directory:etc_run}/neomaster
 logfile = ${directory:log}/neomaster.log
 ip = ${publish:ip}
 port = ${publish:port-master}
+ssl = {{ dumps(slapparameter_dict['ssl']) }}
 cluster = {{ dumps(slapparameter_dict['cluster']) }}
 partitions = {{ slapparameter_dict['partitions'] }}
 replicas = {{ slapparameter_dict['replicas'] }}
diff --git a/software/neoppod/instance-neo-storage-mysql.cfg.in b/software/neoppod/instance-neo-storage-mysql.cfg.in
index 262b3d0df30cc9d537fc67eb2270554ec95446bc..1be3ab1d163674e2e9978ade85277d11240a113b 100644
--- a/software/neoppod/instance-neo-storage-mysql.cfg.in
+++ b/software/neoppod/instance-neo-storage-mysql.cfg.in
@@ -65,6 +65,7 @@ admins = {{ ' '.join(sorted(admin_list)) }}
 recipe = slapos.cookbook:neoppod.storage
 binary = {{ bin_directory }}/neostorage
 ip = ${publish:ip}
+ssl = {{ dumps(slapparameter_dict['ssl']) }}
 cluster = {{ dumps(slapparameter_dict['cluster']) }}
 masters = ${publish:masters}
 database-adapter = MySQL
diff --git a/software/neoppod/root-common.cfg.in b/software/neoppod/root-common.cfg.in
index 3116241ba1774f2690e1538c76a7ca275132330f..7a28c9bba9202b1ba023fe65db94cdfe3cd90d91 100644
--- a/software/neoppod/root-common.cfg.in
+++ b/software/neoppod/root-common.cfg.in
@@ -42,6 +42,7 @@ config-cluster = {{ parameter_dict['cluster'] }}
 {% set replicas = parameter_dict.get('replicas', 0) -%}
 config-partitions = {{ dumps(parameter_dict.get('partitions', 12)) }}
 config-replicas = {{ dumps(replicas) }}
+config-ssl = {{ dumps(parameter_dict.get('ssl', 1)) }}
 config-upstream-cluster = {{ dumps(parameter_dict.get('upstream-cluster', '')) }}
 config-upstream-masters = {{ dumps(parameter_dict.get('upstream-masters', '')) }}
 software-type = {{ software_type }}
diff --git a/software/neoppod/software-common.cfg b/software/neoppod/software-common.cfg
index 2b3fbba46de2a60db80f288ee70e88960e5a0627..a41aba9c74321ebcd82d4bb2eabbb15271481a51 100644
--- a/software/neoppod/software-common.cfg
+++ b/software/neoppod/software-common.cfg
@@ -74,19 +74,19 @@ context =
 
 [root-common]
 <= download-base-neo
-md5sum = 26193dbb132d340c8ba919a616449a17
+md5sum = 88c34cfa913b89b2ed4c69168965cf84
 
 [instance-neo-admin]
 <= download-base-neo
-md5sum = 16d11f0fe74de06aebbadcff3527db1c
+md5sum = 7bbe0285e499f011dad68825a2264cad
 
 [instance-neo-master]
 <= download-base-neo
-md5sum = 023f08763dbba2319f58e5c597f7761d
+md5sum = 0cf303254855c3e1a8e3819004bee70f
 
 [instance-neo-storage-mysql]
 <= download-base-neo
-md5sum = 14ccd057f51521f110a130f0d4aaebbd
+md5sum = 0b62b63540d1bd1a2802f44aff5d1a57
 
 [template-neo-my-cnf]
 <= download-base-neo
diff --git a/stack/erp5/buildout.cfg b/stack/erp5/buildout.cfg
index 2a976babbb904a137c7e0f4680d923ae0daac4f0..9c4e6ed85e3730bb46773afb4f8e550465416021 100644
--- a/stack/erp5/buildout.cfg
+++ b/stack/erp5/buildout.cfg
@@ -317,7 +317,7 @@ rendered = ${monitor-template-dummy:target}
 [template-erp5]
 <= download-base
 filename = instance-erp5.cfg.in
-md5sum = 60cdf98d996f220d66daa11452c3f4bf
+md5sum = e8348f675195f25cf4212b72cb8a907b
 
 [template-zeo]
 <= download-base
@@ -327,7 +327,7 @@ md5sum = 9670cf63099e2c520017a23defff51a4
 [template-zope]
 <= download-base
 filename = instance-zope.cfg.in
-md5sum = 44c4aa068cffe2c1d8320d59e6d1c499
+md5sum = bf997f8bd9cacea96a514589bd7578a9
 link-binary =
   ${aspell:location}/bin/aspell
   ${dmtx-utils:location}/bin/dmtxwrite
diff --git a/stack/erp5/instance-erp5.cfg.in b/stack/erp5/instance-erp5.cfg.in
index 34b859359809415a1a70ff3539e649ec652d57d5..58209878b3c57c638b2c4c0d4497528f39fae585 100644
--- a/stack/erp5/instance-erp5.cfg.in
+++ b/stack/erp5/instance-erp5.cfg.in
@@ -62,8 +62,11 @@ connection-url = smtp://127.0.0.2:0/
 {%   if server_type == 'neo' -%}
 {%     set ((name, server_dict),) = server_dict.items() -%}
 {%     do neo.append(server_dict.get('cluster')) -%}
-{%     do server_dict.__setitem__('cluster', '${publish-early:neo-cluster}') -%}
+{%     do server_dict.update(cluster='${publish-early:neo-cluster}') -%}
 {{     root_common.request_neo(server_dict, 'zodb-neo', 'neo-') }}
+{%     if not server_dict.get('ssl', 1) -%}
+{%       do zodb_dict[name].setdefault('storage-dict', {}).update(ssl=0) -%}
+{%     endif -%}
 {%   else -%}
 {{     assert(server_type == 'zeo', server_type) -}}
 {# BBB: for compatibility, keep 'zodb' as partition_reference for ZEO -#}
diff --git a/stack/erp5/instance-zope.cfg.in b/stack/erp5/instance-zope.cfg.in
index f1d83dc0337d2d231072d26543848358a8f5a3d3..c7e9485f3f87d361378338221849acf5df952a4a 100644
--- a/stack/erp5/instance-zope.cfg.in
+++ b/stack/erp5/instance-zope.cfg.in
@@ -192,9 +192,23 @@ bt5-repository =
 [zope-conf-parameter-base]
 ip = {{ ipv4 }}
 site-id = {{ site_id }}
-{% set storage_dict = {'neo': {}, 'zeo': slapparameter_dict.get('zodb-zeo', {})} -%}
+{% set zeo_dict = slapparameter_dict.get('zodb-zeo', {}) -%}
 {% for name, zodb in zodb_dict.iteritems() -%}
-{%   do zodb.setdefault('storage-dict', {}).update(storage_dict[zodb['type']].get(name, {})) -%}
+{%   set storage_dict = zodb.setdefault('storage-dict', {}) -%}
+{%   if zodb['type'] == 'zeo' -%}
+{%     do storage_dict.update(zeo_dict.get(name, ())) -%}
+{%   else -%}
+{%     if name == slapparameter_dict.get('neo-name') -%}
+{%       do storage_dict.update(master_nodes=slapparameter_dict['neo-masters'],
+                                name=slapparameter_dict['neo-cluster']) -%}
+{%     endif -%}
+{{     assert(storage_dict['master_nodes'], name) }}
+{%     if storage_dict.pop('ssl', 1) -%}
+{%       do storage_dict.update(ca='~/etc/ca.crt',
+                                cert='~/etc/neo.crt',
+                                key='~/etc/neo.key') -%}
+{%     endif -%}
+{%   endif -%}
 {% endfor -%}
 developer-list = {{ dumps(slapparameter_dict['developer-list']) }}
 instance = ${directory:instance}
@@ -250,14 +264,9 @@ node-id = {{ dumps(node_id_base ~ '-' ~ index) }}
 {% for db_name, zodb in zodb_dict.iteritems() -%}
 {%   if zodb['type'] == 'neo' -%}
 {%     do import_set.add('neo.client') -%}
-{%     set log = buildout_directory ~ '/var/log/' ~ name ~ '-neo-' ~ db_name ~ '.log' -%}
+{%     set log = '~/var/log/' ~ name ~ '-neo-' ~ db_name ~ '.log' -%}
 {%     do log_list.append(log) -%}
-{%     do zodb['storage-dict'].__setitem__('logfile', log) -%}
-{%     if db_name == slapparameter_dict.get('neo-name') -%}
-{%       do zodb['storage-dict'].__setitem__('name', slapparameter_dict['neo-cluster']) -%}
-{%       do zodb['storage-dict'].__setitem__('master_nodes', slapparameter_dict['neo-masters']) -%}
-{%     endif -%}
-{{     assert(zodb['storage-dict']['master_nodes'], db_name) }}
+{%     do zodb['storage-dict'].update(logfile=log) -%}
 {%   endif -%}
 {% endfor -%}
 import-list = {{ dumps(list(import_set)) }}