@@ -257,6 +257,14 @@ function make_cert {

     local common_name=$3

     local alt_names=$4

+    if [ "$common_name" != "$SERVICE_HOST" ]; then

+        if [[ -z "$alt_names" ]]; then

+            alt_names="DNS:$SERVICE_HOST"

+        else

+            alt_names="$alt_names,DNS:$SERVICE_HOST"

+        fi

+    fi

+

     # Only generate the certificate if it doesn't exist yet on the disk

     if [ ! -r "$ca_dir/$cert_name.crt" ]; then

         # Generate a signing request

@@ -1004,10 +1004,6 @@ if is_service_enabled keystone; then

         bootstrap_keystone

     fi

-    if is_service_enabled tls-proxy; then

-        export OS_CACERT=$INT_CA_DIR/ca-chain.pem

-    fi

-

     # Rather than just export these, we write them out to a

     # intermediate userrc file that can also be used to debug if

     # something goes wrong between here and running

@@ -1028,6 +1024,10 @@ export OS_REGION_NAME=$REGION_NAME

 EOF

+    if is_service_enabled tls-proxy; then

+        echo "export OS_CACERT=$INT_CA_DIR/ca-chain.pem" >> $TOP_DIR/userrc_early

+    fi

+

     source $TOP_DIR/userrc_early

     create_keystone_accounts