diff --git a/lib/tls b/lib/tls
index 1e2a8993dc..202edeffbf 100644
--- a/lib/tls
+++ b/lib/tls
@@ -189,7 +189,7 @@ subjectAltName = \$ENV::SUBJECT_ALT_NAME
 " >$ca_dir/signing.conf
 }
 
-# Create root and intermediate CAs and an initial server cert
+# Create root and intermediate CAs
 # init_CA
 function init_CA {
 # Ensure CAs are built
@@ -198,7 +198,11 @@ function init_CA {
 
 # Create the CA bundle
 cat $ROOT_CA_DIR/cacert.pem $INT_CA_DIR/cacert.pem >>$INT_CA_DIR/ca-chain.pem
+}
 
+# Create an initial server cert
+# init_cert
+function init_cert {
 if [[ ! -r $DEVSTACK_CERT ]]; then
 if [[ -n "$TLS_IP" ]]; then
 # Lie to let incomplete match routines work
diff --git a/stack.sh b/stack.sh
index da6235313b..703e59dc0f 100755
--- a/stack.sh
+++ b/stack.sh
@@ -839,6 +839,7 @@ fi
 if is_service_enabled tls-proxy; then
 configure_CA
 init_CA
+init_cert
 # Add name to /etc/hosts
 # don't be naive and add to existing line!
 fi
diff --git a/tools/make_cert.sh b/tools/make_cert.sh
new file mode 100755
index 0000000000..cb93e57c4b
--- /dev/null
+++ b/tools/make_cert.sh
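Review bot: The new `init_cert` carries no precondition that the CA it signs against exists, whereas the old single `init_CA` guaranteed the CA was built before the cert step; now that `stack.sh` and `tools/make_cert.sh` call the two functions separately, a caller that skips `init_CA` reaches the signing step with no CA key and whatever error `openssl` produces. A guard at the top of the body, `[[ -r $INT_CA_DIR/cacert.pem ]] || { echo "init_cert: run init_CA first" >&2; return 1; }`, makes the dependency explicit, and the two-line header comment should also list the globals the function reads (`DEVSTACK_CERT` and `TLS_IP` are visible in the hunk; presumably the CA directory variables further down). The `$DEVSTACK_CERT` expansion in the first `[[ ! -r ... ]]` test is unquoted. The body of `init_cert` continues past the end of the hunk.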
@@ -0,0 +1,55 @@
+#!/bin/bash
+
+# **make_cert.sh**
+
+# Create a CA hierarchy (if necessary) and server certificate
+#
+# This mimics the CA structure that DevStack sets up when ``tls_proxy`` is enabled
+# but in the curent directory unless ``DATA_DIR`` is set
+
+ENABLE_TLS=True
+DATA_DIR=${DATA_DIR:-`pwd`/ca-data}
+
+ROOT_CA_DIR=$DATA_DIR/root
+INT_CA_DIR=$DATA_DIR/int
+
+# Import common functions
+source $TOP_DIR/functions
+
+# Import TLS functions
+source lib/tls
+
+function usage {
+echo "$0 - Create CA and/or certs"
+echo ""
+echo "Usage: $0 commonName [orgUnit]"
+exit 1
+}
+
+CN=$1
+if [ -z "$CN" ]]; then
+usage
+fi
+ORG_UNIT_NAME=${2:-$ORG_UNIT_NAME}
+
+# Useful on OS/X
+if [[ `uname -s` == 'Darwin' && -d /usr/local/Cellar/openssl ]]; then
+# set up for brew-installed modern OpenSSL
+OPENSSL_CONF=/usr/local/etc/openssl/openssl.cnf
+OPENSSL=/usr/local/Cellar/openssl/*/bin/openssl
+fi
+
+DEVSTACK_CERT_NAME=$CN
+DEVSTACK_HOSTNAME=$CN
+DEVSTACK_CERT=$DATA_DIR/$DEVSTACK_CERT_NAME.pem
+
+# Make sure the CA is set up
+configure_CA
+init_CA
+
+# Create the server cert
+make_cert $INT_CA_DIR $DEVSTACK_CERT_NAME $DEVSTACK_HOSTNAME
+
+# Create a cert bundle
+cat $INT_CA_DIR/private/$DEVSTACK_CERT_NAME.key $INT_CA_DIR/$DEVSTACK_CERT_NAME.crt $INT_CA_DIR/cacert.pem >$DEVSTACK_CERT
+
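Review bot: The argument check `if [ -z "$CN" ]]; then` opens with `[` but closes with `]]`, so `test` exits with a missing-`]` error rather than true, `usage` never runs, and the script goes on to request a certificate with an empty commonName; it should read `if [[ -z "$CN" ]]; then`. `TOP_DIR` is never assigned before `source $TOP_DIR/functions`, and `source lib/tls` resolves against the caller's cwd, so the tool only works from the DevStack root with `TOP_DIR` already exported; setting `TOP_DIR=$(cd "$(dirname "$0")/.." && pwd)` and sourcing `$TOP_DIR/lib/tls` makes it self-contained. The final `cat ... >$DEVSTACK_CERT` writes the private key into a bundle whose mode is whatever the caller's umask allows; a `umask 077` before that line, or `chmod 600 "$DEVSTACK_CERT"` after it, keeps the key from being readable by other users under `DATA_DIR`. Every path expansion (`$DATA_DIR`, `$DEVSTACK_CERT`, the `make_cert` arguments) is unquoted, which breaks as soon as `pwd` contains a space.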