diff --git a/lib/tls b/lib/tls
index f4740b88be..ca57ed44e0 100644
--- a/lib/tls
+++ b/lib/tls
@@ -257,6 +257,14 @@ function make_cert {
 local common_name=$3
 local alt_names=$4
+ if [ "$common_name" != "$SERVICE_HOST" ]; then
+ if [[ -z "$alt_names" ]]; then
+ alt_names="DNS:$SERVICE_HOST"
+ else
+ alt_names="$alt_names,DNS:$SERVICE_HOST"
+ fi
+ fi
+
+
 # Only generate the certificate if it doesn't exist yet on the disk
 if [ ! -r "$ca_dir/$cert_name.crt" ]; then
 # Generate a signing request
diff --git a/stack.sh b/stack.sh
index 5c16f042d8..b91c106ed8 100755
--- a/stack.sh
+++ b/stack.sh
@@ -1004,10 +1004,6 @@ if is_service_enabled keystone; then
 bootstrap_keystone
 fi
- if is_service_enabled tls-proxy; then
- export OS_CACERT=$INT_CA_DIR/ca-chain.pem
- fi
-
 # Rather than just export these, we write them out to a
 # intermediate userrc file that can also be used to debug if
 # something goes wrong between here and running
@@ -1028,6 +1024,10 @@ export OS_REGION_NAME=$REGION_NAME
 EOF
+ if is_service_enabled tls-proxy; then
+ echo "export OS_CACERT=$INT_CA_DIR/ca-chain.pem" >> $TOP_DIR/userrc_early
+ fi
+
 source $TOP_DIR/userrc_early
 create_keystone_accounts
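Review bot: The added block in make_cert always writes the extra name as `DNS:$SERVICE_HOST`, which does not cover a SERVICE_HOST that holds an IP address: TLS clients normally match an IP literal only against an iPAddress SAN, so verification would still fail in that case. The hunk does not show how SERVICE_HOST is set; if an address is possible, pick the prefix first, for example `san_type=DNS; [[ "$SERVICE_HOST" =~ ^[0-9.]+$ ]] && san_type=IP`, and append `"$san_type:$SERVICE_HOST"` (IPv6 would need its own test). An empty SERVICE_HOST would also produce a bare `DNS:` entry, so a guard such as `[[ -n "$SERVICE_HOST" ]]` on the outer condition is worth adding. The context line below generates the certificate only when the `.crt` is not yet on disk, so certificates issued before this change keep their old SAN list until they are removed. make_cert begins and ends outside the hunk.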
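Review bot: The line written by the new `echo` is expanded at write time and stored unquoted, so a CA directory path containing whitespace or shell metacharacters would be re-parsed when `userrc_early` is sourced on the following line; the redirect target `$TOP_DIR/userrc_early` is unquoted too. Writing it as `printf 'export OS_CACERT=%q\n' "$INT_CA_DIR/ca-chain.pem" >> "$TOP_DIR/userrc_early"` keeps the value a single word when the file is read back. A short comment above the `if` would also help, stating that OS_CACERT is recorded in the file rather than exported directly so that anything sourcing userrc_early later trusts the same CA chain, which appears to be the intent of moving it here.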