diff --git a/functions-common b/functions-common
index 4716567be3..9544c8102f 100644
--- a/functions-common
+++ b/functions-common
@@ -2207,6 +2207,18 @@ function cidr2netmask {
     echo ${1-0}.${2-0}.${3-0}.${4-0}
 }
 
+# Check if this is a valid ipv4 address string
+function is_ipv4_address {
+    local address=$1
+    local regex='([0-9]{1,3}.){3}[0-9]{1,3}'
+    # TODO(clarkb) make this more robust
+    if [[ "$address" =~ $regex ]] ; then
+        return 0
+    else
+        return 1
+    fi
+}
+
 # Gracefully cp only if source file/dir exists
 # cp_it source destination
 function cp_it {
diff --git a/lib/tls b/lib/tls
index 2c4e18d388..78d476fbf2 100644
--- a/lib/tls
+++ b/lib/tls
@@ -226,7 +226,7 @@ function init_cert {
     if [[ ! -r $DEVSTACK_CERT ]]; then
         if [[ -n "$TLS_IP" ]]; then
             # Lie to let incomplete match routines work
-            TLS_IP="DNS:$TLS_IP"
+            TLS_IP="DNS:$TLS_IP,IP:$TLS_IP"
         fi
         make_cert $INT_CA_DIR $DEVSTACK_CERT_NAME $DEVSTACK_HOSTNAME "$TLS_IP"
 
@@ -249,6 +249,9 @@ function make_cert {
         else
             alt_names="$alt_names,DNS:$SERVICE_HOST"
         fi
+        if is_ipv4_address "$SERVICE_HOST" ; then
+            alt_names="$alt_names,IP:$SERVICE_HOST"
+        fi
     fi
 
     # Only generate the certificate if it doesn't exist yet on the disk