diff --git a/lib/tls b/lib/tls
index 40f3e81438..14cdf19d8e 100644
--- a/lib/tls
+++ b/lib/tls
@@ -201,7 +201,6 @@ subjectAltName          = \$ENV::SUBJECT_ALT_NAME
 # Create root and intermediate CAs
 # init_CA
 function init_CA {
-    fix_system_ca_bundle_path
     # Ensure CAs are built
     make_root_CA $ROOT_CA_DIR
     make_int_CA $INT_CA_DIR $ROOT_CA_DIR
diff --git a/stack.sh b/stack.sh
index 54485b60b9..f20c9d9ae3 100755
--- a/stack.sh
+++ b/stack.sh
@@ -809,6 +809,13 @@ if is_service_enabled cinder nova; then
     install_os_brick
 fi
 
+# Setup TLS certs
+if is_service_enabled tls-proxy || [ "$USE_SSL" == "True" ]; then
+    configure_CA
+    init_CA
+    init_cert
+fi
+
 # Install middleware
 install_keystonemiddleware
 
@@ -881,14 +888,9 @@ if is_service_enabled heat; then
 fi
 
 if is_service_enabled tls-proxy || [ "$USE_SSL" == "True" ]; then
-    configure_CA
-    init_CA
-    init_cert
-    # Add name to ``/etc/hosts``.
-    # Don't be naive and add to existing line!
+    fix_system_ca_bundle_path
 fi
 
-
 # Extras Install
 # --------------
 
diff --git a/tools/make_cert.sh b/tools/make_cert.sh
index 2628b40524..e91464fc0f 100755
--- a/tools/make_cert.sh
+++ b/tools/make_cert.sh
@@ -45,6 +45,7 @@ DEVSTACK_CERT=$DATA_DIR/$DEVSTACK_CERT_NAME.pem
 
 # Make sure the CA is set up
 configure_CA
+fix_system_ca_bundle_path
 init_CA
 
 # Create the server cert