diff --git a/barbican/templates/ingress-api.yaml b/barbican/templates/ingress-api.yaml index f0bf5f6843..9e1734f23f 100644 --- a/barbican/templates/ingress-api.yaml +++ b/barbican/templates/ingress-api.yaml @@ -15,6 +15,6 @@ limitations under the License. */}} {{- if and .Values.manifests.ingress_api .Values.network.api.ingress.public }} -{{- $ingressOpts := dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" -}} +{{- $ingressOpts := dict "envAll" . "backendServiceType" "key_manager" "backendPort" "b-api" -}} {{ $ingressOpts | include "helm-toolkit.manifests.ingress" }} {{- end }} diff --git a/barbican/templates/secret-ingress-tls.yaml b/barbican/templates/secret-ingress-tls.yaml new file mode 100644 index 0000000000..cd58e51d71 --- /dev/null +++ b/barbican/templates/secret-ingress-tls.yaml @@ -0,0 +1,19 @@ +{{/* +Copyright 2017-2018 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.secret_ingress_tls }} +{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "key_manager" ) }} +{{- end }} diff --git a/barbican/values.yaml b/barbican/values.yaml index b7a803975a..42e9f387fd 100644 --- a/barbican/values.yaml +++ b/barbican/values.yaml @@ -438,6 +438,10 @@ secrets: oslo_messaging: admin: barbican-rabbitmq-admin barbican: barbican-rabbitmq-user + tls: + key_manager: + api: + public: barbican-tls-public endpoints: cluster_domain_suffix: cluster.local 
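Review bot: The include in the new barbican/templates/secret-ingress-tls.yaml fires whenever `.Values.manifests.secret_ingress_tls` is true, which the values.yaml hunk of this same commit makes the default, but nothing in the template checks that a certificate and key were actually supplied under the `host_fqdn_override.public.tls` block that the NOTE comments in this commit describe as defaulting to null. Whether that renders an empty `kubernetes.io/tls` Secret, fails the render, or emits nothing depends on `helm-toolkit.manifests.secret_ingress_tls`, which is outside this diff; if the helper does not guard on the tls values itself, the condition here should, along the lines of `{{- if and .Values.manifests.secret_ingress_tls <path-to-tls-values> }}` (placeholder: the exact value path has to be confirmed against the helper). The same gap applies to the cinder, glance, heat, horizon, keystone, neutron and nova templates added in this commit, and to the ceph-client one, whose extra `deployment.ceph`/`conf.features.rgw` condition does not cover it either.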
@@ -569,6 +573,7 @@ manifests: pdb_api: true pod_test: true secret_db: true + secret_ingress_tls: true secret_keystone: true secret_rabbitmq: true service_ingress_api: true diff --git a/ceph-client/templates/secret-ingress-tls.yaml b/ceph-client/templates/secret-ingress-tls.yaml new file mode 100644 index 0000000000..dee370f370 --- /dev/null +++ b/ceph-client/templates/secret-ingress-tls.yaml @@ -0,0 +1,19 @@ +{{/* +Copyright 2017-2018 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.manifests.secret_ingress_tls ( and .Values.deployment.ceph .Values.conf.features.rgw ) }} +{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "object_store" ) }} +{{- end }} diff --git a/ceph-client/values.yaml b/ceph-client/values.yaml index fdc54230f5..9a1b5baaf4 100644 --- a/ceph-client/values.yaml +++ b/ceph-client/values.yaml @@ -160,6 +160,10 @@ secrets: admin: ceph-keystone-admin swift: ceph-keystone-user user_rgw: ceph-keystone-user-rgw + tls: + object_store: + api: + public: ceph-tls-public network: api: @@ -505,6 +509,13 @@ endpoints: public: radosgw host_fqdn_override: default: null + # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public + # endpoints using the following format: + # public: + # host: null + # tls: + # crt: null + # key: null path: default: /swift/v1/KEY_$(tenant_id)s scheme: 
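Review bot: The NOTE added under `host_fqdn_override` in ceph-client/values.yaml tells operators to put the private key into chart values as `tls.key`, but does not say that anything passed as values is persisted in the Helm release record (in Helm 2, ConfigMaps in the Tiller namespace) and echoed back by `helm get values`, so the key's exposure is wider than the Secret it finally lands in. One more comment line would cover it, e.g. `# NOTE: values, including the key, are also kept in the Helm release storage; supply them from a restricted values file rather than committing them here.` The comment also spells "overridden" as "over-ridden". The identical NOTE is repeated in the cinder, glance, heat, horizon, keystone, neutron and nova values.yaml hunks of this commit.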
@@ -564,6 +575,7 @@ manifests: job_namespace_client_key_cleaner: true job_namespace_client_key: true job_rbd_pool: true + secret_ingress_tls: true secret_keystone_rgw: true secret_keystone: true service_ingress_rgw: true diff --git a/cinder/templates/secret-ingress-tls.yaml b/cinder/templates/secret-ingress-tls.yaml new file mode 100644 index 0000000000..a787387841 --- /dev/null +++ b/cinder/templates/secret-ingress-tls.yaml @@ -0,0 +1,19 @@ +{{/* +Copyright 2017-2018 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.secret_ingress_tls }} +{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "volume" ) }} +{{- end }} diff --git a/cinder/values.yaml b/cinder/values.yaml index b61e0fa8fa..66aa477e49 100644 --- a/cinder/values.yaml +++ b/cinder/values.yaml @@ -934,6 +934,10 @@ secrets: oslo_messaging: admin: cinder-rabbitmq-admin cinder: cinder-rabbitmq-user + tls: + volume: + api: + public: cinder-tls-public # We use a different layout of the endpoints here to account for versioning # this swaps the service name and type, and should be rolled out to other @@ -1029,6 +1033,13 @@ endpoints: public: cinder host_fqdn_override: default: null + # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public + # endpoints using the following format: + # public: + # host: null + # tls: + # crt: null + # key: null path: default: '/v1/%(tenant_id)s' scheme: 
@@ -1044,6 +1055,13 @@ endpoints:
 public: cinder
 host_fqdn_override:
 default: null
+ # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
+ # endpoints using the following format:
+ # public:
+ # host: null
+ # tls:
+ # crt: null
+ # key: null
 path:
 default: '/v2/%(tenant_id)s'
 scheme:
@@ -1059,6 +1077,13 @@ endpoints:
 public: cinder
 host_fqdn_override:
 default: null
+ # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
+ # endpoints using the following format:
+ # public:
+ # host: null
+ # tls:
+ # crt: null
+ # key: null
 path:
 default: '/v3/%(tenant_id)s'
 scheme:
@@ -1144,6 +1169,7 @@ manifests:
 pod_rally_test: true
 pvc_backup: true
 secret_db: true
+ secret_ingress_tls: true
 secret_keystone: true
 secret_rabbitmq: true
 service_api: true
diff --git a/glance/templates/secret-ingress-tls.yaml b/glance/templates/secret-ingress-tls.yaml
new file mode 100644
index 0000000000..f9b4ae5eae
--- /dev/null
+++ b/glance/templates/secret-ingress-tls.yaml
@@ -0,0 +1,19 @@
+{{/*
+Copyright 2017-2018 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ingress_tls }}
+{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "image" ) }}
+{{- end }}
diff --git a/glance/values.yaml b/glance/values.yaml
index 4ff296c79f..fb2ad013ba 100644
--- a/glance/values.yaml
+++ b/glance/values.yaml
@@ -441,6 +441,10 @@ secrets: oslo_messaging: admin: glance-rabbitmq-admin glance: glance-rabbitmq-user + tls: + image: + api: + public: glance-tls-public # typically overridden by environmental @@ -507,6 +511,13 @@ endpoints: public: glance host_fqdn_override: default: null + # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public + # endpoints using the following format: + # public: + # host: null + # tls: + # crt: null + # key: null path: default: null scheme: @@ -781,6 +792,7 @@ manifests: pod_rally_test: true pvc_images: true secret_db: true + secret_ingress_tls: true secret_keystone: true secret_rabbitmq: true service_ingress_api: true diff --git a/heat/templates/secret-ingress-tls.yaml b/heat/templates/secret-ingress-tls.yaml new file mode 100644 index 0000000000..76fec5bc5c --- /dev/null +++ b/heat/templates/secret-ingress-tls.yaml @@ -0,0 +1,20 @@ +{{/* +Copyright 2017-2018 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.secret_ingress_tls }} +{{ include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "orchestration" ) }} +{{ include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "cfn" "backendServiceType" "cloudformation" ) }} +{{- end }} diff --git a/heat/values.yaml b/heat/values.yaml index 990cc2649d..358bd57abc 100644 --- a/heat/values.yaml +++ b/heat/values.yaml 
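Review bot: The two include lines in the new heat/templates/secret-ingress-tls.yaml use `{{ include` where every other secret-ingress-tls template in this commit uses `{{- include`, so the rendered output for heat carries extra blank lines around each Secret; harmless to the API server, but `{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "orchestration" ) }}` (and likewise for the cfn line) would match the rest. The nova template later in this commit has the same inconsistency on its three include lines. Since both templates emit more than one Secret from a single file, it is also worth confirming that the helper itself emits the `---` document separator, which is not visible in this diff.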
@@ -664,6 +664,13 @@ secrets: oslo_messaging: admin: heat-rabbitmq-admin heat: heat-rabbitmq-user + tls: + orchestration: + api: + public: heat-tls-public + cloudformation: + cfn: + public: cloudformation-tls-public # typically overridden by environmental # values, but should include all endpoints @@ -745,6 +752,13 @@ endpoints: public: heat host_fqdn_override: default: null + # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public + # endpoints using the following format: + # public: + # host: null + # tls: + # crt: null + # key: null path: default: '/v1/%(project_id)s' scheme: @@ -760,6 +774,13 @@ endpoints: public: cloudformation host_fqdn_override: default: null + # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public + # endpoints using the following format: + # public: + # host: null + # tls: + # crt: null + # key: null path: default: /v1 scheme: @@ -1044,6 +1065,7 @@ manifests: pdb_cloudwatch: false pod_rally_test: true secret_db: true + secret_ingress_tls: true secret_keystone: true secret_rabbitmq: true service_api: true diff --git a/horizon/templates/secret-ingress-tls.yaml b/horizon/templates/secret-ingress-tls.yaml new file mode 100644 index 0000000000..04705bc362 --- /dev/null +++ b/horizon/templates/secret-ingress-tls.yaml 
@@ -0,0 +1,19 @@ +{{/* +Copyright 2017-2018 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.secret_ingress_tls }} +{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "dashboard" "backendServiceType" "dashboard" ) }} +{{- end }} diff --git a/horizon/values.yaml b/horizon/values.yaml index 78eb30ffd7..8e9e41db86 100644 --- a/horizon/values.yaml +++ b/horizon/values.yaml @@ -1974,6 +1974,10 @@ secrets: oslo_db: admin: horizon-db-admin horizon: horizon-db-user + tls: + dashboard: + dashboard: + public: horizon-tls-public # typically overridden by environmental # values, but should include all endpoints @@ -2023,6 +2027,13 @@ endpoints: public: horizon host_fqdn_override: default: null + # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public + # endpoints using the following format: + # public: + # host: null + # tls: + # crt: null + # key: null path: default: null scheme: @@ -2059,5 +2070,6 @@ manifests: job_image_repo_sync: true pdb: true secret_db: true + secret_ingress_tls: true service_ingress: true service: true diff --git a/keystone/templates/secret-ingress-tls.yaml b/keystone/templates/secret-ingress-tls.yaml new file mode 100644 index 0000000000..3b57b4aa28 --- /dev/null +++ b/keystone/templates/secret-ingress-tls.yaml 
@@ -0,0 +1,19 @@ +{{/* +Copyright 2017-2018 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.secret_ingress_tls }} +{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendServiceType" "identity" ) }} +{{- end }} diff --git a/keystone/values.yaml b/keystone/values.yaml index 3d6d901157..439cdfd0b4 100644 --- a/keystone/values.yaml +++ b/keystone/values.yaml @@ -789,6 +789,10 @@ secrets: keystone: keystone-rabbitmq-user ldap: tls: keystone-ldap-tls + tls: + identity: + api: + public: keystone-tls-public # typically overridden by environmental # values, but should include all endpoints @@ -831,6 +835,13 @@ endpoints: public: keystone host_fqdn_override: default: null + # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public + # endpoints using the following format: + # public: + # host: null + # tls: + # crt: null + # key: null path: default: /v3 scheme: @@ -922,6 +933,7 @@ manifests: secret_credential_keys: true secret_db: true secret_fernet_keys: true + secret_ingress_tls: true secret_keystone: true secret_rabbitmq: true service_ingress_api: true diff --git a/neutron/templates/secret-ingress-tls.yaml b/neutron/templates/secret-ingress-tls.yaml new file mode 100644 index 0000000000..1a15f2468b --- /dev/null +++ b/neutron/templates/secret-ingress-tls.yaml 
@@ -0,0 +1,19 @@ +{{/* +Copyright 2017-2018 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.secret_ingress_tls }} +{{- include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "server" "backendServiceType" "network" ) }} +{{- end }} diff --git a/neutron/values.yaml b/neutron/values.yaml index d3fb64d719..5f80d81a4d 100644 --- a/neutron/values.yaml +++ b/neutron/values.yaml @@ -1557,6 +1557,10 @@ secrets: oslo_messaging: admin: neutron-rabbitmq-admin neutron: neutron-rabbitmq-user + tls: + network: + server: + public: neutron-tls-public # typically overridden by environmental # values, but should include all endpoints @@ -1712,6 +1716,13 @@ endpoints: public: neutron host_fqdn_override: default: null + # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public + # endpoints using the following format: + # public: + # host: null + # tls: + # crt: null + # key: null path: default: null scheme: @@ -1744,6 +1755,7 @@ manifests: pdb_server: true pod_rally_test: true secret_db: true + secret_ingress_tls: true secret_keystone: true secret_rabbitmq: true service_ingress_server: true diff --git a/nova/templates/secret-ingress-tls.yaml b/nova/templates/secret-ingress-tls.yaml new file mode 100644 index 0000000000..3b9062e3c7 --- /dev/null +++ b/nova/templates/secret-ingress-tls.yaml 
@@ -0,0 +1,21 @@ +{{/* +Copyright 2017-2018 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.secret_ingress_tls }} +{{ include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "osapi" "backendServiceType" "compute" ) }} +{{ include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "novncproxy" "backendServiceType" "compute_novnc_proxy" ) }} +{{ include "helm-toolkit.manifests.secret_ingress_tls" ( dict "envAll" . "backendService" "placement" "backendServiceType" "placement" ) }} +{{- end }} diff --git a/nova/values.yaml b/nova/values.yaml index 97718fb49f..d407de9b67 100644 --- a/nova/values.yaml +++ b/nova/values.yaml @@ -1121,6 +1121,16 @@ secrets: oslo_messaging: admin: nova-rabbitmq-admin nova: nova-rabbitmq-user + tls: + compute: + osapi: + public: nova-tls-public + compute_novnc_proxy: + novncproxy: + public: nova-novncproxy-tls-public + placement: + placement: + public: placement-tls-public # typically overridden by environmental # values, but should include all endpoints @@ -1314,6 +1324,13 @@ endpoints: public: nova host_fqdn_override: default: null + # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public + # endpoints using the following format: + # public: + # host: null + # tls: + # crt: null + # key: null path: default: "/v2.1/%(tenant_id)s" scheme: 
@@ -1349,6 +1366,13 @@ endpoints:
 public: novncproxy
 host_fqdn_override:
 default: null
+ # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public
+ # endpoints using the following format:
+ # public:
+ # host: null
+ # tls:
+ # crt: null
+ # key: null
 path:
 default: /vnc_auto.html
 scheme:
@@ -1697,6 +1721,7 @@ manifests:
 pod_rally_test: true
 secret_db_api: true
 secret_db: true
+ secret_ingress_tls: true
 secret_keystone: true
 secret_keystone_placement: true
 secret_rabbitmq: true
diff --git a/tools/deployment/common/setup-certificates.sh b/tools/deployment/common/setup-certificates.sh
new file mode 100755
index 0000000000..9811b5fde9
--- /dev/null
+++ b/tools/deployment/common/setup-certificates.sh
@@ -0,0 +1,417 @@
+#!/bin/bash
+
+# Copyright 2018 The Openstack-Helm Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+set -xe
+
+CURRENT_DIR=$(pwd)
+CFSSLURL=https://pkg.cfssl.org/R1.2
+
+TDIR=/tmp/certs
+rm -rf $TDIR
+mkdir -p $TDIR/bin
+
+cd $TDIR
+curl -sSL -o bin/cfssl $CFSSLURL/cfssl_linux-amd64
+curl -sSL -o bin/cfssljson $CFSSLURL/cfssljson_linux-amd64
+chmod +x bin/{cfssl,cfssljson}
+export PATH=$PATH:./bin
+
+OSH_CONFIG_ROOT="/etc/openstack-helm"
+OSH_CA_ROOT="${OSH_CONFIG_ROOT}/certs/ca"
+OSH_SERVER_TLS_ROOT="${OSH_CONFIG_ROOT}/certs/server"
+
+sudo mkdir -p ${OSH_CONFIG_ROOT}
+sudo chown $(whoami): -R ${OSH_CONFIG_ROOT}
+
+mkdir -p "${OSH_CA_ROOT}"
+tee ${OSH_CA_ROOT}/ca-config.json << EOF
+{
+ "signing": {
+ "default": {
+ "expiry": "24h"
+ },
+ "profiles": {
+ "server": {
+ "expiry": "24h",
+ "usages": [
+ "signing",
+ "key encipherment",
+ "server auth"
+ ]
+ }
+ }
+ }
+}
+EOF
+
+tee ${OSH_CA_ROOT}/ca-csr.json << EOF
+{
+ "CN": "ACME Company",
+ "key": {
+ "algo": "rsa",
+ "size": 2048
+ },
+ "names": [
+ {
+ "C": "US",
+ "L": "SomeState",
+ "ST": "SomeCity",
+ "O": "SomeOrg",
+ "OU": "SomeUnit"
+ }
+ ]
+}
+EOF
+
+cfssl gencert -initca ${OSH_CA_ROOT}/ca-csr.json | cfssljson -bare ${OSH_CA_ROOT}/ca -
+
+function check_cert_and_key () {
+ TLS_CERT=$1
+ TLS_KEY=$2
+ openssl x509 -inform pem -in ${TLS_CERT} -noout -text
+ CERT_MOD="$(openssl x509 -noout -modulus -in ${TLS_CERT})"
+ KEY_MOD="$(openssl rsa -noout -modulus -in ${TLS_KEY})"
+ if ! [ "${CERT_MOD}" = "${KEY_MOD}" ]; then
+ echo "Failure: TLS private key does not match this certificate."
+ exit 1
+ else
+ CERT_MOD=""
+ KEY_MOD=""
+ echo "Pass: ${TLS_CERT} is valid with ${TLS_KEY}"
+ fi
+}
+check_cert_and_key ${OSH_CA_ROOT}/ca.pem ${OSH_CA_ROOT}/ca-key.pem
+
+DOMAIN=openstackhelm.test
+for HOSTNAME in "swift" "keystone" "heat" "cloudformation" "horizon" "glance" "cinder" "nova" "placement" "novnc" "metadata" "neutron" "barbican"; do
+ FQDN="${HOSTNAME}.${DOMAIN}"
+
+ OSH_SERVER_CERTS="${OSH_SERVER_TLS_ROOT}/${HOSTNAME}"
+ mkdir -p "${OSH_SERVER_CERTS}"
+
+ tee ${OSH_SERVER_CERTS}/server-csr-${HOSTNAME}.json <