diff --git a/defaults/main.yml b/defaults/main.yml
index 1c03904df..28e6bc1f4 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,8 +1,8 @@
 ---
 # defaults file for ansible-role-tripleo-ssl
-local_working_dir: "{{ lookup('env', 'HOME') }}/.cat"
 working_dir: /home/stack
 ssl_overcloud: false
-ssl_undercloud: false
-undercloud_undercloud_public_vip: 172.16.23.110
+overcloud_public_vip: 10.0.0.5
+overcloud_ssl_cert_log: "{{working_dir}}/overcloud_create_ssl_cert.log"
+overcloud_ssl_cert_script: overcloud-create-ssl-cert.sh.j2
diff --git a/library/tls_tht.py b/library/tls_tht.py
index a1493f3dd..917eea3cf 100644
--- a/library/tls_tht.py
+++ b/library/tls_tht.py
@@ -49,6 +49,11 @@ options:
         - the CA cert pem filename
       required: false
       default: cert.pem
+    tht_release:
+      description:
+        - the tht release name
+      required: false
+      default: master
 '''
@@ -68,12 +73,13 @@ def _open_yaml(filename):
     return tmp_dict
-def create_enable_file(certpem, keypem, source_dir, dest_dir):
+def create_enable_file(certpem, keypem, source_dir, dest_dir, tht_release):
     output_dict = _open_yaml("{}environments/enable-tls.yaml".format(source_dir))
-    for key in output_dict["parameter_defaults"]["EndpointMap"]:
-        if output_dict["parameter_defaults"]["EndpointMap"][key]["host"] == "CLOUDNAME":
-            output_dict["parameter_defaults"]["EndpointMap"][key]["host"] = "IP_ADDRESS"
+    if tht_release not in ['master', 'newton']:
+        for key in output_dict["parameter_defaults"]["EndpointMap"]:
+            if output_dict["parameter_defaults"]["EndpointMap"][key]["host"] == "CLOUDNAME":
+                output_dict["parameter_defaults"]["EndpointMap"][key]["host"] = "IP_ADDRESS"
     output_dict["parameter_defaults"]["SSLCertificate"] = certpem
     output_dict["parameter_defaults"]["SSLKey"] = keypem
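Review bot: `overcloud_public_vip: 10.0.0.5` is a placeholder, yet the template added in this commit puts it straight into the leaf certificate's CN, so a deployment whose public VIP differs gets a certificate that does not match the endpoint it serves; a comment above the line would make the override expectation explicit, e.g. `# must be overridden with the real overcloud public VIP; the server cert CN is built from it`. `overcloud_ssl_cert_log` also writes `{{working_dir}}` without the inner spaces while every other template expression in this commit is written `{{ working_dir }}`.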
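Review bot: The new `tht_release` parameter of `create_enable_file` has no default, so any caller other than the updated `main()` now fails with a TypeError, even though the module documents `default: master` for it; `def create_enable_file(certpem, keypem, source_dir, dest_dir, tht_release='master'):` keeps the function and the argument_spec in step. The `not in ['master', 'newton']` test also means any unrecognised or misspelled release name silently takes the rewrite branch rather than being rejected; the `tht_release=dict(...)` entry in the `@@ -108,6 +114,7 @@` hunk could carry a `choices=` list, and the docstring hunk above could say which release names keep `CLOUDNAME` in the EndpointMap instead of just "the tht release name". The body of `create_enable_file` continues outside the hunk.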
@@ -108,6 +114,7 @@ def main():
             cert_filename=dict(default="cert.pem", required=False),
             cert_ca_filename=dict(default="cert.pem", required=False),
             key_filename=dict(default="key.pem", required=False),
+            tht_release=dict(default="master", required=False),
         )
     )
@@ -120,8 +127,13 @@ def main():
     with open(module.params["key_filename"], "r") as stream:
         keypem = stream.read()
-    create_enable_file(certpem, keypem, module.params["source_dir"], module.params["dest_dir"])
-    create_anchor_file(cert_ca_pem, module.params["source_dir"], module.params["dest_dir"])
+    create_enable_file(certpem, keypem,
+                       module.params["source_dir"],
+                       module.params["dest_dir"],
+                       module.params["tht_release"])
+    create_anchor_file(cert_ca_pem,
+                       module.params["source_dir"],
+                       module.params["dest_dir"])
     module.exit_json(changed=True)
diff --git a/tasks/main.yml b/tasks/main.yml
index 6eb96607b..007108783 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,54 +1,32 @@
 ---
 # tasks file for ansible-role-tripleo-ssl
-- name: Ensure rpm requirements for ssl are installed
-  yum: name={{ item }} state=latest
-  with_items:
-    - openssl
-  when: ssl_overcloud or ssl_undercloud
+- when: ssl_overcloud
+  block:
+    - name: Ensure rpm requirements for ssl are installed
+      yum: name={{ item }} state=latest
+      with_items:
+        - openssl
-- name: Ensure tripleo heat template rpm requirements for ssl are installed
-  yum: name={{ item }} state=latest
-  with_items:
-    - openstack-tripleo-heat-templates
-  when: ssl_overcloud
+    - name: Ensure tripleo heat template rpm requirements for ssl are installed
+      yum: name={{ item }} state=latest
+      with_items:
+        - openstack-tripleo-heat-templates
-- name: create self-signed SSL cert
-  command: openssl req -x509 -nodes -newkey rsa:2048 -subj "/CN={{ undercloud_undercloud_public_vip }}" -days 3650 -keyout test-privkey.pem -out test-cacert.pem -extensions v3_ca
-  when: ssl_overcloud or ssl_undercloud
+    - name: Create overcloud-create-ssl-cert.sh
+      template:
+        src: "{{ overcloud_ssl_cert_script }}"
+        dest: "{{ working_dir }}/overcloud-create-ssl-cert.sh"
+        mode: 0755
-- name: Combine CA and key for HAproxy
-  shell: >
-    cat test-cacert.pem test-privkey.pem > undercloud.pem
-  when: ssl_undercloud
+    - name: Generate SSL certificates
+      shell: |
+        {{ working_dir }}/overcloud-create-ssl-cert.sh > {{ overcloud_ssl_cert_log }} 2>&1
-- name: Combine CA and key for HAproxy
-  sudo: yes
-  shell: >
-    mkdir /etc/pki/instack-certs;
-    cp undercloud.pem /etc/pki/instack-certs;
-    semanage fcontext -a -t etc_t "/etc/pki/instack-certs(/.*)?";
-    restorecon -R /etc/pki/instack-certs;
-  when: ssl_undercloud
-
-- name: Copy self-signed certificate
-  sudo: yes
-  shell: >
-    cp test-cacert.pem /etc/pki/ca-trust/source/anchors/;
-    update-ca-trust extract;
-  when: ssl_undercloud
-
-- name: fetch template from single remote host
-  tls_tht:
-    source_dir: "/usr/share/openstack-tripleo-heat-templates/"
-    dest_dir: "{{ working_dir }}/"
-    cert_filename: "test-cacert.pem"
-    cert_ca_filename: "test-cacert.pem"
-    key_filename: "test-privkey.pem"
-  when: ssl_overcloud
-
-- name: copy the self-signed SSL cert
-  shell: >
-    cp test-cacert.pem /etc/pki/ca-trust/source/anchors/;
-    update-ca-trust extract;
-  sudo: true
-  when: ssl_overcloud
+    - name: fetch template from single remote host
+      tls_tht:
+        source_dir: "/usr/share/openstack-tripleo-heat-templates/"
+        dest_dir: "{{ working_dir }}/"
+        cert_filename: "{{ working_dir }}/server-cert.pem"
+        cert_ca_filename: "{{ working_dir }}/overcloud-cacert.pem"
+        key_filename: "{{ working_dir }}/server-key.pem"
+        tht_release: '{{ release }}'
diff --git a/templates/overcloud-create-ssl-cert.sh.j2 b/templates/overcloud-create-ssl-cert.sh.j2
new file mode 100755
index 000000000..db23eedeb
--- /dev/null
+++ b/templates/overcloud-create-ssl-cert.sh.j2
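Review bot: `tht_release: '{{ release }}'` in the `fetch template` task refers to a variable that this commit's defaults/main.yml does not define, so the task fails with an undefined-variable error unless every caller sets `release`; either add it to the defaults or write `tht_release: '{{ release | default("master") }}'` to match the module's own default. The `Generate SSL certificates` task also regenerates the CA and re-runs `update-ca-trust` on every play, because a bare `shell` task has no `creates:` guard; adding `args:` with `creates: "{{ working_dir }}/server-cert.pem"` makes the block idempotent. `mode: 0755` is an unquoted octal literal, which YAML parsers treat inconsistently; `mode: '0755'` is the unambiguous form.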
@@ -0,0 +1,52 @@
+#!/bin/bash
+
+set -eux
+
+### --start_docs
+## Generating the overcloud SSL Certificates
+## =========================================
+
+## * Generate a private key
+## ::
+
+openssl genrsa 2048 > {{ working_dir }}/overcloud-ca-privkey.pem 2> /dev/null
+
+## * Generate a self-signed CA certificate
+## ::
+
+openssl req -new -x509 -key {{ working_dir }}/overcloud-ca-privkey.pem \
+    -out {{ working_dir }}/overcloud-cacert.pem -days 365 \
+    -subj "/C=US/ST=NC/L=Raleigh/O=Red Hat/OU=OOOQ/CN=overcloud"
+
+## * Add the self-signed CA certificate to the undercloud's trusted certificate
+## store.
+## ::
+
+sudo cp {{ working_dir }}/overcloud-cacert.pem /etc/pki/ca-trust/source/anchors/
+sudo update-ca-trust extract
+
+## * Generate the leaf certificate request and key that will be used for the
+## public VIP
+## ::
+
+openssl req -newkey rsa:2048 -days 365 \
+    -nodes -keyout {{ working_dir }}/server-key.pem \
+    -out {{ working_dir }}/server-req.pem \
+    -subj "/C=US/ST=NC/L=Raleigh/O=Red Hat/OU=OOOQ/CN={{overcloud_public_vip}}"
+
+## * Process the server RSA key
+## ::
+
+openssl rsa -in {{ working_dir }}/server-key.pem \
+    -out {{ working_dir }}/server-key.pem
+
+## * Sign the leaf certificate with the CA certificate and generate
+## the certificate
+## ::
+
+openssl x509 -req -in server-req.pem -days 365 \
+    -CA {{ working_dir }}/overcloud-cacert.pem \
+    -CAkey {{ working_dir }}/overcloud-ca-privkey.pem \
+    -set_serial 01 -out {{ working_dir }}/server-cert.pem
+
+## --stop_docs
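Review bot: The signing step reads `-in server-req.pem` relative to the current directory while every other path in the script is anchored on `{{ working_dir }}`, so the script only succeeds when it happens to be invoked from that directory; it should be `-in {{ working_dir }}/server-req.pem`. The CA private key is produced through a shell redirection (`openssl genrsa 2048 > ...`), so its mode comes from the caller's umask and with the usual 022 the file is group- and world-readable; because this CA is then installed into the undercloud's trust store, the key file needs to be private, so add `umask 077` right after `set -eux` (or chmod 600 the key files once written). `-set_serial 01` also gives every regenerated leaf certificate the same serial under each fresh CA, which clients that cache by issuer and serial can mishandle; `-CAcreateserial` avoids the collision.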