diff --git a/ansible/inventory/group_vars/all/kolla b/ansible/inventory/group_vars/all/kolla
index 50fdb7f8a594ffa3b042ea7f9b33d72d13f23871..9efe74e476be3f99c3eed1f7646903e3074ed0c7 100644
--- a/ansible/inventory/group_vars/all/kolla
+++ b/ansible/inventory/group_vars/all/kolla
@@ -652,7 +652,7 @@ kolla_external_tls_cert:
 # Path to a CA certificate file to use for the OS_CACERT environment variable
 # in public-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
 # default.
-kolla_external_fqdn_cacert:
+kolla_public_openrc_cacert: "{{ kolla_external_fqdn_cacert | default }}"
 
 # Internal API certificate bundle.
 #
@@ -665,7 +665,7 @@ kolla_internal_tls_cert:
 # Path to a CA certificate file to use for the OS_CACERT environment variable
 # in admin-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
 # default.
-kolla_internal_fqdn_cacert:
+kolla_admin_openrc_cacert: "{{ kolla_internal_fqdn_cacert | default }}"
 
 ###############################################################################
 # Proxy configuration
diff --git a/ansible/roles/kolla-ansible/defaults/main.yml b/ansible/roles/kolla-ansible/defaults/main.yml
index d83d98aa8122c0c33400d3464a08cd29aa3f7f0e..e5ce22ff9b43f77c3b76e774b1a7602ff2b3c360 100644
--- a/ansible/roles/kolla-ansible/defaults/main.yml
+++ b/ansible/roles/kolla-ansible/defaults/main.yml
@@ -175,8 +175,8 @@ kolla_enable_tls_external:
 kolla_enable_tls_internal:
 kolla_external_fqdn_cert:
 kolla_internal_fqdn_cert:
-kolla_external_fqdn_cacert:
-kolla_internal_fqdn_cacert:
+kolla_public_openrc_cacert:
+kolla_admin_openrc_cacert:
 
 #############################
 # Ironic options
diff --git a/ansible/roles/kolla-ansible/templates/kolla/globals.yml b/ansible/roles/kolla-ansible/templates/kolla/globals.yml
index 65743036e44bc8a7782ccf022237934746827483..1d833b9384f46ffb348ba142c36afa5ce1ca2b2f 100644
--- a/ansible/roles/kolla-ansible/templates/kolla/globals.yml
+++ b/ansible/roles/kolla-ansible/templates/kolla/globals.yml
@@ -191,8 +191,7 @@ kolla_external_fqdn_cert: "{{ kolla_external_fqdn_cert }}"
 {% if kolla_internal_tls_cert is not none and kolla_internal_tls_cert | length > 0 %}
 kolla_internal_fqdn_cert: "{{ kolla_internal_fqdn_cert }}"
 {% endif %}
-kolla_external_fqdn_cacert: "{{ kolla_external_fqdn_cacert }}"
-kolla_internal_fqdn_cacert: "{{ kolla_internal_fqdn_cacert }}"
+kolla_admin_openrc_cacert: "{{ kolla_admin_openrc_cacert }}"
 
 ################
 # Region options
diff --git a/ansible/roles/kolla-ansible/tests/test-extras.yml b/ansible/roles/kolla-ansible/tests/test-extras.yml
index a737e6244282e93aa448fe3b4550b41a8fd66812..8f8576a62550ce2fc598d6eae5179b770f024108 100644
--- a/ansible/roles/kolla-ansible/tests/test-extras.yml
+++ b/ansible/roles/kolla-ansible/tests/test-extras.yml
@@ -136,6 +136,7 @@
             kolla_internal_fqdn_cert: "{{ temp_path }}/etc/kolla/certificates/internal.pem"
             kolla_internal_tls_cert: |
               bogus internal certificate
+            kolla_admin_openrc_cacert: "{{ temp_path }}/etc/kolla/certificates/ca/foo.crt"
             kolla_openstack_logging_debug: True
             grafana_local_admin_user_name: "grafana-admin"
             kolla_inspector_dhcp_pool_start: "1.2.3.4"
@@ -255,6 +256,7 @@
               kolla_external_fqdn_cert: "{{ temp_path }}/etc/kolla/certificates/external.pem"
               kolla_enable_tls_internal: True
               kolla_internal_fqdn_cert: "{{ temp_path }}/etc/kolla/certificates/internal.pem"
+              kolla_admin_openrc_cacert: "{{ temp_path }}/etc/kolla/certificates/ca/foo.crt"
               openstack_logging_debug: True
               grafana_admin_username: "grafana-admin"
               ironic_dnsmasq_dhcp_ranges:
diff --git a/ansible/roles/public-openrc/templates/public-openrc.sh.j2 b/ansible/roles/public-openrc/templates/public-openrc.sh.j2
index d0356e800798f1b9e2185ed2d8079575c609d0c6..1c2dd179c440f76cca45dfbd9dd568b3af273827 100644
--- a/ansible/roles/public-openrc/templates/public-openrc.sh.j2
+++ b/ansible/roles/public-openrc/templates/public-openrc.sh.j2
@@ -11,8 +11,8 @@ export OS_ENDPOINT_TYPE=publicURL
 export OS_MANILA_ENDPOINT_TYPE=publicURL
 {% elif "export OS_MISTRAL_ENDPOINT_TYPE" in line %}
 export OS_MISTRAL_ENDPOINT_TYPE=publicURL
-{% elif "export OS_CACERT" in line and kolla_external_fqdn_cacert is not none %}
-export OS_CACERT={{ kolla_external_fqdn_cacert }}
+{% elif "export OS_CACERT" in line and kolla_public_openrc_cacert is not none %}
+export OS_CACERT={{ kolla_public_openrc_cacert }}
 {% else %}
 {{ line }}
 {% endif %}
diff --git a/doc/source/configuration/reference/kolla-ansible.rst b/doc/source/configuration/reference/kolla-ansible.rst
index 559ccfc21fb66f1293f9427913b465f7c40a7f69..97bf88df53853822ff8489c482491c6a8ba4505b 100644
--- a/doc/source/configuration/reference/kolla-ansible.rst
+++ b/doc/source/configuration/reference/kolla-ansible.rst
@@ -264,10 +264,6 @@ The following variables affect TLS encryption of the public API.
     A TLS certificate bundle to use for the public API endpoints, if
     ``kolla_enable_tls_external`` is ``true``.  Note that this should be
     formatted as a literal style block scalar.
-``kolla_external_fqdn_cacert``
-    Path to a CA certificate file to use for the ``OS_CACERT`` environment
-    variable in openrc files when TLS is enabled, instead of Kolla Ansible's
-    default.
 
 The following variables affect TLS encryption of the internal API. Currently
 this requires all Kolla images to be built with the API's root CA trusted.
@@ -278,10 +274,18 @@ this requires all Kolla images to be built with the API's root CA trusted.
     A TLS certificate bundle to use for the internal API endpoints, if
     ``kolla_enable_tls_internal`` is ``true``.  Note that this should be
     formatted as a literal style block scalar.
-``kolla_internal_fqdn_cacert``
+
+The following variables affect the generated ``admin-openrc.sh`` and
+``public-openrc.sh`` environment files.
+
+``kolla_public_openrc_cacert``
+    Path to a CA certificate file to use for the ``OS_CACERT`` environment
+    variable in the ``public-openrc.sh`` file when TLS is enabled, instead of
+    ``kolla_admin_openrc_cacert``.
+``kolla_admin_openrc_cacert``
     Path to a CA certificate file to use for the ``OS_CACERT`` environment
-    variable in openrc files when TLS is enabled, instead of Kolla Ansible's
-    default.
+    variable in the ``admin-openrc.sh`` and ``public-openrc.sh`` files when TLS
+    is enabled, instead of Kolla Ansible's default.
 
 Example: enabling TLS for the public API
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
@@ -298,7 +302,7 @@ Here is an example:
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
-   kolla_external_fqdn_cacert: /path/to/ca/certificate/bundle
+   kolla_admin_openrc_cacert: /path/to/ca/certificate/bundle
 
 Example: enabling TLS for the internal API
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
@@ -315,7 +319,7 @@ Here is an example:
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
-   kolla_internal_fqdn_cacert: /path/to/ca/certificate/bundle
+   kolla_admin_openrc_cacert: /path/to/ca/certificate/bundle
 
 Other certificates
 ------------------
diff --git a/etc/kayobe/kolla.yml b/etc/kayobe/kolla.yml
index f879fb6cbf3e2287bea16dbe223cd2adc955088e..86661d72ab13620ac81d96a5e75c8f8c86b4f0f3 100644
--- a/etc/kayobe/kolla.yml
+++ b/etc/kayobe/kolla.yml
@@ -565,7 +565,7 @@
 # Path to a CA certificate file to use for the OS_CACERT environment variable
 # in public-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
 # default.
-#kolla_external_fqdn_cacert:
+#kolla_public_openrc_cacert:
 
 # Internal API certificate bundle.
 #
@@ -578,7 +578,7 @@
 # Path to a CA certificate file to use for the OS_CACERT environment variable
 # in admin-openrc.sh file when TLS is enabled, instead of Kolla-Ansible's
 # default.
-#kolla_internal_fqdn_cacert:
+#kolla_admin_openrc_cacert:
 
 ###############################################################################
 # Proxy configuration
diff --git a/releasenotes/notes/deprecate-fqdn-cacert-301d5a26ed7107ab.yaml b/releasenotes/notes/deprecate-fqdn-cacert-301d5a26ed7107ab.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..d892cac436cf229efcde7cdabedc4c8726937c6b
--- /dev/null
+++ b/releasenotes/notes/deprecate-fqdn-cacert-301d5a26ed7107ab.yaml
@@ -0,0 +1,13 @@
+---
+deprecates:
+  - |
+    Renames ``kolla_external_fqdn_cacert`` to ``kolla_public_openrc_cacert``
+    and ``kolla_internal_fqdn_cacert`` to ``kolla_admin_openrc_cacert``. This
+    matches the Kolla Ansible variable name and better reflects their purpose.
+    The old variable names are still supported until the end of the deprecation
+    period (2024.2 "D" series release or later).
+fixes:
+  - |
+    Fixes an issue where the Kolla Ansible variable
+    ``kolla_admin_openrc_cacert`` was not set to the value of
+    ``kolla_internal_fqdn_cacert``.