diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index fd4846c8a95fb480677b4a4bf55b3115857b6b47..3d9b7470806215a92847a629296f89080c22a3a1 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -763,8 +763,7 @@ kolla_enable_tls_external: "{{ kolla_enable_tls_internal if kolla_same_external_
 kolla_certificates_dir: "{{ node_config }}/certificates"
 kolla_external_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy.pem"
 kolla_internal_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy-internal.pem"
-kolla_external_fqdn_cacert: "{{ kolla_certificates_dir }}/ca/haproxy.crt"
-kolla_internal_fqdn_cacert: "{{ kolla_certificates_dir }}/ca/haproxy-internal.crt"
+kolla_admin_openrc_cacert: ""
 kolla_copy_ca_into_containers: "no"
 kolla_verify_tls_backend: "yes"
 haproxy_backend_cacert: "{{ 'ca-certificates.crt' if kolla_base_distro in ['debian', 'ubuntu'] else 'ca-bundle.trust.crt' }}"
diff --git a/ansible/roles/certificates/tasks/generate.yml b/ansible/roles/certificates/tasks/generate.yml
index 1bd54aedc6773c536f62414edd8a35cae17f005f..acb68fa57f71ec406b0b4fe26f829c4e4280e657 100644
--- a/ansible/roles/certificates/tasks/generate.yml
+++ b/ansible/roles/certificates/tasks/generate.yml
@@ -64,12 +64,6 @@
         src: "{{ external_dir }}"
         dest: "{{ kolla_external_fqdn_cert }}"
         mode: "0660"
-
-    - name: Creating external CA Certificate File
-      copy:
-        src: "{{ root_dir }}/root.crt"
-        dest: "{{ kolla_external_fqdn_cacert }}"
-        mode: "0660"
   when:
     - kolla_enable_tls_external | bool
 
@@ -80,13 +74,6 @@
         dest: "{{ kolla_internal_fqdn_cert }}"
         remote_src: yes
         mode: "0660"
-
-    - name: Copy the external CA Certificate file to be the internal when internal + external are same network
-      copy:
-        src: "{{ kolla_external_fqdn_cacert }}"
-        dest: "{{ kolla_internal_fqdn_cacert }}"
-        remote_src: yes
-        mode: "0660"
   when:
     - kolla_enable_tls_external | bool
     - kolla_enable_tls_internal | bool
@@ -139,12 +126,6 @@
         mode: "0660"
         state: file
 
-    - name: Creating internal CA Certificate File
-      copy:
-        src: "{{ root_dir }}/root.crt"
-        dest: "{{ kolla_internal_fqdn_cacert }}"
-        mode: "0660"
-
     - name: Creating internal Server PEM File
       assemble:
         regexp: '.*[crt|key]'
diff --git a/ansible/roles/common/templates/admin-openrc.sh.j2 b/ansible/roles/common/templates/admin-openrc.sh.j2
index 1d7ab04ce2d055b773cddf27af14438fed18e354..d5a1d0b29cb0673fb1ed3bdba3868efc767a113b 100644
--- a/ansible/roles/common/templates/admin-openrc.sh.j2
+++ b/ansible/roles/common/templates/admin-openrc.sh.j2
@@ -18,8 +18,6 @@ export OS_MISTRAL_ENDPOINT_TYPE=internalURL
 export OS_IDENTITY_API_VERSION=3
 export OS_REGION_NAME={{ openstack_region_name }}
 export OS_AUTH_PLUGIN=password
-{% if kolla_enable_tls_internal | bool and kolla_internal_fqdn_cacert %}
-export OS_CACERT={{ kolla_internal_fqdn_cacert }}
-{% elif  kolla_enable_tls_external | bool and kolla_external_fqdn_cacert %}
-export OS_CACERT={{ kolla_external_fqdn_cacert }}
+{% if kolla_admin_openrc_cacert is not none and kolla_admin_openrc_cacert | length > 0 %}
+export OS_CACERT={{ kolla_admin_openrc_cacert }}
 {% endif %}
diff --git a/etc/kolla/globals.yml b/etc/kolla/globals.yml
index f67fa2a8ea4244fe393c0c6b24ac3bdb397f6fea..fc3a5fb7754754d75f39458458361897a118974a 100644
--- a/etc/kolla/globals.yml
+++ b/etc/kolla/globals.yml
@@ -189,8 +189,7 @@
 #kolla_certificates_dir: "{{ node_config }}/certificates"
 #kolla_external_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy.pem"
 #kolla_internal_fqdn_cert: "{{ kolla_certificates_dir }}/haproxy-internal.pem"
-#kolla_external_fqdn_cacert: "{{ kolla_certificates_dir }}/ca/haproxy.crt"
-#kolla_internal_fqdn_cacert: "{{ kolla_certificates_dir }}/ca/haproxy-internal.crt"
+#kolla_admin_openrc_cacert: ""
 #kolla_copy_ca_into_containers: "no"
 #kolla_verify_tls_backend: "yes"
 #haproxy_backend_cacert: "{{ 'ca-certificates.crt' if kolla_base_distro in ['debian', 'ubuntu'] else 'ca-bundle.trust.crt' }}"
diff --git a/releasenotes/notes/generate-self-signed-root-ca-bc523acab7290cfe.yaml b/releasenotes/notes/generate-self-signed-root-ca-bc523acab7290cfe.yaml
index d766d72d2048e92bc7778f560323b5dd8d38b355..206c50af00ee665590d1646966fef58b5a51f22d 100644
--- a/releasenotes/notes/generate-self-signed-root-ca-bc523acab7290cfe.yaml
+++ b/releasenotes/notes/generate-self-signed-root-ca-bc523acab7290cfe.yaml
@@ -9,3 +9,9 @@ features:
     certificates and signs them using the root CA. If backend TLS is enabled,
     the command will generate the backend certificate and sign it with the
     root CA.
+upgrade:
+  - |
+    Replaced ``kolla_external_fqdn_cacert`` and ``kolla_internal_fqdn_cacert``
+    with ``kolla_admin_openrc_cacert``, which by default is not set.
+    ``OS_CACERT`` is now set to the value of ``kolla_admin_openrc_cacert`` in
+    the generated ``admin-openrc.sh`` file.
diff --git a/tests/templates/globals-default.j2 b/tests/templates/globals-default.j2
index 72f275101406b03790e26379a41409dc2ebb87a6..4d41ec3c4d4810cd69092c338d25d92bad3ebfc1 100644
--- a/tests/templates/globals-default.j2
+++ b/tests/templates/globals-default.j2
@@ -127,6 +127,7 @@ openstack_cacert: "/etc/ssl/certs/ca-certificates.crt"
 {% if base_distro == "centos" %}
 openstack_cacert: "/etc/pki/tls/certs/ca-bundle.crt"
 {% endif %}
+kolla_admin_openrc_cacert: "{% raw %}{{ kolla_certificates_dir }}{% endraw %}/ca/root.crt"
 {% endif %}
 
 {% if scenario == 'linuxbridge' %}