diff --git a/manifests/compute.pp b/manifests/compute.pp
index de2b983..a9ec4bf 100644
--- a/manifests/compute.pp
+++ b/manifests/compute.pp
@@ -2,11 +2,18 @@ class infracloud::compute(
 $nova_rabbit_password,
 $neutron_rabbit_password,
 $neutron_admin_password,
+ $ssl_cert_file_contents = undef, #TODO: make required
 $br_name,
 $controller_public_address,
 $controller_management_address,
 ) {
+ ### Certificate Chain ###
+
+ class { '::infracloud::cacert':
+ cacert_content => $ssl_cert_file_contents,
+ }
+
 ### Networking ###
 class {'::infracloud::veth':
diff --git a/manifests/controller.pp b/manifests/controller.pp
index 15e67b0..082d0a3 100644
--- a/manifests/controller.pp
+++ b/manifests/controller.pp
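Review bot: `$ssl_cert_file_contents = undef` is handed straight to `::infracloud::cacert` as `cacert_content`, so until the TODO is resolved a node that omits the parameter feeds an undef content value to whatever file resource cacert.pp manages; cacert.pp is not part of this diff, so confirm it fails the catalog rather than installing an empty or absent trust anchor. The parameter name says "cert" while the value is passed as `cacert_content`, i.e. presumably installed as a CA trust anchor; a comment such as `# CA certificate this node's OpenStack clients will trust; installed by ::infracloud::cacert` would make the role explicit. puppet-lint's parameter_order check will also flag an optional parameter declared ahead of the required `$br_name`, `$controller_public_address` and `$controller_management_address`; controller.pp in this same commit puts its optional parameters last and uses the `# TODO(crinkle): make required` form, and compute.pp should match both.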
@@ -14,31 +14,32 @@ class infracloud::controller(
 $neutron_admin_password,
 $nova_admin_password,
 $keystone_admin_token,
- $ssl_chain_file_contents,
- $keystone_ssl_key_file_contents,
- $keystone_ssl_cert_file_contents,
- $neutron_ssl_key_file_contents,
- $neutron_ssl_cert_file_contents,
- $glance_ssl_key_file_contents,
- $glance_ssl_cert_file_contents,
- $nova_ssl_key_file_contents,
- $nova_ssl_cert_file_contents,
 $br_name,
 $controller_management_address,
 $controller_public_address = $::fqdn,
+ $ssl_key_file_contents = undef, # TODO(crinkle): make required
+ $ssl_cert_file_contents = undef, # TODO(crinkle): make required
+ # Non-functional parameters
+ # TODO(crinkle): remove
+ $ssl_chain_file_contents = undef,
+ $keystone_ssl_key_file_contents = undef,
+ $keystone_ssl_cert_file_contents = undef,
+ $neutron_ssl_key_file_contents = undef,
+ $neutron_ssl_cert_file_contents = undef,
+ $glance_ssl_key_file_contents = undef,
+ $glance_ssl_cert_file_contents = undef,
+ $nova_ssl_key_file_contents = undef,
+ $nova_ssl_cert_file_contents = undef,
 ) {
 $keystone_auth_uri = "https://${controller_public_address}:5000"
 $keystone_admin_uri = "https://${controller_public_address}:35357"
+ $ssl_cert_path = '/etc/ssl/certs/openstack_infra_ca.pem'
 ### Certificate Chain ###
- # This chain file needs to sign every other cert
- $ssl_chain_path = "/etc/ssl/certs/${controller_public_address}-ca.pem"
- file { $ssl_chain_path:
- ensure => present,
- content => $ssl_chain_file_contents,
- mode => '0644',
+ class { '::infracloud::cacert':
+ cacert_content => $ssl_cert_file_contents,
 }
 ### Networking ###
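Review bot: `$ssl_cert_path = '/etc/ssl/certs/openstack_infra_ca.pem'` is a hard-coded copy of wherever `::infracloud::cacert` installs the CA file, but that class is only given `cacert_content`, so nothing ties the two paths together; if cacert.pp writes anywhere else, every `cert_file`/`ssl_cert` set from `$ssl_cert_path` (keystone, glance, neutron and nova in the hunks below) silently points at a missing certificate while the `subscribe` relationships still appear satisfied. Either pass the path into the class or have the class expose it, and at minimum document the coupling: `# Must match the path ::infracloud::cacert installs the CA cert to; the services below present this CA cert as their own server certificate.` Note also that the single `$ssl_key_file_contents` is now copied into four key files, each 0600 and owned by a different service user (keystone, glance, neutron, nova), so the private key behind the cluster-wide certificate is readable by every one of those accounts and a compromise of any one of them exposes the key used by all; that is worth recording in the class documentation now that the per-service `*_ssl_key_file_contents` parameters are inert. The body of `infracloud::controller` continues beyond this hunk.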
@@ -115,20 +116,18 @@ class infracloud::controller(
 include ::apache
 $keystone_ssl_key_path = "/etc/ssl/private/${controller_public_address}-keystone.pem"
- $keystone_ssl_cert_path = "/etc/ssl/certs/${controller_public_address}-keystone.pem"
 # keystone vhost
 class { '::keystone::wsgi::apache':
 ssl_key => $keystone_ssl_key_path,
- ssl_cert => $keystone_ssl_cert_path,
- ssl_chain => $ssl_chain_path,
+ ssl_cert => $ssl_cert_path,
+ subscribe => Class['::infracloud::cacert'],
 }
- infracloud::ssl { 'keystone':
- key_content => $keystone_ssl_key_file_contents,
- cert_content => $keystone_ssl_cert_file_contents,
- key_path => $keystone_ssl_key_path,
- cert_path => $keystone_ssl_cert_path,
+ infracloud::ssl_key { 'keystone':
+ key_content => $ssl_key_file_contents,
+ key_path => $keystone_ssl_key_path,
+ notify => Service['httpd'],
 }
 ### Glance ###
@@ -145,14 +144,14 @@ class infracloud::controller(
 keystone_password => $glance_admin_password,
 auth_uri => $keystone_auth_uri,
 identity_uri => $keystone_admin_uri,
- cert_file => "/etc/glance/ssl/certs/${controller_public_address}.pem",
+ cert_file => $ssl_cert_path,
 key_file => "/etc/glance/ssl/private/${controller_public_address}.pem",
+ subscribe => Class['::infracloud::cacert'],
 }
- infracloud::ssl { 'glance':
- key_content => $glance_ssl_key_file_contents,
- cert_content => $glance_ssl_cert_file_contents,
- before => Service['glance-api'],
+ infracloud::ssl_key { 'glance':
+ key_content => $ssl_key_file_contents,
+ notify => Service['glance-api'],
 }
 # glance-registry.conf
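Review bot: In the glance hunk the configured `key_file => "/etc/glance/ssl/private/${controller_public_address}.pem"` and the file actually written by `infracloud::ssl_key { 'glance': ... }` can diverge: no `key_path` is passed, so the define falls back to `/etc/glance/ssl/private/${::fqdn}.pem`, which only coincides with the configured path while `$controller_public_address` keeps its `$::fqdn` default. The neutron and nova resources in the following hunks have the same gap; keystone is the only caller that passes `key_path` explicitly. Passing `key_path => "/etc/glance/ssl/private/${controller_public_address}.pem"`, or deriving both settings from one local variable as the keystone block does with `$keystone_ssl_key_path`, removes the dependence on the default. This predates the rename rather than being introduced here, but the rename is a natural point to close it. The enclosing class body extends beyond both hunks.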
@@ -198,15 +197,15 @@ class infracloud::controller(
 rabbit_password => $neutron_rabbit_password,
 rabbit_host => $controller_management_address,
 use_ssl => true,
- cert_file => "/etc/neutron/ssl/certs/${controller_public_address}.pem",
+ cert_file => $ssl_cert_path,
 key_file => "/etc/neutron/ssl/private/${controller_public_address}.pem",
+ subscribe => Class['::infracloud::cacert'],
 }
- infracloud::ssl { 'neutron':
- key_content => $neutron_ssl_key_file_contents,
- cert_content => $neutron_ssl_cert_file_contents,
- before => Service['neutron-server'],
- require => Package['neutron'],
+ infracloud::ssl_key { 'neutron':
+ key_content => $ssl_key_file_contents,
+ notify => Service['neutron-server'],
+ require => Package['neutron'],
 }
 # keystone user, role, service, endpoints for neutron service
@@ -302,14 +301,14 @@ class infracloud::controller(
 rabbit_host => $controller_management_address,
 glance_api_servers => "https://${controller_public_address}:9292",
 use_ssl => true,
- cert_file => "/etc/nova/ssl/certs/${controller_public_address}.pem",
+ cert_file => $ssl_cert_path,
 key_file => "/etc/nova/ssl/private/${controller_public_address}.pem",
+ subscribe => Class['::infracloud::cacert'],
 }
- infracloud::ssl { 'nova':
- key_content => $nova_ssl_key_file_contents,
- cert_content => $nova_ssl_cert_file_contents,
- before => Service['nova-api'],
- require => Class['::nova'],
+ infracloud::ssl_key { 'nova':
+ key_content => $ssl_key_file_contents,
+ notify => Service['nova-api'],
+ require => Class['::nova'],
 }
 # keystone user, role, service, endpoints for nova service
diff --git a/manifests/ssl.pp b/manifests/ssl_key.pp
similarity index 56%
rename from manifests/ssl.pp
rename to manifests/ssl_key.pp
index 4bcbdb3..3325bd9 100644
--- a/manifests/ssl.pp
+++ b/manifests/ssl_key.pp
@@ -1,23 +1,16 @@
-define infracloud::ssl(
+define infracloud::ssl_key(
 $key_content,
- $cert_content,
 $key_path = undef,
- $cert_path = undef,
 ) {
 if $key_path == undef {
 $_key_path = "/etc/${name}/ssl/private/${::fqdn}.pem"
 } else {
 $_key_path = $key_path
 }
- if $cert_path == undef {
- $_cert_path = "/etc/${name}/ssl/certs/${::fqdn}.pem"
- } else {
- $_cert_path = $cert_path
- }
 # If the user isn't providing an unexpected path, create the directory
 # structure.
- if $key_path == undef and $cert_path == undef {
+ if $key_path == undef {
 file { "/etc/${name}/ssl":
 ensure => directory,
 owner => $name,
@@ -30,13 +23,6 @@ define infracloud::ssl(
 require => File["/etc/${name}/ssl"],
 before => File[$_key_path]
 }
- file { "/etc/${name}/ssl/certs":
- ensure => directory,
- owner => $name,
- mode => '0750',
- require => File["/etc/${name}/ssl"],
- before => File[$_cert_path],
- }
 }
 file { $_key_path:
@@ -45,9 +31,4 @@ define infracloud::ssl(
 owner => $name,
 mode => '0600',
 }
- file { $_cert_path:
- ensure => present,
- content => $cert_content,
- mode => '0644',
- }
 }
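Review bot: The renamed define carries no documentation of its contract; a header comment above `define infracloud::ssl_key(` should state that it installs `$key_content` as a private key file owned by the `$name` service user with mode 0600 at `$key_path`, defaulting to `/etc/${name}/ssl/private/${::fqdn}.pem`, and that the `/etc/${name}/ssl` directory tree is created only when that default is used (the `content => $key_content` attribute itself appears to sit on the lines between the second and third hunks). The surviving comment `# If the user isn't providing an unexpected path, create the directory` reads oddly now that only one path is involved; `# Only create the directory tree when the default key path is used; a caller-supplied path is assumed to exist.` says the same thing more plainly. One subtlety worth a note if this still runs under the Puppet 3 parser: `$key_path == undef` is also true for an empty string there, so `key_path => ''` would take the default branch rather than fail.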