diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index c6c94284b5..f6dd7c3628 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -6,6 +6,9 @@
 # again. Persistent files allow for idempotency
 container_config_directory: "/var/lib/kolla/config_files"
 
+# The directory on the deploy host containing globals.yml.
+node_config: "{{ CONFIG_DIR | default('/etc/kolla') }}"
+
 # The directory to merge custom config files the kolla's config files
 node_custom_config: "/etc/kolla/config"
 
@@ -621,8 +624,8 @@ qdrouterd_user: "openstack"
 haproxy_user: "openstack"
 haproxy_enable_external_vip: "{{ 'no' if kolla_external_vip_address == kolla_internal_vip_address else 'yes' }}"
 kolla_enable_tls_external: "no"
-kolla_external_fqdn_cert: "{{ node_config_directory }}/certificates/haproxy.pem"
-kolla_external_fqdn_cacert: "{{ node_config_directory }}/certificates/haproxy-ca.crt"
+kolla_external_fqdn_cert: "{{ node_config }}/certificates/haproxy.pem"
+kolla_external_fqdn_cacert: "{{ node_config }}/certificates/haproxy-ca.crt"
 
 
 ####################
diff --git a/ansible/post-deploy.yml b/ansible/post-deploy.yml
index 2e1f9ef97d..ae95aabcb6 100644
--- a/ansible/post-deploy.yml
+++ b/ansible/post-deploy.yml
@@ -5,5 +5,5 @@
   tasks:
     - template:
         src: "roles/common/templates/admin-openrc.sh.j2"
-        dest: "{{ CONFIG_DIR | default('/etc/kolla') }}/admin-openrc.sh"
+        dest: "{{ node_config }}/admin-openrc.sh"
       run_once: True
diff --git a/ansible/roles/certificates/defaults/main.yml b/ansible/roles/certificates/defaults/main.yml
new file mode 100644
index 0000000000..a741e6a32a
--- /dev/null
+++ b/ansible/roles/certificates/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+# Directory on deploy node (localhost) in which certificates are generated.
+certificates_dir: "{{ node_config }}/certificates"
diff --git a/ansible/roles/certificates/tasks/generate.yml b/ansible/roles/certificates/tasks/generate.yml
index 3ca4809d3f..0e7db0c5a9 100644
--- a/ansible/roles/certificates/tasks/generate.yml
+++ b/ansible/roles/certificates/tasks/generate.yml
@@ -2,17 +2,15 @@
 - name: Ensuring config directories exist
   become: true
   file:
-    path: "{{ node_config_directory }}/{{ item }}"
+    path: "{{ certificates_dir }}/private"
     state: "directory"
     recurse: yes
-  with_items:
-    - "certificates/private"
 
 - name: Creating SSL configuration file
   become: true
   template:
     src: "{{ item }}.j2"
-    dest: "{{ node_config_directory }}/certificates/{{ item }}"
+    dest: "{{ certificates_dir }}/{{ item }}"
   with_items:
     - "openssl-kolla.cnf"
 
@@ -20,12 +18,12 @@
   become: true
   command: creates="{{ item }}" openssl genrsa -out {{ item }}
   with_items:
-    - "{{ node_config_directory }}/certificates/private/haproxy.key"
+    - "{{ certificates_dir }}/private/haproxy.key"
 
 - name: Setting permissions on key
   become: true
   file:
-    path: "{{ node_config_directory }}/certificates/private/haproxy.key"
+    path: "{{ certificates_dir }}/certificates/private/haproxy.key"
     mode: 0600
     state: file
 
@@ -33,23 +31,23 @@
   become: true
   command: creates="{{ item }}" openssl req -new -nodes -sha256 -x509 \
     -subj "/C=US/ST=NC/L=RTP/O=kolla/CN={{ kolla_external_fqdn }}" \
-    -config {{ node_config_directory }}/certificates/openssl-kolla.cnf \
+    -config {{ certificates_dir }}/openssl-kolla.cnf \
     -days 3650 \
     -extensions v3_req \
-    -key {{ node_config_directory }}/certificates/private/haproxy.key \
+    -key {{ certificates_dir }}/private/haproxy.key \
     -out {{ item }}
   with_items:
-    - "{{ node_config_directory }}/certificates/private/haproxy.crt"
+    - "{{ certificates_dir }}/private/haproxy.crt"
 
 - name: Creating CA Certificate File
   become: true
   copy:
-    src: "{{ node_config_directory }}/certificates/private/haproxy.crt"
-    dest: "{{ node_config_directory }}/certificates/haproxy-ca.crt"
+    src: "{{ certificates_dir }}/private/haproxy.crt"
+    dest: "{{ kolla_external_fqdn_cacert }}"
 
 - name: Creating Server PEM File
   become: true
   assemble:
-    src: "{{ node_config_directory }}/certificates/private"
-    dest: "{{ node_config_directory }}/certificates/haproxy.pem"
+    src: "{{ certificates_dir }}/private"
+    dest: "{{ kolla_external_fqdn_cert }}"
     mode: 0600
diff --git a/ansible/roles/keystone/tasks/precheck.yml b/ansible/roles/keystone/tasks/precheck.yml
index 3df21a2d4e..53c268c793 100644
--- a/ansible/roles/keystone/tasks/precheck.yml
+++ b/ansible/roles/keystone/tasks/precheck.yml
@@ -44,7 +44,7 @@
 
 - name: Checking fernet_token_expiry in globals.yml. Update fernet_token_expiry to allowed value if this task fails
   run_once: true
-  local_action: command awk '/^fernet_token_expiry/ { print $2 }' "{{ CONFIG_DIR | default('/etc/kolla') }}/globals.yml"
+  local_action: command awk '/^fernet_token_expiry/ { print $2 }' "{{ node_config }}/globals.yml"
   register: result
   changed_when: false
   failed_when: result.stdout | regex_replace('(60|120|180|240|300|360|600|720|900|1200|1800|3600|7200|10800|14400|21600|28800|43200|86400|604800)', '') | search(".+")
diff --git a/ansible/roles/prechecks/tasks/service_checks.yml b/ansible/roles/prechecks/tasks/service_checks.yml
index d40d13b8da..e671ea4e2c 100644
--- a/ansible/roles/prechecks/tasks/service_checks.yml
+++ b/ansible/roles/prechecks/tasks/service_checks.yml
@@ -11,7 +11,7 @@
 # will pass, but only because nothing in the vault file has the format of a
 # YAML dict item.
 - name: Checking empty passwords in passwords.yml. Run kolla-genpwd if this task fails
-  local_action: command grep '^[^#].*:\s*$' "{{ CONFIG_DIR | default('/etc/kolla') }}/passwords.yml"
+  local_action: command grep '^[^#].*:\s*$' "{{ node_config }}/passwords.yml"
   run_once: True
   register: result
   changed_when: false
diff --git a/doc/source/admin/advanced-configuration.rst b/doc/source/admin/advanced-configuration.rst
index 501b2d8605..13d327fc99 100644
--- a/doc/source/admin/advanced-configuration.rst
+++ b/doc/source/admin/advanced-configuration.rst
@@ -92,7 +92,7 @@ The default for TLS is disabled, to enable TLS networking:
 .. code-block:: yaml
 
    kolla_enable_tls_external: "yes"
-   kolla_external_fqdn_cert: "{{ node_config_directory }}/certificates/mycert.pem"
+   kolla_external_fqdn_cert: "{{ node_config }}/certificates/mycert.pem"
 
 .. note::
 
diff --git a/etc/kolla/globals.yml b/etc/kolla/globals.yml
index 8244143758..16e4ee7cc2 100644
--- a/etc/kolla/globals.yml
+++ b/etc/kolla/globals.yml
@@ -151,7 +151,7 @@ kolla_internal_vip_address: "10.10.10.254"
 # TLS can be enabled.  When TLS is enabled, certificates must be provided to
 # allow clients to perform authentication.
 #kolla_enable_tls_external: "no"
-#kolla_external_fqdn_cert: "{{ node_config_directory }}/certificates/haproxy.pem"
+#kolla_external_fqdn_cert: "{{ node_config }}/certificates/haproxy.pem"
 
 
 ##############
diff --git a/releasenotes/notes/cert-path-65943386e62f1a8c.yaml b/releasenotes/notes/cert-path-65943386e62f1a8c.yaml
new file mode 100644
index 0000000000..033e74c46a
--- /dev/null
+++ b/releasenotes/notes/cert-path-65943386e62f1a8c.yaml
@@ -0,0 +1,9 @@
+---
+upgrade:
+  - |
+    Changes the default path for certificates generated via ``kolla-ansible
+    certificates`` from ``{[ node_config_directory }}/certificates`` to
+    ``{{ node_config }}``.  ``{{ node_config }}`` is the directory containing
+    ``globals.yml``, which by default is ``/etc/kolla/``. This makes
+    certificates consistent with other locally generated files, such as
+    ``admin-openrc.sh``.