diff --git a/magnum/templates/kubernetes/fragments/make-cert.sh b/magnum/templates/kubernetes/fragments/make-cert.sh
index 56780dc17b..fa43480ec1 100644
--- a/magnum/templates/kubernetes/fragments/make-cert.sh
+++ b/magnum/templates/kubernetes/fragments/make-cert.sh
@@ -25,7 +25,7 @@ if [ "$TLS_DISABLED" == "True" ]; then
 fi
 
 cert_ip=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4)
-sans="IP:${cert_ip},IP:${KUBE_API_PRIVATE_ADDRESS},IP:127.0.0.1"
+sans="IP:${cert_ip},IP:${KUBE_API_PUBLIC_ADDRESS},IP:${KUBE_API_PRIVATE_ADDRESS},IP:127.0.0.1"
 MASTER_HOSTNAME=${MASTER_HOSTNAME:-}
 if [[ -n "${MASTER_HOSTNAME}" ]]; then
   sans="${sans},DNS:${MASTER_HOSTNAME}"
diff --git a/magnum/templates/kubernetes/fragments/write-heat-params-master.yaml b/magnum/templates/kubernetes/fragments/write-heat-params-master.yaml
index 82e267cd28..5ab96f76e2 100644
--- a/magnum/templates/kubernetes/fragments/write-heat-params-master.yaml
+++ b/magnum/templates/kubernetes/fragments/write-heat-params-master.yaml
@@ -5,6 +5,7 @@ write_files:
     owner: "root:root"
     permissions: "0644"
     content: |
+      KUBE_API_PUBLIC_ADDRESS="$KUBE_API_PUBLIC_ADDRESS"
       KUBE_API_PRIVATE_ADDRESS="$KUBE_API_PRIVATE_ADDRESS"
       KUBE_API_PORT="$KUBE_API_PORT"
       KUBE_NODE_IP="$KUBE_NODE_IP"
diff --git a/magnum/templates/kubernetes/kubemaster.yaml b/magnum/templates/kubernetes/kubemaster.yaml
index c5dc5841d1..4a51714263 100644
--- a/magnum/templates/kubernetes/kubemaster.yaml
+++ b/magnum/templates/kubernetes/kubemaster.yaml
@@ -196,6 +196,7 @@ resources:
         str_replace:
           template: {get_file: fragments/write-heat-params-master.yaml}
           params:
+            "$KUBE_API_PUBLIC_ADDRESS": {get_param: api_public_address}
             "$KUBE_API_PRIVATE_ADDRESS": {get_param: api_private_address}
             "$KUBE_API_PORT": {get_param: kubernetes_port}
             "$KUBE_NODE_IP": {get_attr: [kube_master_eth0, fixed_ips, 0, ip_address]}