Comment 14 for bug 1754682

OK so to confirm:

    # generate or get a new cert/key for service if set to manage certs.
    https_service_endpoints = config('https-service-endpoints')
    if https_service_endpoints and bool_from_string(https_service_endpoints):

is the code snippet from keystone - if this config option is enabled, keystone will act as a CA and generate certs and keys for all endpoints presented over relations - you *don't* want this to happen in a production cloud where certs, keys and ca's are presented via the ssl_* configuration options.