Comment 5 for bug 1898032

Diko Parvanov (dparv) wrote :

Not quite. The scenario is:

1) Deploy with vault relations
2) Issue certificates via vault
[some time later customer decides to use different ssl certs on Horizon]
3) Add certificates, provided by customer via ssl_* config option to openstack-dashboard
4) Re-issue vault root certificate
5) Openstack-dashboard now doesn't trust new root CA from vault, only has the CA from ssl_ca config option and can't access keystone endpoints, as keystone doesn't have custom ssl_* installed, only vault issued certificates.

When vault re-issues certificates and openstack-dashboard has a custom ssl_ca assigned, the charm should combine the new vault certificates via the relation with the configured ssl_ca; otherwise the communication to keystone will stop.
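
An added example, not part of the original comment and not the charm's own code: one way to build the combined trust bundle the comment asks for, so that a re-issued vault root CA is trusted alongside the customer CA. It assumes the ssl_ca config value is base64-encoded PEM and the relation delivers its CA as PEM text; the function names are hypothetical and the sample "certificates" are constructed placeholders, not real X.509.

```python
import base64
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL
)


def split_pem(bundle):
    """Return every PEM certificate block found in a bundle string."""
    return PEM_BLOCK.findall(bundle or "")


def combine_ca_bundles(config_ssl_ca_b64, relation_ca_pem):
    """Merge the configured ssl_ca (assumed base64 of PEM) with the CA
    received over the certificates relation (assumed PEM text).

    Duplicates are dropped by comparing decoded DER bytes, so the same CA
    with different line wrapping or whitespace is only written once."""
    sources = []
    if config_ssl_ca_b64:
        sources.append(base64.b64decode(config_ssl_ca_b64).decode("ascii"))
    if relation_ca_pem:
        sources.append(relation_ca_pem)

    seen, merged = set(), []
    for source in sources:
        for pem in split_pem(source):
            der = ssl.PEM_cert_to_DER_cert(pem)
            if der not in seen:
                seen.add(der)
                merged.append(ssl.DER_cert_to_PEM_cert(der))
    return "".join(merged)


def count_certs(bundle):
    """Number of certificates in a PEM bundle."""
    return len(split_pem(bundle))


# Constructed sample data: placeholder bytes wrapped in PEM armour.
CUSTOMER_CA = ssl.DER_cert_to_PEM_cert(b"constructed-customer-ca")
NEW_VAULT_CA = ssl.DER_cert_to_PEM_cert(b"constructed-new-vault-root-ca")
CUSTOMER_CA_B64 = base64.b64encode(CUSTOMER_CA.encode("ascii")).decode("ascii")

if __name__ == "__main__":
    print(combine_ca_bundles(CUSTOMER_CA_B64, NEW_VAULT_CA))
```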