We need a way to link users and services to the X.509 certificates that sign messages from them. The most immediate need is to have multiple Keystone servers, each with its own signing cert, but the RPC mechanism will also need PKI message signing.

Please read and contribute to the spec for the blueprint; it is really just a skeleton for now.

Blueprint: https://blueprints.launchpad.net/keystone/+spec/x509subjects

Direct link to spec: https://wiki.openstack.org/wiki/Keystone/X509Subjects

This will be served by the existing certificate API: https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3-os-simple-certs-ext.md

Note that the blueprint makes no statements about how the certificates are signed or approved, merely how they are distributed.