In certmonger 0.75.13 you can use local-getcert and it will have a signing cert (selfsigned CA cert). This allows us to replace the keystone-manage ssl_swetup and pki_setup with certmonger calls. This should be the plan moving forward, with Certmonger/Barbican integration a short term target.