diff --git a/hooks/keystone_context.py b/hooks/keystone_context.py
index d4caa0a1..169b1bd0 100644
--- a/hooks/keystone_context.py
+++ b/hooks/keystone_context.py
@@ -94,7 +94,11 @@ class KeystoneContext(context.OSContextGenerator):
 interfaces = []
 def __call__(self):
- from keystone_utils import api_port, set_admin_token
+ from keystone_utils import (
+ api_port, set_admin_token,
+ endpoint_url, resolve_address,
+ PUBLIC, ADMIN
+ )
 ctxt = {}
 ctxt['token'] = set_admin_token(config('admin-token'))
 ctxt['admin_port'] = determine_api_port(api_port('keystone-admin'))
@@ -116,4 +120,9 @@ class KeystoneContext(context.OSContextGenerator):
 if config('enable-pki') not in ['false', 'False', 'no', 'No']:
 ctxt['signing'] = True
+
+ ctxt['public_endpoint'] = endpoint_url(resolve_address(PUBLIC),
+ api_port('keystone-public'))
+ ctxt['admin_endpoint'] = endpoint_url(resolve_address(ADMIN),
+ api_port('keystone-admin'))
 return ctxt
diff --git a/hooks/keystone_utils.py b/hooks/keystone_utils.py
index 69b280d1..f316d11e 100644
--- a/hooks/keystone_utils.py
+++ b/hooks/keystone_utils.py
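Review bot: The values assigned to `ctxt['public_endpoint']` and `ctxt['admin_endpoint']` in `KeystoneContext.__call__` (second hunk of hooks/keystone_context.py) end in `/v2.0`, because `endpoint_url()` in hooks/keystone_utils.py hard-codes that suffix. Keystone documents `public_endpoint` and `admin_endpoint` as the base URL that version discovery and self-links are built from, so a versioned value would probably be advertised to clients as `.../v2.0/v2.0/`; the same values are rendered into templates/icehouse/keystone.conf by this commit. I would hand the template the unversioned form, for example by changing the helper to `def endpoint_url(ip, port, suffix='/v2.0'):` with `return "%s://%s:%s%s" % (proto, ip, port, suffix)` and passing `suffix=''` at these two call sites. `__call__` begins and continues outside the hunk, so whether anything else touches these keys is not visible here.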
@@ -495,26 +495,21 @@ def ensure_initial_admin(config):
 auth_port=config("admin-port"), region=region)
+def endpoint_url(ip, port):
+ proto = 'http'
+ if https():
+ proto = 'https'
+ if is_ipv6(ip):
+ ip = "[{}]".format(ip)
+ return "%s://%s:%s/v2.0" % (proto, ip, port)
+
 def create_keystone_endpoint(public_ip, service_port, internal_ip, admin_ip, auth_port, region):
- proto = 'http'
- if https():
- log("Setting https keystone endpoint")
- proto = 'https'
-
- if is_ipv6(public_ip):
- public_ip = "[{}]".format(public_ip)
- if is_ipv6(internal_ip):
- internal_ip = "[{}]".format(internal_ip)
- if is_ipv6(admin_ip):
- admin_ip = "[{}]".format(admin_ip)
-
- public_url = "%s://%s:%s/v2.0" % (proto, public_ip, service_port)
- admin_url = "%s://%s:%s/v2.0" % (proto, admin_ip, auth_port)
- internal_url = "%s://%s:%s/v2.0" % (proto, internal_ip, service_port)
- create_endpoint_template(region, "keystone", public_url,
- admin_url, internal_url)
+ create_endpoint_template(region, "keystone",
+ endpoint_url(public_ip, service_port),
+ endpoint_url(admin_ip, auth_port),
+ endpoint_url(internal_ip, service_port))
 def update_user_password(username, password):
diff --git a/templates/icehouse/keystone.conf b/templates/icehouse/keystone.conf
index 4ae320ef..03482470 100644
--- a/templates/icehouse/keystone.conf
+++ b/templates/icehouse/keystone.conf
@@ -11,6 +11,8 @@ use_syslog = {{ use_syslog }}
 log_config = /etc/keystone/logging.conf
 debug = {{ debug }}
 verbose = {{ verbose }}
+public_endpoint = {{ public_endpoint }}
+admin_endpoint = {{ admin_endpoint }}
 [database]
 {% if database_host -%}
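Review bot: `endpoint_url()` in hooks/keystone_utils.py has no docstring, although it is now shared by the catalog registration in `create_keystone_endpoint()` and by the context that renders keystone.conf; a one-line contract would do, such as `"""Return the keystone v2.0 URL for ip:port; IPv6 literals are bracketed and the scheme follows https()."""`. The refactor also drops `log("Setting https keystone endpoint")`, so the scheme chosen for the registered endpoints is no longer recorded in the hook log. If that record is useful when confirming endpoints were registered over TLS, keep the log call in `create_keystone_endpoint()` rather than in the helper, which is now invoked three times per registration.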
@@ -74,11 +76,11 @@ user = {{ ldap_user }}
 password = {{ ldap_password }}
 suffix = {{ ldap_suffix }}
-{% if ldap_config_flags -%}
-{% for key, value in ldap_config_flags.iteritems() -%}
+{% if ldap_config_flags -%}
+{% for key, value in ldap_config_flags.iteritems() -%}
 {{ key }} = {{ value }}
-{% endfor -%}
-{% endif -%}
+{% endfor -%}
+{% endif -%}
 {% if ldap_readonly -%}
 user_allow_create = False