diff --git a/templates/queens/keystone.conf b/templates/queens/keystone.conf
new file mode 100644
index 00000000..8683b279
--- /dev/null
+++ b/templates/queens/keystone.conf
@@ -0,0 +1,131 @@
+# ocata
+###############################################################################
+# [ WARNING ]
+# Configuration file maintained by Juju. Local changes may be overwritten.
+###############################################################################
+[DEFAULT]
+admin_token = {{ token }}
+use_syslog = {{ use_syslog }}
+log_config_append = {{ log_config }}
+debug = {{ debug }}
+public_endpoint = {{ public_endpoint }}
+admin_endpoint = {{ admin_endpoint }}
+
+[database]
+{% if database_host -%}
+connection = {{ database_type }}://{{ database_user }}:{{ database_password }}@{{ database_host }}/{{ database }}{% if database_ssl_ca %}?ssl_ca={{ database_ssl_ca }}{% if database_ssl_cert %}&ssl_cert={{ database_ssl_cert }}&ssl_key={{ database_ssl_key }}{% endif %}{% endif %}
+{% else -%}
+connection = sqlite:////var/lib/keystone/keystone.db
+{% endif -%}
+connection_recycle_time = 200
+
+[identity]
+driver = {{ identity_backend }}
+{% if default_domain_id -%}
+default_domain_id = {{ default_domain_id }}
+{% endif -%}
+
+{% if api_version == 3 -%}
+domain_specific_drivers_enabled = True
+domain_config_dir = {{ domain_config_dir }}
+{% endif -%}
+
+[credential]
+driver = sql
+
+[trust]
+driver = sql
+
+[os_inherit]
+
+[catalog]
+driver = sql
+
+[endpoint_filter]
+
+[token]
+{% if token_provider == 'fernet' -%}
+provider = fernet
+{% else -%}
+driver = sql
+provider = uuid
+{% endif -%}
+expiration = {{ token_expiration }}
+
+{% if token_provider == 'fernet' -%}
+[fernet_tokens]
+max_active_keys = {{ fernet_max_active_keys }}
+{% endif -%}
+
+{% include "parts/section-signing" %}
+
+{% include "section-oslo-cache" %}
+
+[policy]
+driver = sql
+
+[assignment]
+driver = {{ assignment_backend }}
+
+[oauth1]
+
+{% if middlewares -%}
+{% include "parts/section-middleware" %}
+{% else %}
+[auth]
+methods = external,password,token,oauth1,mapped,openid,totp,application_credential
+password = keystone.auth.plugins.password.Password
+token = keystone.auth.plugins.token.Token
+oauth1 = keystone.auth.plugins.oauth1.OAuth
+{% endif %}
+
+[paste_deploy]
+config_file = {{ paste_config_file }}
+
+[extra_headers]
+Distribution = Ubuntu
+
+[ldap]
+{% if identity_backend == 'ldap' -%}
+url = {{ ldap_server }}
+user = {{ ldap_user }}
+password = {{ ldap_password }}
+suffix = {{ ldap_suffix }}
+
+{% if ldap_config_flags -%}
+{% for key, value in ldap_config_flags.items() -%}
+{{ key }} = {{ value }}
+{% endfor -%}
+{% endif -%}
+
+{% if ldap_readonly -%}
+user_allow_create = False
+user_allow_update = False
+user_allow_delete = False
+
+tenant_allow_create = False
+tenant_allow_update = False
+tenant_allow_delete = False
+
+role_allow_create = False
+role_allow_update = False
+role_allow_delete = False
+
+group_allow_create = False
+group_allow_update = False
+group_allow_delete = False
+{% endif -%}
+{% endif -%}
+
+{% if api_version == 3 -%}
+[resource]
+admin_project_domain_name = {{ admin_domain_name }}
+admin_project_name = admin
+{% endif -%}
+
+{% include "parts/section-federation" %}
+
+{% include "section-oslo-middleware" %}
+# This goes in the section above, selectively
+# Bug #1819134
+max_request_body_size = 114688
diff --git a/templates/rocky/keystone.conf b/templates/rocky/keystone.conf
index 4abcb2b6..2943a980 100644
--- a/templates/rocky/keystone.conf
+++ b/templates/rocky/keystone.conf
@@ -58,7 +58,7 @@ driver = sql
 driver = {{ assignment_backend }}
 
 [auth]
-methods = external,password,token,oauth1,mapped,openid,totp
+methods = external,password,token,oauth1,mapped,openid,totp,application_credential
 
 [paste_deploy]
 config_file = {{ paste_config_file }}
@@ -109,4 +109,4 @@ admin_project_name = admin
 {% include "section-oslo-middleware" %}
 # This goes in the section above, selectively
 # Bug #1819134
-max_request_body_size = 114688
\ No newline at end of file
+max_request_body_size = 114688
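Review bot: `admin_token = {{ token }}` in `[DEFAULT]` writes a static shared secret into every queens deployment, and keystone documents that value as a bootstrap credential that bypasses normal authorization wherever the `admin_token_auth` filter is still in the paste pipeline. The pipeline comes from `paste_config_file`, which this hunk does not show, so confirm it omits that filter on queens; if the charm no longer needs the token on this release, drop the line. Separately, the trailing `max_request_body_size = 114688` only applies if the rendered `section-oslo-middleware` include leaves its section open as the last one in the file. A comment such as `# relies on the include above ending inside [oslo_middleware]` would keep a later edit from silently moving the request-size limit into another section.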
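Review bot: The `methods` line under `[auth]` is a fixed list in the template, so this change enables `application_credential` for every rocky deployment alongside `external`, `mapped`, `openid` and `totp`, with no charm option visible in the hunk to narrow it. Application credentials can be long-lived secrets, so a deployment that does not use them would reasonably want the method off. Consider rendering the list from context with the current value as the default, e.g. `methods = {{ auth_methods | default('external,password,token,oauth1,mapped,openid,totp,application_credential') }}`, where `auth_methods` is a placeholder name for a new context key. The same fixed list is added in the `[auth]` fallback of templates/queens/keystone.conf.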