diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5c3ea6c..2625205 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,10 @@
 # CHANGELOG for cookbook-openstack-identity
 This file is used to list changes made in each version of cookbook-openstack-identity.
 
+## 9.3.1
+* Add support for a templated keystone-paste.ini
+  as well as support misc_paste options inserted
+
 ## 9.3.0
 * python_packages database client attributes have been migrated to the -common cookbook
 
diff --git a/attributes/default.rb b/attributes/default.rb
index 19972f0..b67fe9f 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -36,8 +36,16 @@ default['openstack']['identity']['verbose'] = 'False'
 default['openstack']['identity']['debug'] = 'False'
 
 # Specify a location to retrieve keystone-paste.ini from
+# which can either be a remote url using http:// or a
+# local path to a file using file:// which would generally
+# be a distribution file - if this option is left nil then
+# the templated version distributed with this cookbook
+# will be used (keystone-paste.ini.erb)
 default['openstack']['identity']['pastefile_url'] = nil
 
+# array of lines to add to templated version of keystone-paste.ini
+default['openstack']['identity']['misc_paste'] = []
+
 default['openstack']['identity']['region'] = node['openstack']['region']
 default['openstack']['identity']['token']['expiration'] = '86400'
 
diff --git a/metadata.rb b/metadata.rb
index 4105abb..406eeec 100644
--- a/metadata.rb
+++ b/metadata.rb
@@ -4,7 +4,7 @@ maintainer_email 'matt@opscode.com'
 license          'Apache 2.0'
 description      'The OpenStack Identity service Keystone.'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version          '9.3.0'
+version          '9.3.1'
 
 recipe           'openstack-identity::client', 'Install packages required for keystone client'
 recipe           'openstack-identity::server', 'Installs and Configures Keystone Service'
diff --git a/recipes/server.rb b/recipes/server.rb
index 87551c5..0f8f651 100644
--- a/recipes/server.rb
+++ b/recipes/server.rb
@@ -179,6 +179,7 @@ admin_endpoint = "#{ae.scheme}://#{ae.host}:#{ae.port}/"
 # /etc/keystone/keystone-paste.ini is not packaged.
 if node['openstack']['identity']['pastefile_url']
   remote_file '/etc/keystone/keystone-paste.ini' do
+    action   :create_if_missing
     source   node['openstack']['identity']['pastefile_url']
     owner    node['openstack']['identity']['user']
     group    node['openstack']['identity']['group']
@@ -186,14 +187,12 @@ if node['openstack']['identity']['pastefile_url']
     notifies :restart, 'service[keystone]', :delayed
   end
 else
-  remote_file '/etc/keystone/keystone-paste.ini' do
-    source   'file:////usr/share/keystone/keystone-dist-paste.ini'
-    action   :create_if_missing
-    owner    node['openstack']['identity']['user']
-    group    node['openstack']['identity']['group']
-    mode     00644
+  template '/etc/keystone/keystone-paste.ini' do
+    source 'keystone-paste.ini.erb'
+    owner node['openstack']['identity']['user']
+    group node['openstack']['identity']['group']
+    mode   00644
     notifies :restart, 'service[keystone]', :delayed
-    only_if  { platform_family?('rhel') }
   end
 end
 
diff --git a/spec/server-redhat_spec.rb b/spec/server-redhat_spec.rb
index b983164..ed5d5b3 100644
--- a/spec/server-redhat_spec.rb
+++ b/spec/server-redhat_spec.rb
@@ -46,12 +46,13 @@ describe 'openstack-identity::server' do
     end
 
     describe 'keystone-paste.ini' do
+      before { node.set['openstack']['identity']['pastefile_url'] = 'file:///usr/share/keystone/keystone-dist-paste.ini' }
       paste_file = '/etc/keystone/keystone-paste.ini'
-
       let(:file_resource) { chef_run.remote_file(paste_file) }
 
-      it 'copies in keystone-dist-paste.ini when keystone-paste remote not specified ' do
+      it 'copies local keystone-dist-paste.ini when keystone-paste pastefile_url is specified' do
         expect(chef_run).to create_remote_file_if_missing(paste_file).with(
+          source: 'file:///usr/share/keystone/keystone-dist-paste.ini',
           user: 'keystone',
           group: 'keystone',
           mode: 00644)
diff --git a/spec/server_spec.rb b/spec/server_spec.rb
index 3b96c59..3de96d4 100644
--- a/spec/server_spec.rb
+++ b/spec/server_spec.rb
@@ -703,27 +703,41 @@ describe 'openstack-identity::server' do
       end
     end
 
-    describe 'keystone-paste.ini' do
+    describe 'keystone-paste.ini as template' do
 
-      it 'does not manage keystone-paste unless specified' do
-        expect(chef_run).not_to create_remote_file('/etc/keystone/keystone-paste.ini')
+      let(:path) { '/etc/keystone/keystone-paste.ini' }
+      let(:template) { chef_run.template(path) }
+
+      it 'has proper owner' do
+        expect(template.owner).to eq('keystone')
+        expect(template.group).to eq('keystone')
       end
 
-      describe 'keystone-paste remote specified' do
-
-        before { node.set['openstack']['identity']['pastefile_url'] = 'http://server/mykeystone-paste.ini' }
-        let(:remote_paste) { chef_run.remote_file('/etc/keystone/keystone-paste.ini') }
-
-        it 'does manage keystone-paste from remote file if specified' do
-          expect(chef_run).to create_remote_file('/etc/keystone/keystone-paste.ini').with(
-            user: 'keystone',
-            group: 'keystone',
-            mode: 00644)
-          expect(remote_paste).to notify('service[keystone]').to(:restart)
-        end
+      it 'has proper modes' do
+        expect(sprintf('%o', template.mode)).to eq('644')
       end
 
+      it 'template misc_paste array correctly' do
+        node.set['openstack']['identity']['misc_paste'] = ['MISC1=OPTION1', 'MISC2=OPTION2']
+        expect(chef_run).to render_file(path).with_content(
+          /^MISC1=OPTION1$/)
+        expect(chef_run).to render_file(path).with_content(
+          /^MISC2=OPTION2$/)
+      end
     end
 
+    describe 'keystone-paste.ini as remote file' do
+      before { node.set['openstack']['identity']['pastefile_url'] = 'http://server/mykeystone-paste.ini' }
+      let(:remote_paste) { chef_run.remote_file('/etc/keystone/keystone-paste.ini') }
+
+      it 'uses a remote file if pastefile_url is specified' do
+        expect(chef_run).to create_remote_file_if_missing('/etc/keystone/keystone-paste.ini').with(
+          source: 'http://server/mykeystone-paste.ini',
+          user: 'keystone',
+          group: 'keystone',
+          mode: 00644)
+        expect(remote_paste).to notify('service[keystone]').to(:restart)
+      end
+    end
   end
 end
diff --git a/templates/default/keystone-paste.ini.erb b/templates/default/keystone-paste.ini.erb
new file mode 100644
index 0000000..e1ed44b
--- /dev/null
+++ b/templates/default/keystone-paste.ini.erb
@@ -0,0 +1,100 @@
+<%= node["openstack"]["identity"]["custom_template_banner"] %>
+
+# keystone PasteDeploy configuration file.
+
+[filter:debug]
+paste.filter_factory = keystone.common.wsgi:Debug.factory
+
+[filter:token_auth]
+paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory
+
+[filter:admin_token_auth]
+paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory
+
+[filter:xml_body]
+paste.filter_factory = keystone.middleware:XmlBodyMiddleware.factory
+
+[filter:json_body]
+paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory
+
+[filter:user_crud_extension]
+paste.filter_factory = keystone.contrib.user_crud:CrudExtension.factory
+
+[filter:crud_extension]
+paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory
+
+[filter:ec2_extension]
+paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory
+
+[filter:oauth_extension]
+paste.filter_factory = keystone.contrib.oauth1.routers:OAuth1Extension.factory
+
+[filter:s3_extension]
+paste.filter_factory = keystone.contrib.s3:S3Extension.factory
+
+[filter:endpoint_filter_extension]
+paste.filter_factory = keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory
+
+[filter:url_normalize]
+paste.filter_factory = keystone.middleware:NormalizingFilter.factory
+
+[filter:sizelimit]
+paste.filter_factory = keystone.middleware:RequestBodySizeLimiter.factory
+
+[filter:stats_monitoring]
+paste.filter_factory = keystone.contrib.stats:StatsMiddleware.factory
+
+[filter:stats_reporting]
+paste.filter_factory = keystone.contrib.stats:StatsExtension.factory
+
+[filter:access_log]
+paste.filter_factory = keystone.contrib.access:AccessLogMiddleware.factory
+
+[app:public_service]
+paste.app_factory = keystone.service:public_app_factory
+
+[app:service_v3]
+paste.app_factory = keystone.service:v3_app_factory
+
+[app:admin_service]
+paste.app_factory = keystone.service:admin_app_factory
+
+[pipeline:public_api]
+pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension user_crud_extension public_service
+
+[pipeline:admin_api]
+pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension s3_extension crud_extension admin_service
+
+[pipeline:api_v3]
+pipeline = access_log sizelimit url_normalize token_auth admin_token_auth xml_body json_body ec2_extension s3_extension service_v3
+
+[app:public_version_service]
+paste.app_factory = keystone.service:public_version_app_factory
+
+[app:admin_version_service]
+paste.app_factory = keystone.service:admin_version_app_factory
+
+[pipeline:public_version_api]
+pipeline = access_log sizelimit url_normalize xml_body public_version_service
+
+[pipeline:admin_version_api]
+pipeline = access_log sizelimit url_normalize xml_body admin_version_service
+
+[composite:main]
+use = egg:Paste#urlmap
+/v2.0 = public_api
+/v3 = api_v3
+/ = public_version_api
+
+[composite:admin]
+use = egg:Paste#urlmap
+/v2.0 = admin_api
+/v3 = api_v3
+/ = admin_version_api
+
+<% if node["openstack"]["identity"]["misc_paste"] %>
+<% node["openstack"]["identity"]["misc_paste"].each do |m| %>
+<%= m %>
+<% end %>
+<% end %>
+