diff --git a/README.md b/README.md
index 28b2564..e085335 100644
--- a/README.md
+++ b/README.md
@@ -250,7 +250,6 @@ Attributes
 * `keystone["admin_token"]` - Admin token for bootstraping keystone server
 * `keystone["roles"]` - Array of roles to create in the keystone server
 * `keystone["users"]` - Array of users to create in the keystone server
-* `keystone["pki"]["enabled"]` - Defaults to false. Set to true to enable PKI in `auth_token` middleware.
 License and Author
 ==================
diff --git a/attributes/default.rb b/attributes/default.rb
index 2ee8b3a..1b27bce 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -57,18 +57,12 @@ default["keystone"]["users"] = {
 }
 }
-default["keystone"]["nova"]["pki"]["enabled"] = false
-if node["keystone"]["nova"]["pki"]["enabled"]
- node.set["keystone"]["signing"]["token_format"] = "PKI"
-else
- node.set["keystone"]["signing"]["token_format"] = "UUID"
-end
 default["keystone"]["signing"]["certfile"] = "/etc/keystone/ssl/certs/signing_cert.pem"
 default["keystone"]["signing"]["keyfile"] = "/etc/keystone/ssl/private/signing_key.pem"
 default["keystone"]["signing"]["ca_certs"] = "/etc/keystone/ssl/certs/ca.pem"
 default["keystone"]["signing"]["key_size"] = "1024"
 default["keystone"]["signing"]["valid_days"] = "3650"
-default["keystone"]["signing"]["ca_password"] = "None"
+default["keystone"]["signing"]["ca_password"] = nil
 # platform defaults
 case platform
diff --git a/recipes/server.rb b/recipes/server.rb
index 10b8d8c..594af45 100644
--- a/recipes/server.rb
+++ b/recipes/server.rb
@@ -80,7 +80,7 @@ execute "keystone-manage pki_setup" do
 action :nothing
- only_if { node["keystone"]["nova"]["pki"]["enabled"] }
+ only_if { node["openstack"]["signing"]["pki"] }
 end
 identity_admin_endpoint = endpoint "identity-admin"
diff --git a/templates/default/keystone.conf.erb b/templates/default/keystone.conf.erb
index 1a4be8f..e4a71f0 100644
--- a/templates/default/keystone.conf.erb
+++ b/templates/default/keystone.conf.erb
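Review bot: In attributes/default.rb the new default `default["keystone"]["signing"]["ca_password"] = nil` feeds the unchanged template line `ca_password = <%= node["keystone"]["signing"]["ca_password"] %>`, which now renders as an empty `ca_password =` whenever the PKI branch is taken. How keystone interprets an empty value is not visible in this diff, so I would either wrap that template line in `<% if node["keystone"]["signing"]["ca_password"] -%>` … `<% end -%>` or at least add the comment `# nil renders as an empty "ca_password =" line in keystone.conf` next to the default. Separately, the untouched `key_size` default of `"1024"` a few lines above is short for a key that signs every PKI token; `"2048"` would be a safer default.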
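Review bot: In recipes/server.rb the guard `only_if { node["openstack"]["signing"]["pki"] }` reads an attribute that nothing in this commit defines, whereas the removed `default["keystone"]["nova"]["pki"]["enabled"] = false` guaranteed the old key always existed. If no other cookbook sets `node["openstack"]["signing"]` (its origin is not visible here), the lookup raises NoMethodError on nil instead of skipping pki_setup, and the same expression in the keystone.conf.erb hunk would abort the template render. I would state the dependency next to the resource, e.g. `# node["openstack"]["signing"]["pki"] is provided by <cookbook that owns it>`, and replace the deleted README entry with one that documents the new attribute. The start of the execute block may sit outside the hunk, since its opening line appears on the hunk header.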
@@ -58,15 +58,17 @@ driver = keystone.policy.backends.rules.Policy
 driver = keystone.contrib.ec2.backends.sql.Ec2
 [signing]
-token_format = <%= node["keystone"]["signing"]["token_format"] %>
-<% if node["keystone"]["nova"]["pki"]["enabled"] -%>
+<% if node["openstack"]["signing"]["pki"] -%>
+token_format = PKI
 certfile = <%= node["keystone"]["signing"]["certfile"] %>
 keyfile = <%= node["keystone"]["signing"]["keyfile"] %>
 ca_certs = <%= node["keystone"]["signing"]["ca_certs"] %>
 key_size = <%= node["keystone"]["signing"]["key_size"] %>
 valid_days = <%= node["keystone"]["signing"]["valid_days"] %>
 ca_password = <%= node["keystone"]["signing"]["ca_password"] %>
-<% end %>
+<% else -%>
+token_format = UUID
+<% end -%>
 [filter:debug]
 paste.filter_factory = keystone.common.wsgi:Debug.factory
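Review bot: The new `<% if node["openstack"]["signing"]["pki"] -%>` test is a plain truthiness check, so any non-nil value, including a string such as "false" supplied through role or environment JSON, selects `token_format = PKI` and emits the whole signing block. Because `token_format` is now hard-coded in both branches, that attribute is the only control over the token format; I would make the comparison explicit, `<% if node["openstack"]["signing"]["pki"] == true -%>`, and use the identical expression in the `only_if` of recipes/server.rb. An ERB comment above the branch, `<%# PKI vs UUID tokens are selected by node["openstack"]["signing"]["pki"] -%>`, would also tell operators where the switch lives now that the README entry has been removed.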