diff --git a/examples/pki/gen_pki.sh b/examples/pki/gen_pki.sh
index 85369d29f..655502659 100755
--- a/examples/pki/gen_pki.sh
+++ b/examples/pki/gen_pki.sh
@@ -24,21 +24,21 @@ CMS_DIR=$CURRENT_DIR/cms
 function rm_old {
- rm -rf $CERTS_DIR/*.pem
- rm -rf $PRIVATE_DIR/*.pem
+ rm -rf $CERTS_DIR/*.pem
+ rm -rf $PRIVATE_DIR/*.pem
 }
 function cleanup {
- rm -rf *.conf > /dev/null 2>&1
- rm -rf index* > /dev/null 2>&1
- rm -rf *.crt > /dev/null 2>&1
- rm -rf newcerts > /dev/null 2>&1
- rm -rf *.pem > /dev/null 2>&1
- rm -rf serial* > /dev/null 2>&1
+ rm -rf *.conf > /dev/null 2>&1
+ rm -rf index* > /dev/null 2>&1
+ rm -rf *.crt > /dev/null 2>&1
+ rm -rf newcerts > /dev/null 2>&1
+ rm -rf *.pem > /dev/null 2>&1
+ rm -rf serial* > /dev/null 2>&1
 }
 function generate_ca_conf {
- echo '
+ echo '
 [ req ]
 default_bits = 2048
 default_keyfile = cakey.pem
@@ -65,7 +65,7 @@ basicConstraints = critical,CA:true
 }
 function generate_ssl_req_conf {
- echo '
+ echo '
 [ req ]
 default_bits = 2048
 default_keyfile = keystonekey.pem
@@ -86,7 +86,7 @@ emailAddress = keystone@openstack.org
 }
 function generate_cms_signing_req_conf {
- echo '
+ echo '
 [ req ]
 default_bits = 2048
 default_keyfile = keystonekey.pem
@@ -107,7 +107,7 @@ emailAddress = keystone@openstack.org
 }
 function generate_signing_conf {
- echo '
+ echo '
 [ ca ]
 default_ca = signing_ca
@@ -138,75 +138,74 @@ commonName = supplied
 }
 function setup {
- touch index.txt
- echo '10' > serial
- generate_ca_conf
- mkdir newcerts
+ touch index.txt
+ echo '10' > serial
+ generate_ca_conf
+ mkdir newcerts
 }
 function check_error {
- if [ $1 != 0 ] ; then
- echo "Failed! rc=${1}"
- echo 'Bailing ...'
- cleanup
- exit $1
- else
- echo 'Done'
- fi
+ if [ $1 != 0 ] ; then
+ echo "Failed! rc=${1}"
+ echo 'Bailing ...'
+ cleanup
+ exit $1
+ else
+ echo 'Done'
+ fi
 }
 function generate_ca {
- echo 'Generating New CA Certificate ...'
- openssl req -x509 -newkey rsa:2048 -days 21360 -out $CERTS_DIR/cacert.pem -keyout $PRIVATE_DIR/cakey.pem -outform PEM -config ca.conf -nodes
- check_error $?
+ echo 'Generating New CA Certificate ...'
+ openssl req -x509 -newkey rsa:2048 -days 21360 -out $CERTS_DIR/cacert.pem -keyout $PRIVATE_DIR/cakey.pem -outform PEM -config ca.conf -nodes
+ check_error $?
 }
 function ssl_cert_req {
- echo 'Generating SSL Certificate Request ...'
- generate_ssl_req_conf
- openssl req -newkey rsa:2048 -keyout $PRIVATE_DIR/ssl_key.pem -keyform PEM -out ssl_req.pem -outform PEM -config ssl_req.conf -nodes
- check_error $?
- #openssl req -in req.pem -text -noout
+ echo 'Generating SSL Certificate Request ...'
+ generate_ssl_req_conf
+ openssl req -newkey rsa:2048 -keyout $PRIVATE_DIR/ssl_key.pem -keyform PEM -out ssl_req.pem -outform PEM -config ssl_req.conf -nodes
+ check_error $?
+ #openssl req -in req.pem -text -noout
 }
 function cms_signing_cert_req {
- echo 'Generating CMS Signing Certificate Request ...'
- generate_cms_signing_req_conf
- openssl req -newkey rsa:2048 -keyout $PRIVATE_DIR/signing_key.pem -keyform PEM -out cms_signing_req.pem -outform PEM -config cms_signing_req.conf -nodes
- check_error $?
- #openssl req -in req.pem -text -noout
+ echo 'Generating CMS Signing Certificate Request ...'
+ generate_cms_signing_req_conf
+ openssl req -newkey rsa:2048 -keyout $PRIVATE_DIR/signing_key.pem -keyform PEM -out cms_signing_req.pem -outform PEM -config cms_signing_req.conf -nodes
+ check_error $?
+ #openssl req -in req.pem -text -noout
 }
 function issue_certs {
- generate_signing_conf
- echo 'Issuing SSL Certificate ...'
- openssl ca -in ssl_req.pem -config signing.conf -batch
- check_error $?
- openssl x509 -in $CURRENT_DIR/newcerts/10.pem -out $CERTS_DIR/ssl_cert.pem
- check_error $?
- echo 'Issuing CMS Signing Certificate ...'
- openssl ca -in cms_signing_req.pem -config signing.conf -batch
- check_error $?
- openssl x509 -in $CURRENT_DIR/newcerts/11.pem -out $CERTS_DIR/signing_cert.pem
- check_error $?
+ generate_signing_conf
+ echo 'Issuing SSL Certificate ...'
+ openssl ca -in ssl_req.pem -config signing.conf -batch
+ check_error $?
+ openssl x509 -in $CURRENT_DIR/newcerts/10.pem -out $CERTS_DIR/ssl_cert.pem
+ check_error $?
+ echo 'Issuing CMS Signing Certificate ...'
+ openssl ca -in cms_signing_req.pem -config signing.conf -batch
+ check_error $?
+ openssl x509 -in $CURRENT_DIR/newcerts/11.pem -out $CERTS_DIR/signing_cert.pem
+ check_error $?
 }
 function create_middleware_cert {
- cp $CERTS_DIR/ssl_cert.pem $CERTS_DIR/middleware.pem
- cat $PRIVATE_DIR/ssl_key.pem >> $CERTS_DIR/middleware.pem
+ cp $CERTS_DIR/ssl_cert.pem $CERTS_DIR/middleware.pem
+ cat $PRIVATE_DIR/ssl_key.pem >> $CERTS_DIR/middleware.pem
 }
 function check_openssl {
- echo 'Checking openssl availability ...'
- which openssl
- check_error $?
+ echo 'Checking openssl availability ...'
+ which openssl
+ check_error $?
 }
 function gen_sample_cms {
- for json_file in "${CMS_DIR}/auth_token_revoked.json" "${CMS_DIR}/auth_token_unscoped.json" "${CMS_DIR}/auth_token_scoped.json" "${CMS_DIR}/revocation_list.json"
- do
- openssl cms -sign -in $json_file -nosmimecap -signer $CERTS_DIR/signing_cert.pem -inkey $PRIVATE_DIR/signing_key.pem -outform PEM -nodetach -nocerts -noattr -out ${json_file/.json/.pem}
- done
+ for json_file in "${CMS_DIR}/auth_token_revoked.json" "${CMS_DIR}/auth_token_unscoped.json" "${CMS_DIR}/auth_token_scoped.json" "${CMS_DIR}/revocation_list.json"; do
+ openssl cms -sign -in $json_file -nosmimecap -signer $CERTS_DIR/signing_cert.pem -inkey $PRIVATE_DIR/signing_key.pem -outform PEM -nodetach -nocerts -noattr -out ${json_file/.json/.pem}
+ done
 }
 check_openssl
diff --git a/test-requirements.txt b/test-requirements.txt
index 3e061ae1f..c666c2871 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -1,4 +1,5 @@
 hacking>=0.8.0,<0.9
+bash8
 # Optional backend: SQL
 pysqlite
diff --git a/tools/debug_helper.sh b/tools/debug_helper.sh
index 64088f528..e373cce94 100755
--- a/tools/debug_helper.sh
+++ b/tools/debug_helper.sh
@@ -8,8 +8,7 @@ TESTS_TO_RUN=$TMP_DIR/ks_to_run
 python -m testtools.run discover -t ./ ./keystone/tests --list > $ALL_TESTS
-if [ "$1" ]
-then
+if [ "$1" ]; then
 grep "$1" < $ALL_TESTS > $TESTS_TO_RUN
 else
 mv $ALL_TESTS $TESTS_TO_RUN
diff --git a/tox.ini b/tox.ini
index 5a5e370a6..0c3709a76 100644
--- a/tox.ini
+++ b/tox.ini
@@ -40,6 +40,11 @@ commands =
 bash -c "find keystone -type f -regex '.*\.pot*' -print0| \
 xargs -0 -n 1 msgfmt --check-format -o /dev/null"
+[testenv:bash8]
+envdir = {toxworkdir}/venv
+commands =
+ bash8 examples/pki/gen_pki.sh tools/debug_helper.sh
+
 [tox:jenkins]
 downloadcache = ~/cache/pip
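Review bot: The private keys produced in the `gen_pki.sh` hunk starting at line 138 get no explicit file permissions. `generate_ca`, `ssl_cert_req` and `cms_signing_cert_req` all pass `-nodes`, so the keys are unencrypted, and `create_middleware_cert` appends `ssl_key.pem` to `middleware.pem` under `$CERTS_DIR`, next to the public certificates. Nothing visible in the diff sets a umask or calls chmod (the rest of the script is outside the hunks, so this may be handled there), which would leave the key files readable under the caller's default umask. If these are sample keys for the examples and tests only, say so above `generate_ca`, e.g. `# Sample keys for examples/tests only: unencrypted (-nodes), never deploy them.` Otherwise add `umask 077` as the first line of `setup` and `chmod 600 $CERTS_DIR/middleware.pem` after the `cat`.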
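Review bot: `bash8` is added to `test-requirements.txt` with no version bound, unlike `hacking>=0.8.0,<0.9` on the line above, so each fresh test environment installs whatever release the package index serves at that moment. A new release of the linter can then fail the gate, or run different code in CI, without any change in this repository. Bound it the same way as `hacking`, e.g. `bash8>=<MIN_TESTED>,<<NEXT_INCOMPATIBLE>`, using the version this commit was tested with (placeholders; the page does not state one).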
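Review bot: The new `[testenv:bash8]` command in `tox.ini` names its two scripts explicitly, so a shell script added later is never linted unless someone remembers to extend this line. Discovering the files keeps the check complete, in the same find/xargs form the preceding environment already uses: `bash -c "find examples tools -type f -name '*.sh' -print0 | xargs -0 bash8"`. The hunk does not show `envlist`, so it is worth confirming that the gate actually runs this environment and that it is not available only on request.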