diff --git a/doc/source/apache-httpd.rst b/doc/source/apache-httpd.rst
index 97ae36bcf9..948bd280b3 100644
--- a/doc/source/apache-httpd.rst
+++ b/doc/source/apache-httpd.rst
@@ -45,13 +45,6 @@ Update the file to match your system configuration. Note the following:
   server logs in the ``apache2`` directory and some in the ``httpd`` directory.
 * Enable TLS by supplying the correct certificates.
 
-Create the directory ``/var/www/cgi-bin/keystone/``. You can either hardlink or
-softlink the files ``main`` and ``admin`` to the file ``keystone.py`` in this
-directory. For a distribution-appropriate place, it should probably be copied
-to::
-
-    /usr/share/openstack/keystone/httpd/keystone.py
-
 Keystone's primary configuration file (``etc/keystone.conf``) and the
 PasteDeploy configuration file (``etc/keystone-paste.ini``) must be readable to
 HTTPD in one of the default locations described in :doc:`configuration`.
diff --git a/httpd/wsgi-keystone.conf b/httpd/wsgi-keystone.conf
index 314d737ae8..c2224d4247 100644
--- a/httpd/wsgi-keystone.conf
+++ b/httpd/wsgi-keystone.conf
@@ -4,7 +4,7 @@ Listen 35357
 <VirtualHost *:5000>
     WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
     WSGIProcessGroup keystone-public
-    WSGIScriptAlias / /var/www/cgi-bin/keystone/main
+    WSGIScriptAlias / /usr/local/bin/keystone-wsgi-public
     WSGIApplicationGroup %{GLOBAL}
     WSGIPassAuthorization On
     <IfVersion >= 2.4>
@@ -12,12 +12,22 @@ Listen 35357
     </IfVersion>
     ErrorLog /var/log/apache2/keystone.log
     CustomLog /var/log/apache2/keystone_access.log combined
+
+    <Directory /usr/local/bin>
+        <IfVersion >= 2.4>
+            Require all granted
+        </IfVersion>
+        <IfVersion < 2.4>
+            Order allow,deny
+            Allow from all
+        </IfVersion>
+    </Directory>
 </VirtualHost>
 
 <VirtualHost *:35357>
     WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
     WSGIProcessGroup keystone-admin
-    WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
+    WSGIScriptAlias / /usr/local/bin/keystone-wsgi-admin
     WSGIApplicationGroup %{GLOBAL}
     WSGIPassAuthorization On
     <IfVersion >= 2.4>
@@ -25,4 +35,14 @@ Listen 35357
     </IfVersion>
     ErrorLog /var/log/apache2/keystone.log
     CustomLog /var/log/apache2/keystone_access.log combined
+
+    <Directory /usr/local/bin>
+        <IfVersion >= 2.4>
+            Require all granted
+        </IfVersion>
+        <IfVersion < 2.4>
+            Order allow,deny
+            Allow from all
+        </IfVersion>
+    </Directory>
 </VirtualHost>
diff --git a/keystone/server/wsgi.py b/keystone/server/wsgi.py
index 863f13bcee..dbdad32644 100644
--- a/keystone/server/wsgi.py
+++ b/keystone/server/wsgi.py
@@ -50,3 +50,11 @@ def initialize_application(name):
     _unused, application = common.setup_backends(
         startup_application_fn=loadapp)
     return application
+
+
+def initialize_admin_application():
+    return initialize_application('admin')
+
+
+def initialize_public_application():
+    return initialize_application('main')
diff --git a/setup.cfg b/setup.cfg
index 17d348ebfe..b2236ae6c8 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -66,6 +66,10 @@ console_scripts =
     keystone-all = keystone.cmd.all:main
     keystone-manage = keystone.cmd.manage:main
 
+wsgi_scripts =
+    keystone-wsgi-admin = keystone.server.wsgi:initialize_admin_application
+    keystone-wsgi-public = keystone.server.wsgi:initialize_public_application
+
 keystone.assignment =
     ldap = keystone.assignment.backends.ldap:Assignment
     sql = keystone.assignment.backends.sql:Assignment