diff --git a/etc/keystone.conf.sample b/etc/keystone.conf.sample
index f4807357ec..b20139d02d 100644
--- a/etc/keystone.conf.sample
+++ b/etc/keystone.conf.sample
@@ -1176,7 +1176,10 @@
 # (string value)
 #token_format=<None>
 
-# Path of the certfile for token signing. (string value)
+# Path of the certfile for token signing. For non-production
+# environments, you may be interested in using `keystone-
+# manage pki_setup` to generate self-signed certificates.
+# (string value)
 #certfile=/etc/keystone/ssl/certs/signing_cert.pem
 
 # Path of the keyfile for token signing. (string value)
@@ -1211,7 +1214,10 @@
 # (boolean value)
 #enable=false
 
-# Path of the certfile for SSL. (string value)
+# Path of the certfile for SSL. For non-production
+# environments, you may be interested in using `keystone-
+# manage ssl_setup` to generate self-signed certificates.
+# (string value)
 #certfile=/etc/keystone/ssl/certs/keystone.pem
 
 # Path of the keyfile for SSL. (string value)
diff --git a/keystone/common/config.py b/keystone/common/config.py
index e936973f70..02179c28a3 100644
--- a/keystone/common/config.py
+++ b/keystone/common/config.py
@@ -288,7 +288,10 @@ FILE_OPTIONS = {
                          'eventlet servers.'),
         cfg.StrOpt('certfile',
                    default="/etc/keystone/ssl/certs/keystone.pem",
-                   help='Path of the certfile for SSL.'),
+                   help='Path of the certfile for SSL. For non-production '
+                        'environments, you may be interested in using '
+                        '`keystone-manage ssl_setup` to generate self-signed '
+                        'certificates.'),
         cfg.StrOpt('keyfile',
                    default='/etc/keystone/ssl/private/keystonekey.pem',
                    help='Path of the keyfile for SSL.'),
@@ -317,7 +320,10 @@ FILE_OPTIONS = {
                         '[token] section.'),
         cfg.StrOpt('certfile',
                    default='/etc/keystone/ssl/certs/signing_cert.pem',
-                   help='Path of the certfile for token signing.'),
+                   help='Path of the certfile for token signing. For '
+                        'non-production environments, you may be interested '
+                        'in using `keystone-manage pki_setup` to generate '
+                        'self-signed certificates.'),
         cfg.StrOpt('keyfile',
                    default='/etc/keystone/ssl/private/signing_key.pem',
                    help='Path of the keyfile for token signing.'),