diff --git a/keystone/common/config.py b/keystone/common/config.py
index 9ca3493090..3663d58bfb 100644
--- a/keystone/common/config.py
+++ b/keystone/common/config.py
@@ -295,6 +295,10 @@ FILE_OPTIONS = {
                     'allow_rescoped_scoped_token to false prevents a user '
                     'from exchanging a scoped token for any other token.'),
         cfg.StrOpt('hash_algorithm', default='md5',
+                   deprecated_for_removal=True,
+                   deprecated_reason='PKI token support has been deprecated '
+                                     'in the M release and will be removed '
+                                     'in the O release.',
                    help='The hash algorithm to use for PKI tokens. This can '
                         'be set to any algorithm that hashlib supports. '
                         'WARNING: Before changing this value, the auth_token '
diff --git a/releasenotes/notes/deprecated-as-of-mitaka-8534e43fa40c1d09.yaml b/releasenotes/notes/deprecated-as-of-mitaka-8534e43fa40c1d09.yaml
index fe9d9fe77b..9de697a826 100644
--- a/releasenotes/notes/deprecated-as-of-mitaka-8534e43fa40c1d09.yaml
+++ b/releasenotes/notes/deprecated-as-of-mitaka-8534e43fa40c1d09.yaml
@@ -3,4 +3,6 @@ deprecations:
   - >
     [`blueprint deprecated-as-of-mitaka <https://blueprints.launchpad.net/keystone/+spec/deprecated-as-of-mitaka>`_]
     As of the Mitaka release, the PKI and PKIz token formats have been
-    deprecated. They will be removed in the 'O' release.
+    deprecated. They will be removed in the 'O' release. Due to this change,
+    the ``hash_algorithm`` option in the ``[token]`` section of the
+    configuration file has also been deprecated.