diff --git a/doc/source/man/keystone-manage.rst b/doc/source/man/keystone-manage.rst
index a2d97b7883..a69cf374fd 100644
--- a/doc/source/man/keystone-manage.rst
+++ b/doc/source/man/keystone-manage.rst
@@ -48,7 +48,7 @@ Available commands:
 * ``fernet_setup``: Setup a Fernet key repository.
 * ``mapping_purge``: Purge the identity mapping table.
 * ``mapping_engine``: Test your federation mapping rules.
-* ``pki_setup``: Initialize the certificates used to sign tokens.
+* ``pki_setup``: Initialize the certificates used to sign tokens. **deprecated**
 * ``saml_idp_metadata``: Generate identity provider metadata.
 * ``ssl_setup``: Generate certificates for SSL.
 * ``token_flush``: Purge expired tokens.
diff --git a/keystone/cmd/cli.py b/keystone/cmd/cli.py
index 59cb0508a0..49979877ee 100644
--- a/keystone/cmd/cli.py
+++ b/keystone/cmd/cli.py
@@ -20,6 +20,7 @@ import uuid
 from oslo_config import cfg
 from oslo_log import log
+from oslo_log import versionutils
 from oslo_serialization import jsonutils
 import pbr.version
@@ -313,13 +314,19 @@ class PKISetup(BaseCertificateSetup):
 """Set up Key pairs and certificates for token signing and verification.
 This is NOT intended for production use, see Keystone Configuration
- documentation for details.
+ documentation for details. As of the Mitaka release, this command has
+ been DEPRECATED and may be removed in the 'O' release.
 """
 name = 'pki_setup'
 @classmethod
 def main(cls):
+ versionutils.report_deprecated_feature(
+ LOG,
+ _LW("keystone-manage pki_setup is deprecated as of Mitaka in "
+ "favor of not using PKI tokens and may be removed in 'O' "
+ "release."))
 LOG.warning(_LW('keystone-manage pki_setup is not recommended for '
 'production use.'))
 keystone_user_id, keystone_group_id = cls.get_user_group()
diff --git a/releasenotes/notes/deprecated-as-of-mitaka-8534e43fa40c1d09.yaml b/releasenotes/notes/deprecated-as-of-mitaka-8534e43fa40c1d09.yaml
index 11b0e21150..28e99871d2 100644
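Review bot: The deprecation message added at the top of `PKISetup.main()` in keystone/cmd/cli.py, and the matching sentence in the class docstring, say only that PKI tokens should not be used and never name what to move to, so an operator who hits this warning while provisioning signing certificates has no next step. If Fernet is the intended replacement (the man page touched by this commit lists `fernet_setup`), the message could say so, for example `"favor of not using PKI tokens (see fernet_setup) and may be removed in "`. The new text also says the command "may be removed" in the 'O' release, while the release note in this commit says the PKI and PKIz formats "will be removed"; the two should be aligned. `main()` continues past the end of the hunk.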
--- a/releasenotes/notes/deprecated-as-of-mitaka-8534e43fa40c1d09.yaml
+++ b/releasenotes/notes/deprecated-as-of-mitaka-8534e43fa40c1d09.yaml
@@ -5,7 +5,8 @@ deprecations:
 As of the Mitaka release, the PKI and PKIz token formats have been deprecated. They will be removed in the 'O' release. Due to this change, the ``hash_algorithm`` option in the ``[token]`` section of the
- configuration file has also been deprecated.
+ configuration file has also been deprecated. Also due to this change, the
+ ``keystone-manage pki_setup`` command has been deprecated as well.
 - >
 [`blueprint deprecated-as-of-mitaka `_]
 As of the Mitaka release, write support for the LDAP driver of the Identity