diff --git a/tasks/keystone_ssl_key_create.yml b/tasks/keystone_ssl_key_create.yml
index 9791f84f..dab2010a 100644
--- a/tasks/keystone_ssl_key_create.yml
+++ b/tasks/keystone_ssl_key_create.yml
@@ -34,3 +34,16 @@
 tags:
 - keystone-configs
 - keystone-ssl
+
+- name: Ensure keystone user owns the self-signed key and certificate
+ file:
+ path: "{{ item }}"
+ owner: "{{ keystone_system_user_name }}"
+ group: "{{ keystone_system_group_name }}"
+ mode: "0640"
+ with_items:
+ - "{{ keystone_ssl_key }}"
+ - "{{ keystone_ssl_cert }}"
+ notify: Restart Apache
+ tags:
+ - keystone-ssl
diff --git a/tasks/keystone_ssl_key_distribute.yml b/tasks/keystone_ssl_key_distribute.yml
index 55ccb444..b73a2dcf 100644
--- a/tasks/keystone_ssl_key_distribute.yml
+++ b/tasks/keystone_ssl_key_distribute.yml
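Review bot: The new ownership task is tagged only `keystone-ssl`, while the task directly above it in this file (its `tags:` block is the hunk's context) carries both `keystone-configs` and `keystone-ssl`, so a run limited to `--tags keystone-configs` executes the generating task but skips this owner/group/mode fix-up and the Apache restart it notifies. Either add `- keystone-configs` to the new task's tags or remove it from the preceding task so the two always run together. Note also that `tasks/keystone_ssl_key_distribute.yml` in this same commit uses the spelling `keystone-config`, which looks like the same tag but never matches this file's `keystone-configs`.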
@@ -13,23 +13,33 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-- name: Distribute self signed cert and key
- memcached:
- name: "{{ item.name }}"
- file_path: "{{ item.src }}"
- state: "retrieve"
- file_mode: "{{ item.file_mode }}"
- dir_mode: "{{ item.dir_mode }}"
- server: "{{ memcached_servers }}"
- encrypt_string: "{{ memcached_encryption_key }}"
- with_items:
- - { src: "{{ keystone_ssl_cert }}", name: "keystone_ssl_cert", file_mode: "0644", dir_mode: "0755" }
- - { src: "{{ keystone_ssl_key }}", name: "keystone_ssl_key", file_mode: "0640", dir_mode: "0750" }
- register: memcache_keys
- until: memcache_keys|success
- retries: 5
- delay: 2
- notify: Restart Apache
+- name: Distribute self signed ssl key
+ copy:
+ dest: "{{ keystone_ssl_key }}"
+ content: "{{ hostvars[groups['keystone_all'][0]]['keystone_ssl_key_fact'] | b64decode }}"
+ owner: "{{ keystone_system_user_name }}"
+ group: "{{ keystone_system_group_name }}"
+ mode: "0640"
+ tags:
+ - keystone-ssl
+
+- name: Distribute self signed ssl cert
+ copy:
+ dest: "{{ keystone_ssl_cert }}"
+ content: "{{ hostvars[groups['keystone_all'][0]]['keystone_ssl_cert_fact'] | b64decode }}"
+ owner: "{{ keystone_system_user_name }}"
+ group: "{{ keystone_system_group_name }}"
+ mode: "0640"
+ tags:
+ - keystone-ssl
+
+- name: Ensure keystone user owns the self-signed key and certificate
+ file:
+ path: "{{ item }}"
+ owner: "{{ keystone_system_user_name }}"
+ group: "{{ keystone_system_group_name }}"
+ with_items:
+ - "{{ keystone_ssl_key }}"
+ - "{{ keystone_ssl_cert }}"
 tags:
- - keystone-config
 - keystone-ssl
diff --git a/tasks/keystone_ssl_key_store.yml b/tasks/keystone_ssl_key_store.yml
index 6971ac06..b4a4df13 100644
--- a/tasks/keystone_ssl_key_store.yml
+++ b/tasks/keystone_ssl_key_store.yml
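Review bot: Neither new `copy` task carries `notify: Restart Apache`, although the memcached task they replace did (see the removed `- notify: Restart Apache` line) and the ownership task added to `keystone_ssl_key_create.yml` in this commit keeps it, so a changed key or cert on a non-primary keystone host is written to disk but Apache keeps serving the old pair until something else restarts it; add `notify: Restart Apache` to both copy tasks. The private key is handed to the module as a task argument through `content:`; unless the copy module masks that field, a verbose run prints it, so `no_log: true` on the "Distribute self signed ssl key" task is a cheap safeguard. The trailing "Ensure keystone user owns" task repeats the owner and group the two copy tasks already set and omits `mode`, so it is either redundant or should carry `mode: "0640"` for consistency with the create-side task. The `hostvars[groups['keystone_all'][0]]` lookup is undefined whenever the store tasks did not run on the first keystone host (tag-limited or partially failed run), which presumably surfaces as a hard templating error rather than a clear message.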
@@ -13,19 +13,25 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-- name: Store self signed cert and key
- memcached:
- name: "{{ item.name }}"
- file_path: "{{ item.src }}"
- state: "present"
- server: "{{ memcached_servers }}"
- encrypt_string: "{{ memcached_encryption_key }}"
- with_items:
- - { src: "{{ keystone_ssl_cert }}", name: "keystone_ssl_cert" }
- - { src: "{{ keystone_ssl_key }}", name: "keystone_ssl_key" }
- register: memcache_keys
- until: memcache_keys|success
- retries: 5
- delay: 2
+- name: Store ssl cert
+ slurp:
+ src: "{{ keystone_ssl_cert }}"
+ register: _keystone_ssl_cert
+ changed_when: false
+ tags:
+ - keystone-ssl
+
+- name: Store ssl key
+ slurp:
+ src: "{{ keystone_ssl_key }}"
+ register: _keystone_ssl_key
+ changed_when: false
+ tags:
+ - keystone-ssl
+
+- name: Register a fact for the cert and key
+ set_fact:
+ keystone_ssl_cert_fact: "{{ _keystone_ssl_cert.content }}"
+ keystone_ssl_key_fact: "{{ _keystone_ssl_key.content }}"
 tags:
 - keystone-ssl
diff --git a/tests/test-keystone-functional.yml b/tests/test-keystone-functional.yml
index e4cf9d17..84738340 100644
--- a/tests/test-keystone-functional.yml
+++ b/tests/test-keystone-functional.yml
@@ -51,5 +51,22 @@
 with_items:
 - "admin"
 - "service"
+ - name: Get SSL cert location and permissions
+ stat:
+ path: "/etc/ssl/certs/keystone.pem"
+ register: keystone_ssl_cert_stats
+ - name: Check SSL cert location and permissions
+ fail:
+ msg: "Keystone SSL cert permissions don't match 0640"
+ when: keystone_ssl_cert_stats.stat.mode != "0640"
+ - name: Get SSL key location and permissions
+ stat:
+ path: "/etc/ssl/private/keystone.key"
+ register: keystone_ssl_key_stats
+ - name: Check SSL key location and permissions
+ fail:
+ msg: "Keystone SSL key permissions don't match 0640"
+ when: keystone_ssl_key_stats.stat.mode != "0640"
+
 vars_files:
 - test-vars.yml
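Review bot: The "Store ssl key" slurp and the "Register a fact for the cert and key" set_fact run without `no_log: true`, so the registered `_keystone_ssl_key.content` (the base64-encoded private key) is printed in verbose runs and captured by any callback or logging plugin that records task results; add `no_log: true` to both tasks (the cert task can stay loggable). Exporting the key as a plain host fact also makes it readable through `hostvars` from every play that reaches this host, which is what the distribute task relies on, so a comment above the set_fact stating that intent, e.g. `# Exposed via hostvars so keystone_ssl_key_distribute.yml can copy the pair to the other keystone hosts`, would help the next maintainer.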
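Review bot: Both new `fail` tasks dereference `stat.mode` without first checking `stat.exists`, so a missing key or cert aborts the play with an undefined-attribute error instead of the intended message; use `when: not keystone_ssl_key_stats.stat.exists or keystone_ssl_key_stats.stat.mode != "0640"` (and the same for the cert) and mention existence in `msg`. Owner and group, which the role now sets explicitly, are not asserted at all; the stat result's `pw_name` and `gr_name` can be compared against the keystone user and group. The paths are hard-coded rather than taken from `keystone_ssl_key` and `keystone_ssl_cert`, so the test silently diverges from the role if those defaults move.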
diff --git a/tests/test-vars.yml b/tests/test-vars.yml
index e8e40e79..382145ea 100644
--- a/tests/test-vars.yml
+++ b/tests/test-vars.yml
@@ -28,6 +28,7 @@ keystone_rabbitmq_password: "secrete"
 keystone_rabbitmq_port: 5671
 keystone_rabbitmq_servers: 10.100.100.2
 keystone_rabbitmq_use_ssl: true
+keystone_ssl: true
 keystone_rabbitmq_userid: keystone
 keystone_rabbitmq_vhost: /keystone
 keystone_requirements_git_install_branch: master
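Review bot: `keystone_ssl: true` is inserted between `keystone_rabbitmq_use_ssl` and `keystone_rabbitmq_userid`, breaking the alphabetical order the surrounding keys keep. Placing it after `keystone_requirements_git_install_branch` keeps the block scannable and avoids it being mistaken for a rabbitmq setting.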