diff --git a/packstack/plugins/keystone_100.py b/packstack/plugins/keystone_100.py
index fdedb66de..39dfe3ea5 100644
--- a/packstack/plugins/keystone_100.py
+++ b/packstack/plugins/keystone_100.py
@@ -104,6 +104,19 @@ def initConfig(controller):
          "USE_DEFAULT": True,
          "NEED_CONFIRM": False,
          "CONDITION": False},
+
+        {"CMD_OPTION": "keystone-service-name",
+         "USAGE": "Name of service to use to run keystone (keystone or httpd)",
+         "PROMPT": "Enter the Keystone service name.",
+         "OPTION_LIST": ['keystone', 'httpd'],
+         "VALIDATORS": [validators.validate_options],
+         "DEFAULT_VALUE": "keystone",
+         "MASK_INPUT": False,
+         "LOOSE_VALIDATION": False,
+         "CONF_NAME": 'CONFIG_KEYSTONE_SERVICE_NAME',
+         "USE_DEFAULT": True,
+         "NEED_CONFIRM": False,
+         "CONDITION": False},
     ]
     group = {"GROUP_NAME": "KEYSTONE",
              "DESCRIPTION": "Keystone Config parameters",
diff --git a/packstack/puppet/modules/packstack/manifests/apache_common.pp b/packstack/puppet/modules/packstack/manifests/apache_common.pp
new file mode 100644
index 000000000..dd1007c01
--- /dev/null
+++ b/packstack/puppet/modules/packstack/manifests/apache_common.pp
@@ -0,0 +1,26 @@
+# Code common to all classes that use Apache
+#
+# This allows multiple modules to safely use ::apache without
+# overwriting existing config or the ports file.
+#
+# Any module that uses apache must include this class
+#   include packstack_apache_common
+class packstack::apache_common {
+  include ::apache::params
+  # make sure the include ::apache in the module
+  # does not overwrite the contents of the config dirs
+  # from a previous module
+  if $::apache::params::confd_dir {
+    File<| title == $::apache::params::confd_dir |> {
+      purge => false,
+    }
+  }
+  # make sure the ports.conf concat fragments from previous
+  # runs are not overwritten by subsequent runs
+  include ::concat::setup
+  $my_safe_name = regsubst($::apache::params::ports_file, '[/:]', '_', 'G')
+  $my_fragdir = "${concat::setup::concatdir}/${my_safe_name}"
+  File<| title == "${my_fragdir}/fragments" |> {
+    purge => false,
+  }
+}
diff --git a/packstack/puppet/templates/horizon.pp b/packstack/puppet/templates/horizon.pp
index 867874fcd..270039284 100644
--- a/packstack/puppet/templates/horizon.pp
+++ b/packstack/puppet/templates/horizon.pp
@@ -1,4 +1,4 @@
-include concat::setup
+include packstack::apache_common
 
 $horizon_packages = ["python-memcached", "python-netaddr"]
 
diff --git a/packstack/puppet/templates/keystone.pp b/packstack/puppet/templates/keystone.pp
index fcec1f576..9d25f4254 100644
--- a/packstack/puppet/templates/keystone.pp
+++ b/packstack/puppet/templates/keystone.pp
@@ -1,3 +1,4 @@
+$keystone_use_ssl = false
 
 class {"keystone":
     admin_token => "%(CONFIG_KEYSTONE_ADMIN_TOKEN)s",
@@ -6,6 +7,15 @@ class {"keystone":
     verbose => true,
     debug => %(CONFIG_DEBUG_MODE)s,
     mysql_module => '2.2',
+    service_name => '%(CONFIG_KEYSTONE_SERVICE_NAME)s',
+    enable_ssl => $keystone_use_ssl,
+}
+
+if '%(CONFIG_KEYSTONE_SERVICE_NAME)s' == 'httpd' {
+  include packstack::apache_common
+  class {"keystone::wsgi::apache":
+    ssl => $keystone_use_ssl,
+  }
 }
 
 class {"keystone::roles::admin":
diff --git a/packstack/puppet/templates/nagios_server.pp b/packstack/puppet/templates/nagios_server.pp
index 54f732073..68ab5af8e 100644
--- a/packstack/puppet/templates/nagios_server.pp
+++ b/packstack/puppet/templates/nagios_server.pp
@@ -1,3 +1,5 @@
+include packstack::apache_common
+
 package{['nagios', 'nagios-plugins-nrpe']:
     ensure => present,
     before => Class['nagios_configs']
@@ -63,11 +65,7 @@ class{'nagios_configs':
     notify => [Service['nagios'], Service['httpd']],
 }
 
-include concat::setup
-
-class {'apache':
-    purge_configs => false,
-}
+include ::apache
 class {'apache::mod::php': }
 
 service{['nagios']:
@@ -81,8 +79,3 @@ firewall { '001 nagios incoming':
     dport    => ['80'],
     action   => 'accept',
 }
-
-# ensure that we won't stop listening on 443 if horizon has ssl enabled
-if %(CONFIG_HORIZON_SSL)s {
-    apache::listen { '443': }
-}
diff --git a/packstack/puppet/templates/prescript.pp b/packstack/puppet/templates/prescript.pp
index d6d37dddd..730af9748 100644
--- a/packstack/puppet/templates/prescript.pp
+++ b/packstack/puppet/templates/prescript.pp
@@ -1,4 +1,9 @@
 include firewall
+# This does the initial apache setup for all components that
+# require apache/httpd.
+# Other packstack components that use apache should do
+#   include packstack_apache_common
+include ::apache
 
 $el_releases = ['RedHat', 'CentOS', 'Scientific']