Document URL: https://access.redhat.com/site/documentation//en-US/Red_Hat_OpenStack/3/html/Installation_and_Configuration_Guide/Creating_the_Public_Key_Infrastructure_Files.html Section Number and Name: 5.4.3.2. Creating the Public Key Infrastructure Files Describe the issue: keystone-manage pki_setup is run as root. This results in the /var/log/keystone/keystone.log being created and owned by root. As a result when the openstack-keystone service is started it comes up as OK but silently fails in he background: [root@localhost ~]# service openstack-keystone start Starting keystone: [ OK ] [root@localhost ~]# service openstack-keystone status keystone dead but pid file exists [root@localhost ~]# tail /var/log/keystone/keystone.log [root@localhost ~]# This isn't immediately apparent to the user until the attempt to create the service: # keystone service-create --name=keystone --type=identity \ > --description="Keystone Identity Service" [Errno 111] Connection refused Suggestions for improvement: Run keystone-manager pki_setup as the keystone user: su keystone -s /bin/sh -c "keystone-manage pki_setup --keystone-user=keystone --keystone-group=keystone" Workaround: Remove /var/log/keystone/keystone.log or change ownership to keystone user.