If you see an error opening the signing key file, it's possible the person who ran keystone-manage pki_setup to generate certificates and keys isn't using the correct user. When you run keystone-manage pki_setup, keystone generates a set of certificates and keys in /etc/keystone/ssl* which is owned by root:root.
This is problematic when trying to then run the Keystone daemon under the 'keystone' user account (nologin) when trying to run PKI. Unless you manually chown the files keystone:keystone or run keystone-manage pki_setup with --keystone-user and --keystone-group you'll get an error like this:
2012-07-31 11:10:53 ERROR [keystone.common.cms] Error opening signing key file /etc/keystone/ssl/private/signing_key.pem
140380567730016:error:0200100D:system library:fopen:Permission denied:bss_file.c:398:fopen('/etc/keystone/ssl/private/signing_key.pem','r')
140380567730016:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load signing key file