I had some api authentication issues with old Grizzly (EOL as of now, https://wiki.openstack.org/wiki/Releases) installation, fortunately found some insights from http://www.blackmesh.com/blog/openstack-refusing-authentication-psh
Some useful commands
# openssl x509 -in /etc/keystone/ssl/certs/signing_cert.pem -enddate -noout
notAfter=Aug 21 03:38:40 2014 GMT
Following were my steps
# Backup /etc/keystone/ssl/certs
mv /etc/keystone/ssl/certs /etc/keystone/ssl/certs-backup
# Create folder, copy openssl.cnf
mkdir /etc/keystone/ssl/certs
cp /etc/keystone/ssl/certs-backup/openssl.cnf /etc/keystone/ssl/certs/.
#change default_days to 3650
vim /etc/keystone/ssl/certs/openssl.cnf
# run pki_setup
keystone-manage pki_setup
# set permissions
chown -R keystone:keystone /etc/keystone/ssl/certs/
# I found my key signing locations were bit different
# for nova-api it was /tmp/keystone-signing-nova
# backup and copy
cp /tmp/keystone-signing-nova/cacert.pem /tmp/keystone-signing-nova/cacert.pem-old
cp /tmp/keystone-signing-nova/signing_cert.pem /tmp/keystone-signing-nova/signing_cert.pem-old
# NOTE: ca.pem to cacert.pem
cp /etc/keystone/ssl/certs/ca.pem /tmp/keystone-signing-nova/cacert.pem
cp /etc/keystone/ssl/certs/signing_cert.pem /tmp/keystone-signing-nova/signing_cert.pem
# give permissoin
chown -R nova:nova /tmp/keystone-signing-nova
# for cinder it was /var/lib/cinder/
cp /var/lib/cinder/cacert.pem /var/lib/cinder/cacert.pem-old
cp /var/lib/cinder/signing_cert.pem /var/lib/cinder/signing_cert.pem-old
cp /etc/keystone/ssl/certs/ca.pem /var/lib/cinder/cacert.pem
cp /etc/keystone/ssl/certs/signing_cert.pem /var/lib/cinder/signing_cert.pem
chown cinder:cinder /var/lib/cinder/cacert.pem
chown cinder:cinder /var/lib/cinder/signing_cert.pem
#Restart the services
service openstack-keystone restart
service openstack-nova-api restart
service openstack-cinder-api restart
service openstack-glance-registry restart
service openstack-glance-api restart