Prior to keystone, the user would get credentials via
nova-manage project zipfile
and in the zip file there was a pk.pem and a cert.pem file. These could then be used wherever there was a need for 'EC2_CERT' and 'EC2_PRIVATE_KEY' respectively.
In EC2, almost everything has moved to using the REST API, which does authentication via secret key and access key. The one set of tools that still needs the cert and private key path is the ec2-api-tools. The only functionality that I'm aware of that *depends* on those is bundle-image (ec2-bundle-image, euca-bundle-image).
In an OpenStack system set up to use keystone, there is no way to get a certificate and private key, and thus no way to publish an image via the bundle-image/upload-bundle path.