diff --git a/doc/source/configuration/settings.rst b/doc/source/configuration/settings.rst index 8220bafdf0..7e28a76608 100644 --- a/doc/source/configuration/settings.rst +++ b/doc/source/configuration/settings.rst @@ -1346,18 +1346,6 @@ The full URL for the Keystone endpoint used for authentication. Unless you are using HTTPS, running your Keystone server on a nonstandard port, or using a nonstandard URL scheme you shouldn't need to touch this setting. -OPENSTACK_TOKEN_HASH_ALGORITHM -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -.. versionadded:: 2014.2(Juno) - -Default: ``"md5"`` - -The hash algorithm to use for authentication tokens. This must match the hash -algorithm that the identity (Keystone) server and the auth_token middleware -are using. Allowed values are the algorithms supported by Python's hashlib -library. - PASSWORD_EXPIRES_WARNING_THRESHOLD_DAYS ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/openstack_auth/tests/data_v3.py b/openstack_auth/tests/data_v3.py index 366b9d8f6d..81429efbf8 100644 --- a/openstack_auth/tests/data_v3.py +++ b/openstack_auth/tests/data_v3.py @@ -17,7 +17,6 @@ import uuid from django.utils import datetime_safe from keystoneauth1.access import access from keystoneauth1.access import service_catalog -from keystoneclient.common import cms from keystoneclient.v3 import domains from keystoneclient.v3 import projects from keystoneclient.v3 import roles @@ -55,8 +54,7 @@ class TestResponse(requests.Response): return self._text -def generate_test_data(pki=False, service_providers=False, - endpoint='localhost'): +def generate_test_data(service_providers=False, endpoint='localhost'): '''Builds a set of test_data data as returned by Keystone V2.''' test_data = TestDataContainer() 
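Review bot: Removing `pki` from the front of `generate_test_data`'s parameter list moves `service_providers` into the first positional slot, so a leftover caller written as `generate_test_data(True)` would silently start building service-provider data, while one still passing `pki=...` fails with a `TypeError`. The only caller visible in this diff is the deleted `UserTestCase.setUp`, so the remaining call sites in the test suite should be checked and, where they pass arguments positionally, switched to `generate_test_data(service_providers=True)`. Since the signature line is being touched anyway, the docstring under it still reads "as returned by Keystone V2" although the file is `data_v3.py`; if that is stale, `'''Builds a set of test data as returned by Keystone V3.'''` would be more accurate. The function body continues past the end of this hunk.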
@@ -179,12 +177,7 @@ def generate_test_data(pki=False, service_providers=False, # Tokens tomorrow = datetime_safe.datetime.now() + datetime.timedelta(days=1) expiration = datetime_safe.datetime.isoformat(tomorrow) - if pki: - # We don't need a real PKI token, but just the prefix to make the - # keystone client treat it as a PKI token - auth_token = cms.PKI_ASN1_PREFIX + uuid.uuid4().hex - else: - auth_token = uuid.uuid4().hex + auth_token = uuid.uuid4().hex auth_response_headers = { 'X-Subject-Token': auth_token diff --git a/openstack_auth/tests/unit/test_user.py b/openstack_auth/tests/unit/test_user.py index d088fe5893..9ad14ea5ac 100644 --- a/openstack_auth/tests/unit/test_user.py +++ b/openstack_auth/tests/unit/test_user.py @@ -14,7 +14,6 @@ from django import test import mock -from openstack_auth.tests import data_v3 from openstack_auth import user @@ -37,17 +36,3 @@ class PermTestCase(test.TestCase): # perm1 AND (perm2 OR perm3) perm_list = ['perm1', ('perm2', 'perm3')] self.assertTrue(testuser.has_perms(perm_list)) - - -class UserTestCase(test.TestCase): - - def setUp(self): - super(UserTestCase, self).setUp() - self.data = data_v3.generate_test_data(pki=True) - - def test_unscoped_token_is_none(self): - created_token = user.Token(self.data.domain_scoped_access_info, - unscoped_token=None) - self.assertTrue(created_token._is_pki_token( - self.data.domain_scoped_access_info.auth_token)) - self.assertFalse(created_token._is_pki_token(None)) diff --git a/openstack_auth/user.py b/openstack_auth/user.py index e5e3283709..4a5928a0a7 100644 --- a/openstack_auth/user.py +++ b/openstack_auth/user.py @@ -12,14 +12,11 @@ # limitations under the License. import datetime -import hashlib import logging -from django.conf import settings from django.contrib.auth import models from django.db import models as db_models from keystoneauth1 import exceptions as keystone_exceptions -from keystoneclient.common import cms as keystone_cms import six from openstack_auth import utils 
@@ -97,17 +94,6 @@ class Token(object): # Token-related attributes self.id = auth_ref.auth_token self.unscoped_token = unscoped_token - if self._is_pki_token(self.id): - algorithm = getattr(settings, 'OPENSTACK_TOKEN_HASH_ALGORITHM', - 'md5') - hasher = hashlib.new(algorithm) - hasher.update(self.id.encode('utf-8')) - self.id = hasher.hexdigest() - # Only hash unscoped token if needed - if self._is_pki_token(self.unscoped_token): - hasher = hashlib.new(algorithm) - hasher.update(self.unscoped_token.encode('utf-8')) - self.unscoped_token = hasher.hexdigest() self.expires = auth_ref.expires # Project-related attributes @@ -131,13 +117,6 @@ class Token(object): self.roles = [{'name': role} for role in auth_ref.role_names] self.serviceCatalog = auth_ref.service_catalog.catalog - def _is_pki_token(self, token): - """Determines if this is a pki-based token (pki or pkiz)""" - if token is None: - return False - return (keystone_cms.is_ans1_token(token) or - keystone_cms.is_pkiz(token)) - class User(models.AbstractBaseUser, models.AnonymousUser): """A User class with some extra special sauce for Keystone. diff --git a/openstack_dashboard/local/local_settings.py.example b/openstack_dashboard/local/local_settings.py.example index ba36ff1b95..6f366096c6 100644 --- a/openstack_dashboard/local/local_settings.py.example +++ b/openstack_dashboard/local/local_settings.py.example 
@@ -795,12 +795,6 @@ SECURITY_GROUP_RULES = { # See Metadata Definitions on: # https://docs.openstack.org/glance/latest/user/glancemetadefcatalogapi.html -# The hash algorithm to use for authentication tokens. This must -# match the hash algorithm that the identity server and the -# auth_token middleware are using. Allowed values are the -# algorithms supported by Python's hashlib library. -#OPENSTACK_TOKEN_HASH_ALGORITHM = 'md5' - # AngularJS requires some settings to be made available to # the client side. Some settings are required by in-tree / built-in horizon # features. These settings must be added to REST_API_REQUIRED_SETTINGS in the diff --git a/releasenotes/notes/drop-pki-token-d8bc4d665887aedf.yaml b/releasenotes/notes/drop-pki-token-d8bc4d665887aedf.yaml new file mode 100644 index 0000000000..2c5ff109a9 --- /dev/null +++ b/releasenotes/notes/drop-pki-token-d8bc4d665887aedf.yaml @@ -0,0 +1,10 @@ +--- +upgrade: + - | + PKI token support has been dropped from horizon. PKI token was removed + from keystone in Ocata release which was released two years ago. + It is a good timing to drop its support. + + ``OPENSTACK_TOKEN_HASH_ALGORITHM`` setting was removed because it was + used only for PKI token check. Unless you use PKI token before upgrading, + there is no affect and you can safely drop it from your local_settings.py.