
How do Openstack Keystone PKI certificates work?


Openstack Keystone PKI uses two certificates, as this document mentions: https://www.mirantis.com/blog/understanding-openstack-authentication-keystone-pki/ - the CA certificate and the signing certificate.

My understanding so far: Signing key is used to sign the user token while the signing certificate contains the corresponding public key and will be shared with the service endpoint to be used while decrypting the user token.

Is this correct? If so, what is the purpose of the CA certificate and the CA key?


Solution

  • I'd suggest the OpenStack documentation at http://docs.openstack.org/admin-guide-cloud/content/certificates-for-pki.html

    PKI stands for Public Key Infrastructure. Tokens are documents, cryptographically signed using the X509 standard. In order to work correctly token generation requires a public/private key pair. The public key must be signed in an X509 certificate, and the certificate used to sign it must be available as a Certificate Authority (CA) certificate.

    Tokens are both signed and verified. There's no decryption.

    The certificate and certificate authority used can be internal or external and how the cloud provider chooses to configure it is up to them.
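The two-certificate model the answer describes, as an added illustration that is not code from the question, the answer or Keystone itself: the signing key signs the token, the signing certificate (its public key) verifies that signature, and the CA certificate is what the verifying side uses to decide whether to trust the signing certificate at all. It is simplified to plain RSA/PKCS#1 v1.5 signatures instead of Keystone's CMS envelope, and all names, key sizes and the token body are constructed for the example.

```python
"""Two-certificate model behind Keystone PKI tokens (simplified).
Signing key -> signs token; signing cert -> verifies token signature;
CA cert -> verifies the signing cert. No decryption anywhere."""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding


def _make_cert(subject, issuer_name, issuer_key, public_key, is_ca):
    # Constructed fixed validity window; real deployments set their own.
    start = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer_name)
            .public_key(public_key).serial_number(x509.random_serial_number())
            .not_valid_before(start)
            .not_valid_after(start + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))


def build_pki(ca_cn="keystone-ca", signer_cn="keystone-signing"):
    """Self-signed CA plus a signing cert issued by that CA (names are assumptions)."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, ca_cn)])
    ca_cert = _make_cert(ca_name, ca_name, ca_key, ca_key.public_key(), True)
    signing_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    signer_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, signer_cn)])
    signing_cert = _make_cert(signer_name, ca_name, ca_key, signing_key.public_key(), False)
    return ca_cert, signing_key, signing_cert


def sign_token(signing_key, token_bytes):
    """Keystone side: the private signing key signs the token body."""
    return signing_key.sign(token_bytes, padding.PKCS1v15(), hashes.SHA256())


def cert_issued_by(cert, issuer_cert):
    """CA cert role: check that issuer_cert really signed cert."""
    try:
        issuer_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                        padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    return cert.issuer == issuer_cert.subject


def verify_token(token_bytes, signature, signing_cert, ca_cert):
    """Service endpoint side: trust the signing cert via the CA, then verify the token."""
    if not cert_issued_by(signing_cert, ca_cert):
        return False
    try:
        signing_cert.public_key().verify(signature, token_bytes, padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        return False
    return True
```

A signing certificate issued by some other CA fails `verify_token` even though its own signature over the token is valid, which is exactly the gap the CA certificate closes.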