diff --git a/ansible/roles/keystone/defaults/main.yml b/ansible/roles/keystone/defaults/main.yml
index e07bda1304e3891526f48f1eb190fafe1f795abc..cb4aa206b3098808becbf07809b45b00d80ac77d 100644
--- a/ansible/roles/keystone/defaults/main.yml
+++ b/ansible/roles/keystone/defaults/main.yml
@@ -59,6 +59,7 @@ keystone_services:
       - "kolla_logs:/var/log/kolla/"
       - "keystone_fernet_tokens:/etc/keystone/fernet-keys"
     dimensions: "{{ keystone_fernet_dimensions }}"
+    healthcheck: "{{ keystone_fernet_healthcheck }}"
 
 ####################
 # Database
@@ -123,6 +124,19 @@ keystone_ssh_healthcheck:
   test: "{% if keystone_ssh_enable_healthchecks | bool %}{{ keystone_ssh_healthcheck_test }}{% else %}NONE{% endif %}"
   timeout: "{{ keystone_ssh_healthcheck_timeout }}"
 
+keystone_fernet_enable_healthchecks: "{{ enable_container_healthchecks }}"
+keystone_fernet_healthcheck_interval: "{{ default_container_healthcheck_interval }}"
+keystone_fernet_healthcheck_retries: "{{ default_container_healthcheck_retries }}"
+keystone_fernet_healthcheck_start_period: "{{ default_container_healthcheck_start_period }}"
+keystone_fernet_healthcheck_test: ["CMD-SHELL", "/usr/bin/fernet-healthcheck.sh"]
+keystone_fernet_healthcheck_timeout: "{{ default_container_healthcheck_timeout }}"
+keystone_fernet_healthcheck:
+  interval: "{{ keystone_fernet_healthcheck_interval }}"
+  retries: "{{ keystone_fernet_healthcheck_retries }}"
+  start_period: "{{ keystone_fernet_healthcheck_start_period }}"
+  test: "{% if keystone_fernet_enable_healthchecks | bool %}{{ keystone_fernet_healthcheck_test }}{% else %}NONE{% endif %}"
+  timeout: "{{ keystone_fernet_healthcheck_timeout }}"
+
 keystone_default_volumes:
   - "{{ node_config_directory }}/keystone/:{{ container_config_directory }}/:ro"
   - "/etc/localtime:/etc/localtime:ro"
diff --git a/ansible/roles/keystone/tasks/config.yml b/ansible/roles/keystone/tasks/config.yml
index bec1350a343a62a459388ddb85758abce3acd12d..ffccd79023886a91b05e49a088eb89a601204f39 100644
--- a/ansible/roles/keystone/tasks/config.yml
+++ b/ansible/roles/keystone/tasks/config.yml
@@ -223,6 +223,7 @@
     - { src: "fernet-rotate.sh.j2", dest: "fernet-rotate.sh" }
     - { src: "fernet-node-sync.sh.j2", dest: "fernet-node-sync.sh" }
     - { src: "fernet-push.sh.j2", dest: "fernet-push.sh" }
+    - { src: "fernet-healthcheck.sh.j2", dest: "fernet-healthcheck.sh" }
     - { src: "id_rsa", dest: "id_rsa" }
     - { src: "ssh_config.j2", dest: "ssh_config" }
   when:
diff --git a/ansible/roles/keystone/templates/fernet-healthcheck.sh.j2 b/ansible/roles/keystone/templates/fernet-healthcheck.sh.j2
new file mode 100644
index 0000000000000000000000000000000000000000..29c71bd322626ab41159d510d00a1ad730c419de
--- /dev/null
+++ b/ansible/roles/keystone/templates/fernet-healthcheck.sh.j2
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+set -o errexit
+set -o pipefail
+
+(/usr/bin/fernet-node-sync.sh --check && /usr/bin/fernet-push.sh --check) || exit 1
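Review bot: The health of this container ends up depending on every peer, because `fernet-push.sh --check` (changed later in this commit) runs an `rsync --dry-run` over SSH to each other keystone host. A single unreachable peer would therefore appear to mark the remaining fernet containers unhealthy, and every healthcheck interval produces key-based SSH logins in the peers' auth logs. No connect timeout is visible on the ssh command line, so a hung peer may hit the container healthcheck timeout instead of failing cleanly; the referenced ssh config is not shown here and may already set one. Consider adding `-o ConnectTimeout=<seconds>` on the check path, plus a header comment such as `# Healthy when key 0 exists with keystone:keystone ownership and all peers accept an rsync dry run`.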
diff --git a/ansible/roles/keystone/templates/fernet-node-sync.sh.j2 b/ansible/roles/keystone/templates/fernet-node-sync.sh.j2
index 4293a807d85dca5e63afc2659dc78eeacaf01726..27a1b497f97db8ff8b1886c8cb2d4d850da2f7f6 100644
--- a/ansible/roles/keystone/templates/fernet-node-sync.sh.j2
+++ b/ansible/roles/keystone/templates/fernet-node-sync.sh.j2
@@ -1,19 +1,29 @@
-#!/bin/bash
+!/bin/bash
 
 set -o errexit
 set -o pipefail
 
-# Ensure tokens are populated, check for 0 key which should always exist
-n=0
-while [ ! -f /etc/keystone/fernet-keys/0 ]; do
-    if [ $n -lt 10 ]; then
-        n=$(( n + 1 ))
-        echo "ERROR: Fernet tokens have not been populated, rechecking in 1 minute"
-        echo "DEBUG: /etc/keystone/fernet-keys contents:"
-        ls -l /etc/keystone/fernet-keys/
-        sleep 60
+if [ ! -z "$1" ] && [ "$1" == "--check" ]; then
+    if [ -f /etc/keystone/fernet-keys/0 ]; then
+        if [[ $(stat -c %U:%G /etc/keystone/fernet-keys/0) != "keystone:keystone" ]]; then
+            exit 1
+        fi
     else
-        echo "CRITICAL: Waited for 10 minutes - failing"
         exit 1
     fi
-done
+else
+    # Ensure tokens are populated, check for 0 key which should always exist
+    n=0
+    while [ ! -f /etc/keystone/fernet-keys/0 ]; do
+        if [ $n -lt 10 ]; then
+            n=$(( n + 1 ))
+            echo "ERROR: Fernet tokens have not been populated, rechecking in 1 minute"
+            echo "DEBUG: /etc/keystone/fernet-keys contents:"
+            ls -l /etc/keystone/fernet-keys/
+            sleep 60
+        else
+            echo "CRITICAL: Waited for 10 minutes - failing"
+            exit 1
+        fi
+    done
+fi
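Review bot: The first line on the new side reads `!/bin/bash`; the `#` of the shebang was dropped, which looks accidental. Without an interpreter line the script cannot be exec'd directly, and where a calling shell falls back to interpreting it, that first line runs as a command before `set -o errexit` is in effect. Restore `#!/bin/bash`. Separately, the `--check` branch compares only the owner and group of key `0`; if the aim is to catch a key repository in an unsafe state, checking the file mode as well may be worthwhile. The `[ ! -z "$1" ] &&` guard is also redundant next to the `==` comparison.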
diff --git a/ansible/roles/keystone/templates/fernet-push.sh.j2 b/ansible/roles/keystone/templates/fernet-push.sh.j2
index 5aeda018fcdcc13562452efd7c647124dbbd3f99..2b0ee6fac23704121619f4a029a9cfbfcdc2afec 100644
--- a/ansible/roles/keystone/templates/fernet-push.sh.j2
+++ b/ansible/roles/keystone/templates/fernet-push.sh.j2
@@ -3,8 +3,24 @@
 set -o errexit
 set -o pipefail
 
+if [ ! -z "$1" ] && [ "$1" == "--check" ]; then
+{% if groups['keystone'] | length > 1 %}
+{% for host in groups['keystone'] %}
+{% if inventory_hostname != host %}
+/usr/bin/rsync --dry-run -az -e 'ssh -i /var/lib/keystone/.ssh/id_rsa -p {{ hostvars[host]['keystone_ssh_port'] }} -F /var/lib/keystone/.ssh/config' --delete /etc/keystone/fernet-keys/ keystone@{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:/etc/keystone/fernet-keys
+{% endif %}
+{% endfor %}
+{% else %}
+echo "No additional keystone-server where fernet keys could be rsynced."
+{% endif %}
+else
+{% if groups['keystone'] | length > 1 %}
 {% for host in groups['keystone'] %}
 {% if inventory_hostname != host %}
 /usr/bin/rsync -az -e 'ssh -i /var/lib/keystone/.ssh/id_rsa -p {{ hostvars[host]['keystone_ssh_port'] }} -F /var/lib/keystone/.ssh/config' --delete /etc/keystone/fernet-keys/ keystone@{{ 'api' | kolla_address(host) | put_address_in_context('url') }}:/etc/keystone/fernet-keys
 {% endif %}
 {% endfor %}
+{% else %}
+echo "No additional keystone-server where fernet keys could be rsynced."
+{% endif %}
+fi
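Review bot: The `--check` and normal branches repeat the whole Jinja loop and the rsync command line, differing only in `--dry-run`, so a later change to the ssh options or destination path can silently diverge between what the healthcheck tests and what the real push does. A single loop with a flag keeps them identical: set `DRY_RUN=""` at the top, then `if [ "$1" == "--check" ]; then DRY_RUN="--dry-run"; fi`, and call `/usr/bin/rsync ${DRY_RUN} -az -e '…' --delete …` once inside the existing `{% for %}`. The single-host `echo` fallback can then also appear once.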
diff --git a/ansible/roles/keystone/templates/keystone-fernet.json.j2 b/ansible/roles/keystone/templates/keystone-fernet.json.j2
index 2486a59e84e08fe25f529ff40ab453fa0ffa7e26..208e0dd9227015a2e89bfa2cd841ca186f75026d 100644
--- a/ansible/roles/keystone/templates/keystone-fernet.json.j2
+++ b/ansible/roles/keystone/templates/keystone-fernet.json.j2
@@ -49,6 +49,12 @@
             "dest": "/etc/keystone/{{ keystone_policy_file }}",
             "owner": "keystone",
             "perm": "0600"
+        }{% endif %}{% if keystone_fernet_enable_healthchecks | bool %},
+        {
+            "source": "{{ container_config_directory }}/fernet-healthcheck.sh",
+            "dest": "/usr/bin/fernet-healthcheck.sh",
+            "owner": "root",
+            "perm": "0755"
         }{% endif %}
     ],
     "permissions": [
diff --git a/releasenotes/notes/implement-docker-healthchecks-for-keystone-fernet-a63033e2b95ecb2f.yaml b/releasenotes/notes/implement-docker-healthchecks-for-keystone-fernet-a63033e2b95ecb2f.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..26b0b26337e201d9f5bef2667572438ae6d6f421
--- /dev/null
+++ b/releasenotes/notes/implement-docker-healthchecks-for-keystone-fernet-a63033e2b95ecb2f.yaml
@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    Implements container healthchecks for keystone-fernet container.
+    See `blueprint
+    <https://blueprints.launchpad.net/kolla-ansible/+spec/container-health-check>`__