diff --git a/keystone/values.yaml b/keystone/values.yaml
index 730a9036c8..abe207572d 100644
--- a/keystone/values.yaml
+++ b/keystone/values.yaml
@@ -419,9 +419,10 @@ jobs:
 user: keystone
 group: keystone
 fernet_rotate:
- # NOTE(rk760n): key rotation frequency, token expiration, active keys should statisfy the formula
- # max_active_keys = (token_expiration / rotation_frequency) + 2
- # as expiration is 12h, and max_active_keys set to 3 by default, rotation_frequency need to be adjusted
+ # NOTE(rk760n): key rotation frequency, token expiration, active keys, and allow_expired_window should statisfy the formula
+ # max_active_keys = ((token_expiration + allow_expired_window) / rotation_frequency) + 2
+ # As expiration is 12h, max_active_keys is 7 and allow_expired_window is 48h by default,
+ # rotation_frequency need to be adjusted
 # 12 hours
 cron: "0 */12 * * *"
 user: keystone
@@ -540,6 +541,7 @@ conf:
 domain_config_dir: /etc/keystone/domains
 fernet_tokens:
 key_repository: /etc/keystone/fernet-keys/
+ max_active_keys: 7
 credential:
 key_repository: /etc/keystone/credential-keys/
 database:
diff --git a/releasenotes/notes/keystone-9bca09a40cc3dc68.yaml b/releasenotes/notes/keystone-9bca09a40cc3dc68.yaml
new file mode 100644
index 0000000000..bb40e46229
--- /dev/null
+++ b/releasenotes/notes/keystone-9bca09a40cc3dc68.yaml
@@ -0,0 +1,3 @@
+---
+fixes:
+ - Fix the number of max active fernet keys
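Review bot: The rewritten NOTE under fernet_rotate still carries the typo `statisfy` and the agreement error `rotation_frequency need to be adjusted`, and it states the relation as an equation even though, as far as I can tell from the Keystone fernet docs, extra active keys are harmless and only too few are a problem, so a lower bound reads more accurately. Suggest `# NOTE(rk760n): rotation frequency, token expiration, max_active_keys and allow_expired_window must satisfy`, `# max_active_keys >= ((token_expiration + allow_expired_window) / rotation_frequency) + 2`, and `# rotation_frequency needs to be adjusted`. The 12h expiration and 48h allow_expired_window quoted in the comment are not set anywhere in this diff, so the comment appears to rely on Keystone's built-in defaults; saying so explicitly (`# (Keystone defaults unless overridden in conf.keystone.token)`) would keep the note from going stale when an operator overrides either value.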
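Review bot: The new `max_active_keys: 7` under conf.keystone.fernet_tokens is derived from the `0 */12 * * *` rotation cron in jobs.fernet_rotate and from expiration/allow_expired_window values this diff does not set, but nothing next to the key records that coupling; an operator who shortens the rotation interval or lengthens either window will drop below the required count, and tokens signed with a key that has already been purged will start failing validation. Add `# NOTE: keep in sync with jobs.fernet_rotate.cron and the token expiration / allow_expired_window settings; see the formula in jobs.fernet_rotate` directly above the new line. If the chart exposes expiration or allow_expired_window elsewhere in values.yaml (outside this hunk), the note should name those keys too.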