diff --git a/docs/source/configuration/pki-catalog.rst b/docs/source/configuration/pki-catalog.rst
index 2c10dc72..2d3dc3b3 100644
--- a/docs/source/configuration/pki-catalog.rst
+++ b/docs/source/configuration/pki-catalog.rst
@@ -1,7 +1,7 @@
 PKI Catalog
 ===========
-Configuration for certificate generation in the cluster.
+Configuration for certificate and keypair generation in the cluster.
 Sample Document
diff --git a/promenade/control/validatedesign.py b/promenade/control/validatedesign.py
index 128737fd..fd9639a5 100644
--- a/promenade/control/validatedesign.py
+++ b/promenade/control/validatedesign.py
@@ -19,6 +19,7 @@ import falcon
 from promenade.config import Configuration
 from promenade.control import base
 from promenade import exceptions
+from promenade import policy
 from promenade import validation
 LOG = logging.getLogger(__name__)
@@ -46,10 +47,12 @@ class ValidateDesignResource(base.BaseResource):
 "code": status_code,
 })
+ @policy.ApiEnforcer('kubernetes_provisioner:post_validatedesign')
 def on_post(self, req, resp):
 href = req.get_param('href', required=True)
 try:
- config = Configuration.from_design_ref(href)
+ config = Configuration.from_design_ref(
+ href, allow_missing_substitutions=False)
 validation.check_design(config)
 msg = "Promenade validations succeeded"
 return self._return_msg(resp, falcon.HTTP_200, message=msg)
diff --git a/promenade/exceptions.py b/promenade/exceptions.py
index 37a17bb4..eac443e1 100644
--- a/promenade/exceptions.py
+++ b/promenade/exceptions.py
@@ -196,7 +196,7 @@ class PromenadeException(Exception):
 @staticmethod
 def _gen_ex_message(title, description):
 ttl = title or 'Exception'
- dsc = description or 'No additional decsription'
+ dsc = description or 'No additional description'
 return '{} : {}'.format(ttl, dsc)
 @staticmethod
diff --git a/promenade/options.py b/promenade/options.py
index 9d528423..2d86f871 100644
--- a/promenade/options.py
+++ b/promenade/options.py
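Review bot: `on_post` still hands the caller-supplied `href` straight to `Configuration.from_design_ref` with no restriction on where it may point; the new `ApiEnforcer` limits who may call the endpoint, but judging by the `join-nodes.sh` change in this same commit, which passes `http://` and `deckhand+http://` hrefs, the server fetches whatever location the caller names. If `from_design_ref` (outside this hunk) does not already restrict the scheme or host, that is worth stating at the call site, e.g. `# href is fetched server-side; access is gated by policy, not by validating the location`. The `allow_missing_substitutions=False` argument also deserves a one-line why-comment, since the reason validation must reject missing substitutions is not stated anywhere in the change. The `except` clauses of this `try` lie outside the hunk.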
@@ -4,30 +4,10 @@ import keystoneauth1.loading
 OPTIONS = []
-def setup(disable=None):
- if disable is None:
- disable = []
- else:
- disable = disable.split()
-
- for name, func in GROUPS.items():
- if name not in disable:
- func()
-
+def setup(disable_keystone=False):
 cfg.CONF([], project='promenade')
-
-
-def register_application():
 cfg.CONF.register_opts(OPTIONS)
-
-
-def register_keystone_auth():
- cfg.CONF.register_opts(
- keystoneauth1.loading.get_auth_plugin_conf_options('password'),
- group='keystone_authtoken')
-
-
-GROUPS = {
- 'promenade': register_application,
- 'keystone': register_keystone_auth,
-}
+ if disable_keystone is False:
+ cfg.CONF.register_opts(
+ keystoneauth1.loading.get_auth_plugin_conf_options('password'),
+ group='keystone_authtoken')
diff --git a/promenade/policy.py b/promenade/policy.py
index 374a8fe7..cbf47ec5 100644
--- a/promenade/policy.py
+++ b/promenade/policy.py
@@ -35,6 +35,12 @@ POLICIES = [
 'path': '/api/v1.0/join-scripts',
 'method': 'GET'
 }]),
+ op.DocumentedRuleDefault('kubernetes_provisioner:post_validatedesign',
+ 'role:admin', 'Validate documents',
+ [{
+ 'path': '/api/v1.0/validatedesign',
+ 'method': 'POST'
+ }]),
 ]
diff --git a/promenade/promenade.py b/promenade/promenade.py
index 1fbebd17..3a26f869 100644
--- a/promenade/promenade.py
+++ b/promenade/promenade.py
@@ -17,8 +17,8 @@ from promenade import logging
 from promenade import policy
-def start_promenade(disable=""):
- options.setup(disable=disable)
+def start_promenade(disable=False):
+ options.setup(disable_keystone=disable)
 # Setup root logger
 logging.setup(verbose=True)
diff --git a/tools/g2/stages/join-nodes.sh b/tools/g2/stages/join-nodes.sh
index 928426ad..ee159485 100755
--- a/tools/g2/stages/join-nodes.sh
+++ b/tools/g2/stages/join-nodes.sh
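Review bot: `if disable_keystone is False:` in the new `setup` registers the keystone options only when the caller passes the literal `False`; `disable_keystone=None` (a typical argparse default) would silently skip the `keystone_authtoken` group, and an old-style string such as the one the removed `disable.split()` code accepted would register it regardless of intent, since `start_promenade` in `promenade/promenade.py` forwards whatever it receives. A truthiness test, `if not disable_keystone:`, matches the boolean meaning of the parameter and degrades predictably for those inputs. Because the keyword also changed from `disable` to `disable_keystone`, a short docstring saying that `disable_keystone=True` skips registering the `keystone_authtoken` option group would help callers migrating. The function is fully visible in the hunk.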
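Review bot: `start_promenade(disable=False)` keeps the generic name `disable` while its meaning changes from a space-separated list of option groups to a single boolean that only controls keystone, and nothing here rejects a caller still passing the old string form. Renaming the parameter would break keyword callers, so the change should at least be documented: a docstring such as `"""Configure options and logging for the API; disable=True skips the keystone_authtoken option group."""` on the new `def` line. The rest of the function body lies outside the hunk.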
@@ -73,6 +73,17 @@ render_curl_url() {
 echo "${BASE_URL}?${DESIGN_REF}&${HOST_PARAMS}${LABEL_PARAMS}"
 }
+render_validate_url() {
+ BASE_URL="${BASE_PROM_URL}/api/v1.0/validatedesign"
+ if [[ ${USE_DECKHAND} == 1 ]]; then
+ HREF="href=deckhand%2Bhttp://deckhand-int.ucp.svc.cluster.local:9000/api/v1.0/revisions/${DECKHAND_REVISION}/rendered-documents"
+ else
+ HREF="href=${NGINX_URL}/promenade.yaml"
+ fi
+
+ echo "${BASE_URL}?${HREF}"
+}
+
 mkdir -p "${SCRIPT_DIR}"
 for NAME in "${NODES[@]}"; do
@@ -102,6 +113,9 @@ for NAME in "${NODES[@]}"; do
 sleep 10
 done
+ log "Validating documents"
+ ssh_cmd "${VIA}" curl -v "${CURL_ARGS[@]}" -X POST "$(render_validate_url)"
+
 JOIN_CURL_URL="$(render_curl_url "${NAME}" "${LABELS[@]}")"
 log "Fetching join script via: ${JOIN_CURL_URL}"
 ssh_cmd "${VIA}" curl "${CURL_ARGS[@]}" \
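Review bot: `render_validate_url` assigns `BASE_URL` and `HREF` without `local`, so both leak into the script's global scope; the `render_curl_url` function just above also echoes a `BASE_URL`, so a change in call order could make one helper see the other's value. Declaring `local BASE_URL HREF` as the first line of the function keeps the two helpers independent. The deckhand endpoint is hard-coded here as `deckhand-int.ucp.svc.cluster.local:9000`; if `render_curl_url` builds the same address, sharing one variable would keep them in step, but its body lies mostly outside the hunk.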
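Review bot: the result of the new validation call is never checked: `curl -v` without `--fail` exits 0 on an HTTP error status and nothing inspects the returned body, so a rejected design does not stop the stage and the loop goes on to fetch the join script. Using `ssh_cmd "${VIA}" curl -sS --fail "${CURL_ARGS[@]}" -X POST "$(render_validate_url)"` would make a non-2xx validation response fail the step, assuming the API returns such a status on failure (the failure branch of `on_post` is outside this diff) and the script's error handling propagates it. Dropping `-v` also matters if `CURL_ARGS` carries an authentication header, since verbose mode prints the request headers into the stage log.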