diff --git a/tasks/keystone_credential_create.yml b/tasks/keystone_credential_create.yml
index f0fce59b..475f364b 100644
--- a/tasks/keystone_credential_create.yml
+++ b/tasks/keystone_credential_create.yml
@@ -80,22 +80,42 @@
 register: create_credential_keys
 when:
 - not _credential_keys.stat.exists
- - not drop_existing_credential_keys is changed
+ - not drop_existing_credential_keys is changed
-- name: Ensure newest key is used for credential in Keystone # noqa: no-changed-when
- command: >
- {{ keystone_bin }}/keystone-manage credential_migrate
- --keystone-user "{{ keystone_system_user_name }}"
- --keystone-group "{{ keystone_system_group_name }}"
- become: yes
- become_user: "{{ keystone_system_user_name }}"
+- name: Perform rotation and migration of credential keys
 when: create_credential_keys is skipped
+ block:
+ - name: Rotate credential keys for Keystone # noqa: no-changed-when
+ command: >
+ {{ keystone_bin }}/keystone-manage credential_rotate
+ --keystone-user "{{ keystone_system_user_name }}"
+ --keystone-group "{{ keystone_system_group_name }}"
+ become: yes
+ become_user: "{{ keystone_system_user_name }}"
+ # credential_rotate might fail in case any credential is not using current private key
+ # so in case it fails, we need to try perform the migraton and attempt rotation after that
+ rescue:
+ - name: Ensure newest key is used for credential in Keystone # noqa: no-changed-when
+ command: >
+ {{ keystone_bin }}/keystone-manage credential_migrate
+ --keystone-user "{{ keystone_system_user_name }}"
+ --keystone-group "{{ keystone_system_group_name }}"
+ become: yes
+ become_user: "{{ keystone_system_user_name }}"
-- name: Rotate credential keys for Keystone # noqa: no-changed-when
- command: >
- {{ keystone_bin }}/keystone-manage credential_rotate
- --keystone-user "{{ keystone_system_user_name }}"
- --keystone-group "{{ keystone_system_group_name }}"
- become: yes
- become_user: "{{ keystone_system_user_name }}"
- when: create_credential_keys is skipped
+ - name: Rotate credential keys for Keystone # noqa: no-changed-when
+ command: >
+ {{ keystone_bin }}/keystone-manage credential_rotate
+ --keystone-user "{{ keystone_system_user_name }}"
+ --keystone-group "{{ keystone_system_group_name }}"
+ become: yes
+ become_user: "{{ keystone_system_user_name }}"
+ always:
+ # Let's run migration at the end anyway, as we need it after successfull rotation.
+ - name: Ensure newest key is used for credential in Keystone # noqa: no-changed-when
+ command: >
+ {{ keystone_bin }}/keystone-manage credential_migrate
+ --keystone-user "{{ keystone_system_user_name }}"
+ --keystone-group "{{ keystone_system_group_name }}"
+ become: yes
+ become_user: "{{ keystone_system_user_name }}"
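Review bot: `become: yes` on the rotate and migrate tasks under `block:`, `rescue:` and `always:` is a YAML 1.1 truthy spelling that yamllint's truthy rule and ansible-lint flag; the Ansible convention for the new lines is `become: true`. The two explanatory comments added in the hunk also carry typos (`migraton` → `migration`, `successfull` → `successful`). The `rescue:` re-runs migration and rotation after any failure of `credential_rotate`, not only the un-migrated-credentials case the comment describes, and the first attempt is not registered, so when the second rotate fails for an unrelated reason (for example permissions on the key repository) the original error is no longer visible in the play output; adding `register: _credential_rotate` to the first task and surfacing it in the rescue would make a failed rotation easier to diagnose. The task that owns the `register: create_credential_keys` context line starts before the hunk.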