diff --git a/tripleo_ansible/roles/octavia_controller_check/tasks/main.yml b/tripleo_ansible/roles/octavia_controller_check/tasks/main.yml index c86e29421..b4b541293 100644 --- a/tripleo_ansible/roles/octavia_controller_check/tasks/main.yml +++ b/tripleo_ansible/roles/octavia_controller_check/tasks/main.yml @@ -30,6 +30,19 @@ - name: Store CA data set_fact: ca_cert: "{{ ca_file_data.content | b64decode }}" + + - name: Get remaining validity period of the CA + shell: | + now=$(date +%s) + enddate=$(date +%s -d "$(openssl x509 -enddate -noout -in {{ octavia_confd_prefix }}/{{ ca_cert_path }} | cut -d= -f2)") + echo $((enddate - now)) + register: validity_period + + - name: Force CA update if remaining validity is less than 1 year + set_fact: + force_certs_update: true + when: + - (validity_period.stdout| int) < 31622400 # 31622400 seconds == 366 days when: - ca_file_stat.stat.exists | bool @@ -46,9 +59,20 @@ slurp: src: "{{ octavia_confd_prefix }}/{{ ca_private_key_path }}" register: key_file_data - - name: Store CA data + - name: Store CA private key set_fact: ca_private_key: "{{ key_file_data.content | b64decode }}" + + - name: Detect if key is encrypted with AES256 + shell: grep -q 'AES-256-CBC' {{ octavia_confd_prefix }}/{{ ca_private_key_path }} + failed_when: false + register: ca_private_key_aes_256 + - name: Store flag if a private key update is required + set_fact: + force_private_key_update: true + force_certs_update: true + when: + - ca_private_key_aes_256.rc != 0 when: - ca_key_file_stat.stat.exists | bool diff --git a/tripleo_ansible/roles/octavia_overcloud_config/tasks/certs_gen.yml b/tripleo_ansible/roles/octavia_overcloud_config/tasks/certs_gen.yml index b410f47ac..d41b028b7 100644 --- a/tripleo_ansible/roles/octavia_overcloud_config/tasks/certs_gen.yml +++ b/tripleo_ansible/roles/octavia_overcloud_config/tasks/certs_gen.yml 
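Review bot: The "Get remaining validity period of the CA" task can never fail, because the exit status of the `shell` script is that of the final `echo`: if openssl cannot parse the certificate, `enddate` is empty, `date -d ""` resolves to today, the difference goes negative and the next task silently forces a CA rotation instead of surfacing the error. The templated path is also interpolated into the shell line unquoted, and `date -d` is GNU-specific. `openssl x509 -checkend` expresses the same 366-day test directly through its exit code, so I would replace both tasks with the version below and fail on any rc other than 0 or 1. The enclosing block (its `block:` header and the trailing `when: ca_file_stat.stat.exists`) starts and ends outside the added lines.

```yaml
- name: Check whether the CA certificate expires within 366 days
  command: >
    openssl x509 -checkend 31622400 -noout
    -in "{{ octavia_confd_prefix }}/{{ ca_cert_path }}"
  register: ca_checkend
  changed_when: false
  # rc 0: valid for more than 366 days; rc 1: expiring or unparseable; anything else is an error
  failed_when: ca_checkend.rc not in [0, 1]

- name: Force CA update if remaining validity is less than 1 year
  set_fact:
    force_certs_update: true
  when:
    - ca_checkend.rc == 1
```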
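Review bot: The `grep -q 'AES-256-CBC'` task uses `failed_when: false`, so a grep that cannot read the key file (rc 2, e.g. a permission problem) is indistinguishable from a DES3-encrypted key and the "Store flag" task silently schedules a re-encryption of the CA private key. I would match the actual legacy PEM header, quote the templated path and only accept rc 0/1: `shell: grep -q 'DEK-Info: AES-256-CBC' "{{ octavia_confd_prefix }}/{{ ca_private_key_path }}"`, `failed_when: ca_private_key_aes_256.rc == 2`, and `- ca_private_key_aes_256.rc == 1` in the `when`. Note also that a PKCS#8 `ENCRYPTED PRIVATE KEY` file never carries a `DEK-Info:` line, so if such a key can appear here the flag would be set on every run; I cannot tell from this role whether that is possible. The enclosing `block:` and its `when: ca_key_file_stat.stat.exists` lie outside the hunk.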
@@ -35,7 +35,39 @@ - name: Generating certificate authority private key become: true shell: | - openssl genrsa -passout pass:{{ ca_passphrase }} -des3 -out {{ openssl_temp_dir }}/private/cakey.pem 2048 + openssl genrsa -passout pass:{{ ca_passphrase }} -aes256 -out {{ openssl_temp_dir }}/private/cakey.pem 2048 + when: + - not (force_certs_update | default(false) | bool) + +- name: Reuse previous CA private key + block: + - name: Write previous CA private key + copy: + content: "{{ private_key_content }}" + dest: "{{ openssl_temp_dir }}/private/cakey.pem" + no_log: true + when: + - force_certs_update | default(false) | bool + - not (force_private_key_update | default(false) | bool) + +- name: Reuse and update previous CA private key + block: + - name: Write previous CA private key + copy: + content: "{{ private_key_content }}" + dest: "{{ openssl_temp_dir }}/private/cakey.old.pem" + no_log: true + + - name: Update CA private key + shell: | + openssl rsa -aes256 \ + -passin pass:{{ ca_passphrase }} \ + -passout pass:{{ ca_passphrase }} \ + -in {{ openssl_temp_dir }}/private/cakey.old.pem \ + -out {{ openssl_temp_dir }}/private/cakey.pem + when: + - force_certs_update | default(false) | bool + - force_private_key_update | default(false) | bool - name: Reading private key become: true @@ -51,7 +83,7 @@ shell: | openssl req -x509 -passin pass:{{ ca_passphrase }} -new -nodes -key {{ openssl_temp_dir }}/private/cakey.pem \ -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \ - -days 365 -config {{ openssl_temp_dir }}/openssl.cnf \ + -days 18250 -config {{ openssl_temp_dir }}/openssl.cnf \ -out {{ openssl_temp_dir }}/ca_01.pem - name: Reading CA certificate 
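Review bot: The new "Update CA private key" task places `ca_passphrase` on the openssl command line twice (`-passin pass:` / `-passout pass:`) without `no_log: true`, so the passphrase is visible in `ps` on the target and in the Ansible task output, while the sibling `copy` tasks in the same hunk do get `no_log`. The two `copy` tasks that write `cakey.pem` / `cakey.old.pem` also set no `mode`, so the plaintext-reusable private key may land with default (world-readable, umask-dependent) permissions in `openssl_temp_dir`. I would pass the passphrase through the environment and pin `mode: "0600"` as below; the same `no_log`/env treatment applies to the unchanged `genrsa` line. It is also worth confirming that `private_key_content` is the fact the check role exports (that role stores `ca_private_key`), and whether these new tasks need the `become: true` the `genrsa` task carries.

```yaml
- name: Reuse and update previous CA private key
  block:
    - name: Write previous CA private key
      copy:
        content: "{{ private_key_content }}"
        dest: "{{ openssl_temp_dir }}/private/cakey.old.pem"
        mode: "0600"
      no_log: true

    - name: Update CA private key
      shell: |
        openssl rsa -aes256 \
          -passin env:CA_PASSPHRASE \
          -passout env:CA_PASSPHRASE \
          -in {{ openssl_temp_dir }}/private/cakey.old.pem \
          -out {{ openssl_temp_dir }}/private/cakey.pem
      environment:
        CA_PASSPHRASE: "{{ ca_passphrase }}"
      no_log: true
  # … unchanged: when conditions on force_certs_update / force_private_key_update …
```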
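Review bot: A 50-year (`-days 18250`) self-signed CA certificate on a 2048-bit RSA key, combined with the key reuse added elsewhere in this file, means the CA key material effectively never rotates over the life of the deployment, and the 366-day renewal check in the controller role will not fire for decades. If the intent is to avoid the disruptive yearly amphora re-keying the old `-days 365` caused, that rationale should be stated next to the value, and the lifetime should be a role variable rather than a literal, e.g. `-days {{ octavia_ca_cert_days | default(18250) }} -config {{ openssl_temp_dir }}/openssl.cnf \`. The task this line belongs to starts outside the hunk.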
@@ -74,7 +106,7 @@ become: true shell: | openssl ca -config {{ openssl_temp_dir }}/openssl.cnf -passin pass:{{ ca_passphrase }} -in {{ openssl_temp_dir }}/client.csr \ - -days 365 -out {{ openssl_temp_dir }}/client-.pem -batch + -days 3650 -out {{ openssl_temp_dir }}/client-.pem -batch - name: Read service private key and public certifcate become: true diff --git a/tripleo_ansible/roles/octavia_overcloud_config/tasks/check_existing_certs.yml b/tripleo_ansible/roles/octavia_overcloud_config/tasks/check_existing_certs.yml index 93d3bfefc..8ee192c82 100644 --- a/tripleo_ansible/roles/octavia_overcloud_config/tasks/check_existing_certs.yml +++ b/tripleo_ansible/roles/octavia_overcloud_config/tasks/check_existing_certs.yml @@ -65,5 +65,6 @@ update_certs: false when: - (octavia_node_count | int) == (ca_certs | length) + - not (force_certs_update | default(false)) when: - (ca_certs | length) > 0 diff --git a/tripleo_ansible/roles/octavia_overcloud_config/tasks/main.yml b/tripleo_ansible/roles/octavia_overcloud_config/tasks/main.yml index c08fd1bc1..371633d36 100644 --- a/tripleo_ansible/roles/octavia_overcloud_config/tasks/main.yml +++ b/tripleo_ansible/roles/octavia_overcloud_config/tasks/main.yml @@ -13,4 +13,4 @@ - include_tasks: certs_gen.yml when: - generate_certs | bool - - (generate_ca | default(true)) | bool + - (generate_ca | default(true)) | bool or (force_certs_update | default(false) | bool)
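Review bot: The client certificate is now issued for 3650 days, but the only expiry check added in this commit (octavia_controller_check) looks at `ca_cert_path`; nothing visible here examines the client certificate, so with a 50-year CA the client cert would lapse at year ten without `force_certs_update` ever being set. I would either add a parallel `openssl x509 -checkend` task for the client certificate in the check role or, if it is regenerated on a different trigger, document that next to this line: `# client cert lifetime must stay well below the CA lifetime; its expiry is not checked by octavia_controller_check`. The lifetime would also be better as a variable, `-days {{ octavia_client_cert_days | default(3650) }}`. The task name and `become:` belong to a task that begins outside the hunk.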
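Review bot: The added condition `not (force_certs_update | default(false))` omits the `| bool` that every other use of this fact in the commit applies, so a string value such as `"false"` passed via extra-vars would be truthy here and never cancel the update. For consistency with certs_gen.yml and main.yml write it as `- not (force_certs_update | default(false) | bool)`. The enclosing `when: (ca_certs | length) > 0` block starts outside the hunk.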
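Review bot: The new `or` clause makes certs_gen.yml run even when `generate_ca` is explicitly false, as long as the check role set `force_certs_update`; if `generate_ca: false` is how an operator indicates an externally managed CA, a forced run would regenerate a self-signed CA over it, which I cannot confirm from this file but looks unintended. If that reading is right, keep `generate_ca` as a hard gate and apply the force only to the first condition: `- (generate_certs | bool) or (force_certs_update | default(false) | bool)` followed by the unchanged `- (generate_ca | default(true)) | bool`. Otherwise a one-line comment stating that forced renewal deliberately overrides `generate_ca` would prevent the next reader from asking the same question.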