diff --git a/tripleo_common/constants.py b/tripleo_common/constants.py
index 2f4d42996..dfcd22a6f 100644
--- a/tripleo_common/constants.py
+++ b/tripleo_common/constants.py
@@ -153,6 +153,10 @@ DO_NOT_ROTATE_LIST = (
 'KeystoneFernetKey0',
 'KeystoneFernetKey1',
 'KeystoneFernetKeys',
+ 'CephClientKey',
+ 'CephClusterFSID',
+ 'CephManilaClientKey',
+ 'CephRgwKey',
 )
 PLAN_NAME_PATTERN = '^[a-zA-Z0-9-]+$'
diff --git a/tripleo_common/utils/passwords.py b/tripleo_common/utils/passwords.py
index 52ab57363..dcdb8b730 100644
--- a/tripleo_common/utils/passwords.py
+++ b/tripleo_common/utils/passwords.py
@@ -51,13 +51,12 @@ def generate_passwords(stack_env=None,
 if (stack_env and name in stack_env.get('parameter_defaults', {}) and not rotate_passwords):
 passwords[name] = stack_env['parameter_defaults'][name]
- elif name.startswith("Ceph"):
- if name == "CephClusterFSID":
- # The FSID must be a UUID
- passwords[name] = six.text_type(uuid.uuid4())
- else:
- # CephX keys aren't random strings
- passwords[name] = create_cephx_key()
+ elif name in ('CephClientKey', 'CephManilaClientKey', 'CephRgwKey'):
+ # CephX keys aren't random strings
+ passwords[name] = create_cephx_key()
+ elif name == "CephClusterFSID":
+ # The FSID must be a UUID
+ passwords[name] = six.text_type(uuid.uuid4())
 # Since by default passlib.pwd.genword uses all digits and ascii upper
 # & lowercase letters, it provides ~5.95 entropy per character.
 # Make the length of the default authkey 4096 bytes, which should give
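Review bot: The four entries added to `DO_NOT_ROTATE_LIST` in constants.py carry no comment saying why Ceph credentials are exempt from rotation. Going by the list's name, a rotation run will presumably leave `CephClientKey`, `CephManilaClientKey` and `CephRgwKey` untouched, so a leaked CephX key stays valid until it is replaced on the Ceph side. That trade-off should be stated where the exemption is declared, for example `# Ceph keys and the FSID belong to an existing cluster; rotate them through Ceph, not through password rotation`. The same three key names are repeated as a literal tuple in passwords.py, so the two lists can drift apart unless one is derived from the other. Only the tail of the tuple is inside this hunk.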
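Review bot: When `rotate_passwords` is true the first branch in passwords.py is skipped, so the new `elif` branches still mint a fresh CephX key and FSID; nothing in the visible lines consults `constants.DO_NOT_ROTATE_LIST`. If that list is enforced only by a caller outside this hunk, a direct call with rotation enabled would replace the Ceph credentials of a running cluster. I would enforce it here by ending the first condition with `and (not rotate_passwords or name in constants.DO_NOT_ROTATE_LIST)` (assuming `constants` is imported in this module) and add a test for it. Also, the exact-name tuple replaces a prefix match, so any other `Ceph`-prefixed parameter now falls through to the later branches and gets whatever they generate; confirm no remaining name needs a CephX-format key. `generate_passwords` starts and ends outside the hunk.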