diff --git a/scripts/util/keystore-setup b/scripts/util/keystore-setup index 8ca6cc77baa..25bf28af008 100755 --- a/scripts/util/keystore-setup +++ b/scripts/util/keystore-setup @@ -23,6 +23,7 @@ KS_VALIDITY="$4" CSR_FILE="$5" ALIAS="cloud" +LIBVIRTD_FILE="/etc/libvirt/libvirtd.conf" # Re-use existing password or use the one provided if [ -f "$PROPS_FILE" ]; then @@ -46,6 +47,27 @@ keytool -genkey -storepass "$KS_PASS" -keypass "$KS_PASS" -alias "$ALIAS" -keyal rm -f "$CSR_FILE" addresses=$(ip address | grep inet | awk '{print $2}' | sed 's/\/.*//g' | grep -v '^169.254.' | grep -v '^127.0.0.1' | egrep -v '^::1|^fe80' | grep -v '^::1' | sed 's/^/ip:/g' | tr '\r\n' ',') keytool -certreq -storepass "$KS_PASS" -alias "$ALIAS" -file $CSR_FILE -keystore "$KS_FILE" -ext san="$addresses" > /dev/null 2>&1 + +if [ $? -ne 0 ];then + echo "Failed to generate CSR file, retrying after removing existing settings" + + if [ -f "$LIBVIRTD_FILE" ]; then + echo "Reverting libvirtd to not listen on TLS" + sed -i "s,^listen_tls=1,listen_tls=0,g" $LIBVIRTD_FILE + systemctl restart libvirtd + fi + + echo "Removing cloud.* files in /etc/cloudstack/agent" + rm -f /etc/cloudstack/agent/cloud.* + + echo "Retrying to generate CSR file" + keytool -certreq -storepass "$KS_PASS" -alias "$ALIAS" -file $CSR_FILE -keystore "$KS_FILE" -ext san="$addresses" >/dev/null 2>&1 + if [ $? -ne 0 ];then + echo "Failed to generate CSR file while retrying" + exit 1 + fi +fi + cat "$CSR_FILE" # Fix file permissions diff --git a/server/src/main/java/com/cloud/hypervisor/kvm/discoverer/LibvirtServerDiscoverer.java b/server/src/main/java/com/cloud/hypervisor/kvm/discoverer/LibvirtServerDiscoverer.java index 4f1fcb26a7c..f4706be185d 100644 --- a/server/src/main/java/com/cloud/hypervisor/kvm/discoverer/LibvirtServerDiscoverer.java +++ b/server/src/main/java/com/cloud/hypervisor/kvm/discoverer/LibvirtServerDiscoverer.java 
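Review bot: The recovery branch after the first `keytool -certreq` rewrites `listen_tls=1` to `listen_tls=0`, restarts libvirtd and deletes every `/etc/cloudstack/agent/cloud.*` file on any non-zero exit, and nothing in this hunk turns TLS listening back on. Unless a later step outside the hunk re-enables it, one failed CSR leaves the host with libvirtd TLS switched off, so a comment such as `# TLS is re-enabled by <step> once the new certificate is installed` belongs above the `sed` line. Both `-certreq` calls send keytool's output to `/dev/null`, so the operator never sees why the destructive path ran; dropping the `2>&1` would let the error text reach the caller. If `$KS_FILE` sits in that directory and matches `cloud.*` (its value is not visible here), the retry runs `-certreq` against a keystore that was just removed, with no `-genkey` in between. The new lines also leave `$LIBVIRTD_FILE` unquoted; `sed -i "s,^listen_tls=1,listen_tls=0,g" "$LIBVIRTD_FILE"` matches the quoting used for `"$KS_FILE"`.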
@@ -260,10 +260,11 @@ public abstract class LibvirtServerDiscoverer extends DiscovererBase implements final String privateKey = _configDao.getValue("ssh.privatekey"); if (!SSHCmdHelper.acquireAuthorizedConnectionWithPublicKey(sshConnection, username, privateKey)) { - s_logger.error("Failed to authenticate with ssh key"); if (org.apache.commons.lang3.StringUtils.isEmpty(password)) { + s_logger.error("Failed to authenticate with ssh key"); throw new DiscoveredWithErrorException("Authentication error with ssh private key"); } + s_logger.info("Failed to authenticate with ssh key, retrying with password"); if (!sshConnection.authenticateWithPassword(username, password)) { s_logger.error("Failed to authenticate with password"); throw new DiscoveredWithErrorException("Authentication error with host password");
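Review bot: The added `s_logger.info("Failed to authenticate with ssh key, retrying with password");` does not say which account or host fell back from key to password authentication, so the event cannot be tied to a specific discovery attempt when reviewing logs. `username` is in scope at that point, so the message could read `s_logger.info("Failed to authenticate with ssh key for user " + username + ", retrying with password");`, and a host identifier could be added if one is available outside the hunk. The same applies to the two `s_logger.error` lines; the password itself should stay out of all three messages. The enclosing method starts and ends outside the hunk.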