diff --git a/ansible/roles/keystone/tasks/config-federation-oidc.yml b/ansible/roles/keystone/tasks/config-federation-oidc.yml
index 4171283273..81384931d0 100644
--- a/ansible/roles/keystone/tasks/config-federation-oidc.yml
+++ b/ansible/roles/keystone/tasks/config-federation-oidc.yml
@@ -52,6 +52,7 @@
   with_items: "{{ keystone_identity_providers }}"
   when:
     - item.protocol == 'openid'
+    - item.certificate_file is defined
     - inventory_hostname in groups[keystone.group]
 
 - name: Copying OpenStack Identity Providers attribute mappings
diff --git a/doc/source/reference/shared-services/keystone-guide.rst b/doc/source/reference/shared-services/keystone-guide.rst
index 126e53c3d9..e5b9b286ce 100644
--- a/doc/source/reference/shared-services/keystone-guide.rst
+++ b/doc/source/reference/shared-services/keystone-guide.rst
@@ -247,8 +247,8 @@ Identity provider's endpoint:
 certificate_file
 ****************
 
-Path to the Identity Provider certificate file, the file must be named as
-'certificate-key-id.pem'. E.g.
+Optional path to the Identity Provider certificate file.  If included,
+the file must be named as 'certificate-key-id.pem'. E.g.:
 
 .. code-block::