diff --git a/builtin/logical/pki/backend.go b/builtin/logical/pki/backend.go
index 5d525a2ad332..c83a1767a48d 100644
--- a/builtin/logical/pki/backend.go
+++ b/builtin/logical/pki/backend.go
@@ -583,6 +583,15 @@ func (b *backend) invalidate(ctx context.Context, key string) {
 }
 
 func (b *backend) periodicFunc(ctx context.Context, request *logical.Request) error {
+ if b.useLegacyBundleCaStorage() {
+ b.Logger().Info("periodicFunc: Performing extra PKI backend migration")
+ if err := b.initialize(ctx, &logical.InitializationRequest{}); err != nil {
+ b.Logger().Error("periodicFunc: extra PKI backend migration failed")
+ return err
+ }
+ b.Logger().Info("periodicFunc: extra PKI backend migration succeeded")
+ }
+
 sc := b.makeStorageContext(ctx, request.Storage)
 
 doCRL := func() error {
diff --git a/builtin/logical/pki/path_root.go b/builtin/logical/pki/path_root.go
index fc5476bef05f..423373cae5a8 100644
--- a/builtin/logical/pki/path_root.go
+++ b/builtin/logical/pki/path_root.go
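Review bot: The `return err` inside the new `if b.useLegacyBundleCaStorage()` block leaves periodicFunc before `doCRL` is even defined, so none of the periodic work below runs for as long as the migration keeps failing. If that work includes CRL rebuilds, revocation data goes stale with nothing to show for it but this log line. Consider logging and continuing, or add a comment saying why the rest must not run on legacy storage. The error value is also missing from the log call here and from the failure paths in the pathCAGenerateRoot and startBackend hunks; pass it along, e.g. `b.Logger().Error("periodicFunc: extra PKI backend migration failed", "error", err)`. periodicFunc continues past the end of the hunk.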
@@ -125,17 +125,22 @@ func (b *backend) pathCADeleteRoot(ctx context.Context, req *logical.Request, _
 }
 
 func (b *backend) pathCAGenerateRoot(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
- // Since we're planning on updating issuers here, grab the lock so we've
- // got a consistent view.
- b.issuersLock.Lock()
- defer b.issuersLock.Unlock()
-
 var err error
 
 if b.useLegacyBundleCaStorage() {
- return logical.ErrorResponse("Can not create root CA until migration has completed"), nil
+ // Try to do migration
+ b.Logger().Info("pathCAGenerateRoot: Performing extra PKI backend migration")
+ if err = b.initialize(ctx, &logical.InitializationRequest{}); err != nil {
+ return logical.ErrorResponse("Could not migrate, can not create root CA until migration has completed"), nil
+ }
+ b.Logger().Info("pathCAGenerateRoot: extra PKI backend migration succeeded")
 }
 
+ // Since we're planning on updating issuers here, grab the lock so we've
+ // got a consistent view.
+ b.issuersLock.Lock()
+ defer b.issuersLock.Unlock()
+
 sc := b.makeStorageContext(ctx, req.Storage)
 
 exported, format, role, errorResp := getGenerationParams(sc, data)
diff --git a/builtin/plugin/backend.go b/builtin/plugin/backend.go
index 04606bcbd288..e283af0eea04 100644
--- a/builtin/plugin/backend.go
+++ b/builtin/plugin/backend.go
@@ -156,9 +156,13 @@ func (b *PluginBackend) startBackend(ctx context.Context, storage logical.Storag
 b.loaded = true
 
 // call Initialize() explicitly here.
- return b.Backend.Initialize(ctx, &logical.InitializationRequest{
+ err = b.Backend.Initialize(ctx, &logical.InitializationRequest{
 Storage: storage,
 })
+ if err != nil {
+ b.Logger().Error("startBackend: backend initialize() failed, will be retried")
+ }
+ return err
 }
 
 // lazyLoad lazy-loads the backend before running a method
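Review bot: With `b.issuersLock.Lock()` moved below the migration block, `useLegacyBundleCaStorage()` is evaluated and `b.initialize` is called without the issuers lock. Two concurrent root-generation requests can therefore both enter the migration path, and the storage state checked here can change before the lock is taken. If initialize takes issuersLock itself (not visible in this hunk), that explains the move, but the function should then re-check once it holds the lock, e.g. `if b.useLegacyBundleCaStorage() { return logical.ErrorResponse("Can not create root CA until migration has completed"), nil }`. A comment above the block naming which lock serialises the migration would also help. The body of pathCAGenerateRoot continues past the hunk.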
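Review bot: The new log message says initialization "will be retried", but the context line above sets `b.loaded = true` before `Initialize` is called and nothing in the hunk clears it on failure. Unless code outside the hunk resets the flag, nothing here re-runs startBackend, and any retry depends on the individual backend (presumably the PKI periodicFunc change in this commit). Either reword the message or record the assumption next to it, for instance `// b.loaded stays true on failure; any retry must come from the backend itself.` startBackend begins before the hunk.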