diff --git a/roles/kubernetes/kubeadm/defaults/main.yml b/roles/kubernetes/kubeadm/defaults/main.yml
index 9dc577edf..b6ff3fc7f 100644
--- a/roles/kubernetes/kubeadm/defaults/main.yml
+++ b/roles/kubernetes/kubeadm/defaults/main.yml
@@ -11,8 +11,5 @@ kube_override_hostname: >-
   {{ inventory_hostname }}
   {%- endif -%}
 
-# Requests a fresh upload of certificates from first master
-kubeadm_etcd_refresh_cert_key: true
-
 # Experimental kubeadm etcd deployment mode. Available only for new deployment
 etcd_kubeadm_enabled: false
diff --git a/roles/kubernetes/kubeadm/tasks/kubeadm_etcd_node.yml b/roles/kubernetes/kubeadm/tasks/kubeadm_etcd_node.yml
index 322a34a17..b5c0f2552 100644
--- a/roles/kubernetes/kubeadm/tasks/kubeadm_etcd_node.yml
+++ b/roles/kubernetes/kubeadm/tasks/kubeadm_etcd_node.yml
@@ -1,18 +1,7 @@
 ---
-- name: Refresh certificates so they are fresh and not expired
-  command: >-
-    {{ bin_dir }}/kubeadm init phase
-    --config {{ kube_config_dir }}/kubeadm-config.yaml
-    upload-certs
-    --upload-certs
-  register: kubeadm_upload_cert
-  delegate_to: "{{ groups['kube-master'][0] }}"
-  when: kubeadm_etcd_refresh_cert_key
-  run_once: yes
-
 - name: Parse certificate key if not set
   set_fact:
-    kubeadm_certificate_key: "{{ hostvars[groups['kube-master'][0]]['kubeadm_upload_cert'].stdout_lines[-1] | trim }}"
+    kubeadm_certificate_key: "{{ hostvars[groups['kube-master'][0]]['kubeadm_certificate_key'] }}"
   when: kubeadm_certificate_key is undefined
 
 - name: Pull control plane certs down
diff --git a/scale.yml b/scale.yml
index 510f0aa44..ab1522145 100644
--- a/scale.yml
+++ b/scale.yml
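Review bot: The new `kubeadm_certificate_key` lookup raises an undefined-variable error (unless `error_on_undefined_vars` has been relaxed) whenever the first master carries no `kubeadm_certificate_key` fact — the upload that this task file used to perform itself via `run_once`/`delegate_to` is gone, so any entry point that includes `kubeadm_etcd_node.yml` without first running an upload play on the first master now fails at this line instead of at a clearly named step. I would guard it explicitly: `- assert: { that: hostvars[groups['kube-master'][0]]['kubeadm_certificate_key'] is defined, msg: "kubeadm_certificate_key must be uploaded on the first master before joining etcd nodes" }`. The removed task's own wording ("so they are fresh and not expired") indicates the uploaded key has a limited lifetime, so a stale fact left over from an earlier play would be accepted here silently; a comment above the task stating where the key must come from and that it must be fresh would help the next maintainer. Since the value decrypts the control-plane certificate bundle, `no_log: true` on this `set_fact` keeps it out of verbose callback output. The `Pull control plane certs down` task continues outside the hunk.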
@@ -74,6 +74,25 @@
     - { role: kubernetes/node, tags: node }
   environment: "{{ proxy_env }}"
 
+- name: Upload control plane certs and retrieve encryption key
+  hosts: kube-master | first
+  tags: kubeadm
+  tasks:
+    - name: include needed vars
+      include_vars: roles/kubespray-defaults/defaults/main.yaml
+    - name: Upload control plane certificates
+      command: >-
+        {{ bin_dir }}/kubeadm init phase
+        --config {{ kube_config_dir }}/kubeadm-config.yaml
+        upload-certs
+        --upload-certs
+      register: kubeadm_upload_cert
+      changed_when: false
+    - name: set fact 'kubeadm_certificate_key' for later use
+      set_fact:
+        kubeadm_certificate_key: "{{ kubeadm_upload_cert.stdout_lines[-1] | trim }}"
+      when: kubeadm_certificate_key is not defined
+
 - name: Target only workers to get kubelet installed and checking in on any new nodes(network)
   hosts: kube-node
   gather_facts: False
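Review bot: `register: kubeadm_upload_cert` captures the certificate key printed by `kubeadm init phase upload-certs` — the secret that decrypts the uploaded control-plane certificate bundle — and neither the command task nor the following `set_fact` carries `no_log: true`, so the key is written to verbose output and to any logging callback; add `no_log: true` to both tasks. `hosts: kube-master | first` does not look like an Ansible host pattern (a Jinja filter needs `{{ }}`); if it matches nothing, the play is skipped with only a warning and `kubeadm_certificate_key` is never set, so `hosts: kube-master[0]` seems the intended form — worth confirming in a run. `changed_when: false` also misreports a task whose name says it uploads certificates into the cluster; `changed_when: kubeadm_upload_cert.rc == 0` or simply dropping the line is more honest. Taking `stdout_lines[-1]` assumes the key is always the last line of output, and a one-line comment above the `set_fact` recording that assumption would save the next maintainer a guess.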