diff --git a/cmd/kubeadm/app/cmd/init.go b/cmd/kubeadm/app/cmd/init.go
index 061f37ee722..fcc9630cde0 100644
--- a/cmd/kubeadm/app/cmd/init.go
+++ b/cmd/kubeadm/app/cmd/init.go
@@ -200,17 +200,18 @@ func (i *Init) Validate() error {
 // Run executes master node provisioning, including certificates, needed static pod manifests, etc.
 func (i *Init) Run(out io.Writer) error {
 
-	// PHASE 1: Generate certificates
-	caCert, err := certphase.CreatePKIAssets(i.cfg, kubeadmapi.GlobalEnvParams.HostPKIPath)
-	if err != nil {
-		return err
-	}
-
-	// Exception:
+	// Validate token if any, otherwise generate
 	if i.cfg.Discovery.Token != nil {
-		// Validate token
-		if valid, err := kubeadmutil.ValidateToken(i.cfg.Discovery.Token); valid == false {
-			return err
+		if i.cfg.Discovery.Token.ID != "" && i.cfg.Discovery.Token.Secret != "" {
+			fmt.Printf("[token-discovery] A token has been provided, validating [%+v]\n", i.cfg.Discovery.Token)
+			if valid, err := kubeadmutil.ValidateToken(i.cfg.Discovery.Token); valid == false {
+				return err
+			}
+		} else {
+			fmt.Printf("[token-discovery] A token has not been provided, generating one\n")
+			if err := kubeadmutil.GenerateToken(i.cfg.Discovery.Token); err != nil {
+				return err
+			}
 		}
 
 		// Make sure there is at least one address
@@ -227,6 +228,12 @@ func (i *Init) Run(out io.Writer) error {
 		}
 	}
 
+	// PHASE 1: Generate certificates
+	caCert, err := certphase.CreatePKIAssets(i.cfg, kubeadmapi.GlobalEnvParams.HostPKIPath)
+	if err != nil {
+		return err
+	}
+
 	// PHASE 2: Generate kubeconfig files for the admin and the kubelet
 
 	// TODO this is not great, but there is only one address we can use here