diff --git a/cmd/kubeadm/app/discovery/token/token.go b/cmd/kubeadm/app/discovery/token/token.go
index cd56f5bf368..80275e00467 100644
--- a/cmd/kubeadm/app/discovery/token/token.go
+++ b/cmd/kubeadm/app/discovery/token/token.go
@@ -62,7 +62,7 @@ func retrieveValidatedConfigInfo(client clientset.Interface, cfg *kubeadmapi.Dis
 // Load the CACertHashes into a pubkeypin.Set
 pubKeyPins := pubkeypin.NewSet()
 if err = pubKeyPins.Allow(cfg.BootstrapToken.CACertHashes...); err != nil {
- return nil, err
+ return nil, errors.Wrap(err, "invalid discovery token CA certificate hash")
 }
 duration := cfg.Timeout.Duration
diff --git a/cmd/kubeadm/app/util/pubkeypin/pubkeypin.go b/cmd/kubeadm/app/util/pubkeypin/pubkeypin.go
index fb157160d6a..9bef3f9cf58 100644
--- a/cmd/kubeadm/app/util/pubkeypin/pubkeypin.go
+++ b/cmd/kubeadm/app/util/pubkeypin/pubkeypin.go
@@ -32,6 +32,11 @@ const (
 formatSHA256 = "sha256"
 )
+var (
+ // supportedFormats enumerates the supported formats
+ supportedFormats = strings.Join([]string{formatSHA256}, ", ")
+)
+
 // Set is a set of pinned x509 public keys.
 type Set struct {
 sha256Hashes map[string]bool
@@ -47,7 +52,8 @@ func (s *Set) Allow(pubKeyHashes ...string) error {
 for _, pubKeyHash := range pubKeyHashes {
 parts := strings.Split(pubKeyHash, ":")
 if len(parts) != 2 {
- return errors.New("invalid public key hash, expected \"format:value\"")
+ return errors.Errorf("invalid hash, expected \"format:hex-value\". "+
+ "Known format(s) are: %s", supportedFormats)
 }
 format, value := parts[0], parts[1]
@@ -55,7 +61,7 @@ func (s *Set) Allow(pubKeyHashes ...string) error {
 case "sha256":
 return s.allowSHA256(value)
 default:
- return errors.Errorf("unknown hash format %q", format)
+ return errors.Errorf("unknown hash format %q. Known format(s) are: %s", format, supportedFormats)
 }
 }
 return nil
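Review bot: The comment on `supportedFormats` says it "enumerates" the formats, but the value is a pre-joined display string that this commit uses only in error messages. The dispatch in `Allow` (visible in the later hunk) still matches the literal `case "sha256":` rather than `formatSHA256`, so the advertised list and the accepted formats are maintained in two places and can drift apart. Consider `// supportedFormats is the comma-separated list of accepted hash formats, for use in error messages` and `case formatSHA256:` in the switch.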
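Review bot: The new message in the `len(parts) != 2` branch of `Allow` does not say which entry was rejected, so when several CA certificate hashes are supplied the operator cannot tell which one is malformed. A public-key pin is not a secret, so quoting it is safe: `return errors.Errorf("invalid hash %q, expected \"format:hex-value\". Known format(s) are: %s", pubKeyHash, supportedFormats)`. The text also embeds a full stop and a capitalised second sentence, which reads awkwardly once token.go wraps it with its own prefix. `Allow` begins and ends outside this hunk.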
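Review bot: The context line `return s.allowSHA256(value)` under `case "sha256":` returns from inside the `for` loop even when the call succeeds, so as far as these two hunks show `Allow` processes only the first element of `pubKeyHashes`. Any further pins are neither validated nor added to the set, which means a typo in a later hash goes unreported and a join that depends on a second pin (for example during a CA rotation) fails to match with no hint why. The improved messages in this commit therefore only ever describe the first entry. Replacing the line with `if err := s.allowSHA256(value); err != nil { return err }` lets the loop reach the trailing `return nil`. The `switch` header and the function's closing brace are outside the hunk.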
@@ -99,7 +105,7 @@ func (s *Set) allowSHA256(hash string) error {
 // validate that the hash is valid hex
 _, err := hex.DecodeString(hash)
 if err != nil {
- return err
+ return errors.Wrap(err, "could not decode SHA-256 from hex")
 }
 // in the end, just store the original hex string in memory (in lowercase)
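Review bot: `allowSHA256` discards the decoded bytes (`_, err := hex.DecodeString(hash)`), so the only validation visible here is that the value is hex. A value of the wrong length, including the empty string left by an input of `sha256:`, passes and would be stored as a pin that can never match. That fails closed, but the operator would presumably hit a pin mismatch during discovery instead of the clear input error this commit is aiming for. Keeping the result (named `raw` here) and checking its length closes the gap: `if len(raw) != 32 { return errors.Errorf("expected a 32-byte SHA-256 digest, got %d bytes", len(raw)) }`. The rest of the function is outside the hunk, so confirm no length check already follows.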