diff --git a/pkg/kubeapiserver/authenticator/config.go b/pkg/kubeapiserver/authenticator/config.go
index 52715eb3087..a08d0ee38ca 100644
--- a/pkg/kubeapiserver/authenticator/config.go
+++ b/pkg/kubeapiserver/authenticator/config.go
@@ -19,6 +19,7 @@ package authenticator
 import (
 "errors"
 "fmt"
+ "os"
 "time"
 
 utilnet "k8s.io/apimachinery/pkg/util/net"
@@ -158,7 +159,7 @@ func (config Config) New() (authenticator.Request, *spec.SecurityDefinitions, er
 var oidcCAContent oidc.CAContentProvider
 if len(config.OIDCCAFile) != 0 {
 var oidcCAErr error
- oidcCAContent, oidcCAErr = dynamiccertificates.NewDynamicCAContentFromFile("oidc-authenticator", config.OIDCCAFile)
+ oidcCAContent, oidcCAErr = staticCAContentProviderFromFile("oidc-authenticator", config.OIDCCAFile)
 if oidcCAErr != nil {
 return nil, nil, oidcCAErr
 }
@@ -318,3 +319,12 @@ func newWebhookTokenAuthenticator(config Config) (authenticator.Token, error) {
 
 return tokencache.New(webhookTokenAuthenticator, false, config.WebhookTokenAuthnCacheTTL, config.WebhookTokenAuthnCacheTTL), nil
 }
+
+func staticCAContentProviderFromFile(purpose, filename string) (dynamiccertificates.CAContentProvider, error) {
+ fileBytes, err := os.ReadFile(filename)
+ if err != nil {
+ return nil, err
+ }
+
+ return dynamiccertificates.NewStaticCAContent(purpose, fileBytes)
+}
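Review bot: In the `Config.New` hunk, the call site gives no hint that the OIDC CA bundle is now loaded only once, when the authenticator is built. Because `staticCAContentProviderFromFile` replaces `NewDynamicCAContentFromFile`, a later edit to `config.OIDCCAFile` (for example dropping a CA that should no longer be trusted) presumably takes effect only after the process restarts. I would add a comment above the assignment, such as `// The OIDC CA bundle is read once here; changes to the file on disk are not picked up until restart.` The body of `New` starts and ends outside the hunk, so whether anything else still watches the file cannot be seen from here.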
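Review bot: The new `staticCAContentProviderFromFile` at the end of the file returns the `os.ReadFile` error unwrapped and carries no doc comment. A startup failure then shows only the file-system error, without the `purpose` that says which authenticator's trust bundle could not be loaded; `return nil, fmt.Errorf("reading CA bundle for %q: %w", purpose, err)` keeps the cause and names the consumer, and `fmt` is already imported in this file. A one-line doc comment would also record the contract, for example `// staticCAContentProviderFromFile reads filename once and returns a CA provider that does not reload it.`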