diff --git a/cmd/kubeadm/app/util/pkiutil/pki_helpers.go b/cmd/kubeadm/app/util/pkiutil/pki_helpers.go
index dac477429c0..d416a8b0434 100644
--- a/cmd/kubeadm/app/util/pkiutil/pki_helpers.go
+++ b/cmd/kubeadm/app/util/pkiutil/pki_helpers.go
@@ -247,13 +247,8 @@ func CertOrKeyExist(pkiPath, name string) bool {
 
 	_, certErr := os.Stat(certificatePath)
 	_, keyErr := os.Stat(privateKeyPath)
-	if os.IsNotExist(certErr) && os.IsNotExist(keyErr) {
-		// The cert and the key do not exist
-		return false
-	}
 
-	// Both files exist or one of them
-	return true
+	return !(os.IsNotExist(certErr) && os.IsNotExist(keyErr))
 }
 
 // CSROrKeyExist returns true if one of the CSR or key exists
diff --git a/cmd/kubeadm/app/util/pkiutil/pki_helpers_test.go b/cmd/kubeadm/app/util/pkiutil/pki_helpers_test.go
index 9e5acc713f0..8eb8a8310c1 100644
--- a/cmd/kubeadm/app/util/pkiutil/pki_helpers_test.go
+++ b/cmd/kubeadm/app/util/pkiutil/pki_helpers_test.go
@@ -262,12 +262,16 @@ func TestCertOrKeyExist(t *testing.T) {
 	}
 	defer os.RemoveAll(tmpdir)
 
-	caCert := &x509.Certificate{}
-	actual := WriteCertAndKey(tmpdir, "foo", caCert, rootCAKey)
-	if actual != nil {
+	if err = WriteCertAndKey(tmpdir, "foo-0", rootCACert, rootCAKey); err != nil {
 		t.Errorf(
 			"failed WriteCertAndKey with an error: %v",
-			actual,
+			err,
+		)
+	}
+	if err = WriteCert(tmpdir, "foo-1", rootCACert); err != nil {
+		t.Errorf(
+			"failed WriteCert with an error: %v",
+			err,
 		)
 	}
 
@@ -284,9 +288,15 @@ func TestCertOrKeyExist(t *testing.T) {
 			expected: false,
 		},
 		{
-			desc:     "valid path and name",
+			desc:     "valid path and name, both cert and key exist",
 			path:     tmpdir,
-			name:     "foo",
+			name:     "foo-0",
+			expected: true,
+		},
+		{
+			desc:     "valid path and name, only cert exist",
+			path:     tmpdir,
+			name:     "foo-1",
 			expected: true,
 		},
 	}