diff --git a/cmd/kubeadm/app/phases/certs/certlist_test.go b/cmd/kubeadm/app/phases/certs/certlist_test.go
index fa696db477a..4c223224e3c 100644
--- a/cmd/kubeadm/app/phases/certs/certlist_test.go
+++ b/cmd/kubeadm/app/phases/certs/certlist_test.go
@@ -27,6 +27,7 @@ import (
 	certutil "k8s.io/client-go/util/cert"
 
 	kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
+	kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants"
 	"k8s.io/kubernetes/cmd/kubeadm/app/util/pkiutil"
 )
 
@@ -222,3 +223,81 @@ func parseCertAndKey(basePath string, t *testing.T) (*x509.Certificate, crypto.P
 
 	return parsedCert, certPair.PrivateKey
 }
+
+func TestCreateKeyAndCSR(t *testing.T) {
+	dir, err := os.MkdirTemp("", t.Name())
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer os.RemoveAll(dir)
+
+	validKubeadmConfig := &kubeadmapi.InitConfiguration{
+		NodeRegistration: kubeadmapi.NodeRegistrationOptions{
+			Name: "test-node",
+		},
+		ClusterConfiguration: kubeadmapi.ClusterConfiguration{
+			CertificatesDir: dir,
+		},
+	}
+	validKubeadmCert := &KubeadmCert{
+		Name:     "ca",
+		LongName: "self-signed Kubernetes CA to provision identities for other Kubernetes components",
+		BaseName: kubeadmconstants.CACertAndKeyBaseName,
+		config: pkiutil.CertConfig{
+			Config: certutil.Config{
+				CommonName: "kubernetes",
+			},
+		},
+	}
+
+	type args struct {
+		kubeadmConfig *kubeadmapi.InitConfiguration
+		cert          *KubeadmCert
+	}
+	tests := []struct {
+		name       string
+		args       args
+		wantErr    bool
+		createfile bool
+	}{
+		{
+			name: "kubeadmConfig is nil",
+			args: args{
+				kubeadmConfig: nil,
+				cert:          validKubeadmCert,
+			},
+			wantErr: true,
+		},
+		{
+			name: "cert is nil",
+			args: args{
+				kubeadmConfig: validKubeadmConfig,
+				cert:          nil,
+			},
+			wantErr: true,
+		},
+		{
+			name: "key and CSR do not exist",
+			args: args{
+				kubeadmConfig: validKubeadmConfig,
+				cert:          validKubeadmCert,
+			},
+			wantErr: false,
+		},
+		{
+			name: "key or CSR already exist",
+			args: args{
+				kubeadmConfig: validKubeadmConfig,
+				cert:          validKubeadmCert,
+			},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if err := createKeyAndCSR(tt.args.kubeadmConfig, tt.args.cert); (err != nil) != tt.wantErr {
+				t.Errorf("createKeyAndCSR() error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+}