diff --git a/cluster/state.go b/cluster/state.go
index eccab5c8..a42c0db0 100644
--- a/cluster/state.go
+++ b/cluster/state.go
@@ -174,8 +174,13 @@ func RebuildState(ctx context.Context, rkeConfig *v3.RancherKubernetesEngineConf
 }
 newState.DesiredState.CertificatesBundle = certBundle
 } else {
- // Regenerating etcd certificates for any new etcd nodes
 pkiCertBundle := oldState.DesiredState.CertificatesBundle
+ // check for legacy clusters prior to requestheaderca
+ if pkiCertBundle[pki.RequestHeaderCACertName].Certificate == nil {
+ if err := pki.GenerateRKERequestHeaderCACert(ctx, pkiCertBundle, flags.ClusterFilePath, flags.ConfigDir); err != nil {
+ return nil, err
+ }
+ }
 if err := pki.GenerateRKEServicesCerts(ctx, pkiCertBundle, *rkeConfig, flags.ClusterFilePath, flags.ConfigDir, false); err != nil {
 return nil, err
 }
diff --git a/pki/services.go b/pki/services.go
index 72ccd737..9415cab1 100644
--- a/pki/services.go
+++ b/pki/services.go
@@ -400,6 +400,13 @@ func GenerateServiceTokenKey(ctx context.Context, certs map[string]CertificatePK
 }
 
 func GenerateRKECACerts(ctx context.Context, certs map[string]CertificatePKI, configPath, configDir string) error {
+ if err := GenerateRKEMasterCACert(ctx, certs, configPath, configDir); err != nil {
+ return err
+ }
+ return GenerateRKERequestHeaderCACert(ctx, certs, configPath, configDir)
+}
+
+func GenerateRKEMasterCACert(ctx context.Context, certs map[string]CertificatePKI, configPath, configDir string) error {
 // generate kubernetes CA certificate and key
 log.Infof(ctx, "[certificates] Generating CA kubernetes certificates")
 
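Review bot: In cluster/state.go, the legacy-cluster guard in the else branch of RebuildState adds a new trust anchor to an existing cluster's certificate bundle, yet it is documented only as `// check for legacy clusters prior to requestheaderca`, and the deleted etcd comment leaves the `GenerateRKEServicesCerts` call below it unexplained. I would write `// State saved before the request-header CA existed has no entry for it; create the CA once here, never replacing an existing one.` above the guard and restore a one-line comment on the services call. The last argument to `GenerateRKEServicesCerts` is `false`; if that is a rotate flag (its meaning is not visible here), a test with a legacy state should confirm that every certificate meant to chain to this CA is actually issued from the newly created one. RebuildState starts and ends outside the hunk.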
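Review bot: In pki/services.go, `GenerateRKEMasterCACert` and, in the following hunk, `GenerateRKERequestHeaderCACert` become exported entry points without doc comments, and the contract a caller needs is unstated: each generates a fresh CA key pair unconditionally, and `certs[CACertName] = ToCertObject(...)` shows the master variant overwriting whatever entry the bundle already held. The only protection against replacing a CA that running components already trust is the `Certificate == nil` check at the call site in cluster/state.go. Assuming the request-header variant stores its result the same way (its assignment lies outside the lines shown), I would add `// GenerateRKERequestHeaderCACert creates a new request-header CA and stores it in certs, replacing any existing entry; callers must check the bundle first.`, the matching comment on `GenerateRKEMasterCACert`, and a one-line comment on `GenerateRKECACerts` saying it generates both. The body of `GenerateRKEMasterCACert` continues past this hunk.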
@@ -408,7 +415,10 @@ func GenerateRKECACerts(ctx context.Context, certs map[string]CertificatePKI, co
 return err
 }
 certs[CACertName] = ToCertObject(CACertName, "", "", caCrt, caKey, nil)
+ return nil
+}
 
+func GenerateRKERequestHeaderCACert(ctx context.Context, certs map[string]CertificatePKI, configPath, configDir string) error {
 // generate request header client CA certificate and key
 log.Infof(ctx, "[certificates] Generating Kubernetes API server aggregation layer requestheader client CA certificates")
 requestHeaderCACrt, requestHeaderCAKey, err := GenerateCACertAndKey(RequestHeaderCACertName, nil)