diff --git a/cluster/kubectl.go b/cluster/kubectl.go
index b8ecf2b1..2379e328 100644
--- a/cluster/kubectl.go
+++ b/cluster/kubectl.go
@@ -23,12 +23,20 @@ type KubectlCommand struct {
 
 func (c *Cluster) buildClusterConfigEnv() []string {
 	// This needs to be updated when add more configuration
-	return []string{
-		pki.ConvertConfigToENV(pki.KubeAdminConfigENVName, c.Certificates[pki.KubeAdminCommonName].Config),
-		pki.ConvertConfigToENV(ClusterCIDREnvName, c.ClusterCIDR),
-		pki.ConvertConfigToENV(ClusterDNSServerIPEnvName, c.ClusterDNSServer),
-		pki.ConvertConfigToENV(ClusterDomainEnvName, c.ClusterDomain),
+	environmentMap := map[string]string{
+		ClusterCIDREnvName:        c.ClusterCIDR,
+		ClusterDNSServerIPEnvName: c.ClusterDNSServer,
+		ClusterDomainEnvName:      c.ClusterDomain,
 	}
+	adminConfig := c.Certificates[pki.KubeAdminCommonName]
+	//build ClusterConfigEnv
+	env := []string{
+		adminConfig.ConfigToEnv(),
+	}
+	for k, v := range environmentMap {
+		env = append(env, fmt.Sprintf("%s=%s", k, v))
+	}
+	return env
 }
 
 func (c *Cluster) RunKubectlCmd(kubectlCmd *KubectlCommand) error {
diff --git a/pki/deploy.go b/pki/deploy.go
index 505c7587..b76b93b8 100644
--- a/pki/deploy.go
+++ b/pki/deploy.go
@@ -2,8 +2,6 @@ package pki
 
 import (
 	"context"
-	"crypto/rsa"
-	"crypto/x509"
 	"fmt"
 	"io/ioutil"
 	"time"
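Review bot: `for k, v := range environmentMap` in buildClusterConfigEnv makes the order of the returned env entries vary from run to run, since Go randomizes map iteration; nothing in the hunk depends on the order, but it makes the deployer's environment non-reproducible for no gain, and the map plus loop is more code than the four lines it replaces. I would drop the map and append the three pairs directly, e.g. `env := []string{adminConfig.ConfigToEnv(), ClusterCIDREnvName + "=" + c.ClusterCIDR, ClusterDNSServerIPEnvName + "=" + c.ClusterDNSServer, ClusterDomainEnvName + "=" + c.ClusterDomain}`, which also removes the new use of fmt in this function. The hunk does not show kubectl.go's import block, so if fmt.Sprintf stays, confirm `fmt` is actually imported in that file. Minor style point: the added comment should read `// build ClusterConfigEnv` to match the spacing of the comment just above it.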
@@ -13,42 +11,24 @@ import (
 	"github.com/docker/docker/api/types/container"
 	"github.com/rancher/rke/docker"
 	"github.com/rancher/rke/hosts"
-	"k8s.io/client-go/util/cert"
 )
 
-func ConvertCrtToENV(name string, certificate *x509.Certificate) string {
-	encodedCrt := cert.EncodeCertPEM(certificate)
-	return fmt.Sprintf("%s=%s", name, string(encodedCrt))
-}
-
-func ConvertKeyToENV(name string, key *rsa.PrivateKey) string {
-	encodedKey := cert.EncodePrivateKeyPEM(key)
-	return fmt.Sprintf("%s=%s", name, string(encodedKey))
-}
-
-func ConvertConfigToENV(name string, config string) string {
-	return fmt.Sprintf("%s=%s", name, config)
-}
-
 func DeployCertificatesOnMasters(cpHosts []hosts.Host, crtMap map[string]CertificatePKI) error {
-	env := []string{
-		ConvertCrtToENV(CACertENVName, crtMap[CACertName].Certificate),
-		ConvertKeyToENV(CAKeyENVName, crtMap[CACertName].Key),
-		ConvertCrtToENV(KubeAPICertENVName, crtMap[KubeAPICertName].Certificate),
-		ConvertKeyToENV(KubeAPIKeyENVName, crtMap[KubeAPICertName].Key),
-		ConvertCrtToENV(KubeControllerCertENVName, crtMap[KubeControllerName].Certificate),
-		ConvertKeyToENV(KubeControllerKeyENVName, crtMap[KubeControllerName].Key),
-		ConvertConfigToENV(KubeControllerConfigENVName, crtMap[KubeControllerName].Config),
-		ConvertCrtToENV(KubeSchedulerCertENVName, crtMap[KubeSchedulerName].Certificate),
-		ConvertKeyToENV(KubeSchedulerKeyENVName, crtMap[KubeSchedulerName].Key),
-		ConvertConfigToENV(KubeSchedulerConfigENVName, crtMap[KubeSchedulerName].Config),
-		ConvertCrtToENV(KubeProxyCertENVName, crtMap[KubeProxyName].Certificate),
-		ConvertKeyToENV(KubeProxyKeyENVName, crtMap[KubeProxyName].Key),
-		ConvertConfigToENV(KubeProxyConfigENVName, crtMap[KubeProxyName].Config),
-		ConvertCrtToENV(KubeNodeCertENVName, crtMap[KubeNodeName].Certificate),
-		ConvertKeyToENV(KubeNodeKeyENVName, crtMap[KubeNodeName].Key),
-		ConvertConfigToENV(KubeNodeConfigENVName, crtMap[KubeNodeName].Config),
+	// list of certificates that should be deployed on the masters
+	crtList := []string{
+		CACertName,
+		KubeAPICertName,
+		KubeControllerName,
+		KubeSchedulerName,
+		KubeProxyName,
+		KubeNodeName,
 	}
+	env := []string{}
+	for _, crtName := range crtList {
+		c := crtMap[crtName]
+		env = append(env, c.ToEnv()...)
+	}
+
 	for i := range cpHosts {
 		err := doRunDeployer(&cpHosts[i], env)
 		if err != nil {
@@ -59,15 +39,18 @@ func DeployCertificatesOnMasters(cpHosts []hosts.Host, crtMap map[string]Certifi
 }
 
 func DeployCertificatesOnWorkers(workerHosts []hosts.Host, crtMap map[string]CertificatePKI) error {
-	env := []string{
-		ConvertCrtToENV(CACertENVName, crtMap[CACertName].Certificate),
-		ConvertCrtToENV(KubeProxyCertENVName, crtMap[KubeProxyName].Certificate),
-		ConvertKeyToENV(KubeProxyKeyENVName, crtMap[KubeProxyName].Key),
-		ConvertConfigToENV(KubeProxyConfigENVName, crtMap[KubeProxyName].Config),
-		ConvertCrtToENV(KubeNodeCertENVName, crtMap[KubeNodeName].Certificate),
-		ConvertKeyToENV(KubeNodeKeyENVName, crtMap[KubeNodeName].Key),
-		ConvertConfigToENV(KubeNodeConfigENVName, crtMap[KubeNodeName].Config),
+	// list of certificates that should be deployed on the workers
+	crtList := []string{
+		CACertName,
+		KubeProxyName,
+		KubeNodeName,
 	}
+	env := []string{}
+	for _, crtName := range crtList {
+		c := crtMap[crtName]
+		env = append(env, c.ToEnv()...)
+	}
+
 	for i := range workerHosts {
 		err := doRunDeployer(&workerHosts[i], env)
 		if err != nil {
diff --git a/pki/pki.go b/pki/pki.go
index bb949859..bb334316 100644
--- a/pki/pki.go
+++ b/pki/pki.go
@@ -12,9 +12,18 @@ import (
 )
 
 type CertificatePKI struct {
-	Certificate *x509.Certificate
-	Key         *rsa.PrivateKey
-	Config      string
+	Certificate   *x509.Certificate
+	Key           *rsa.PrivateKey
+	Config        string
+	Name          string
+	CommonName    string
+	OUName        string
+	EnvName       string
+	Path          string
+	KeyEnvName    string
+	KeyPath       string
+	ConfigEnvName string
+	ConfigPath    string
 }
 
 // StartCertificatesGeneration ...
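Review bot: DeployCertificatesOnWorkers now ships the CA private key to every worker: `CACertName` is in `crtList` and `c.ToEnv()` always emits `KeyToEnv()`, whereas the removed code passed only `ConvertCrtToENV(CACertENVName, ...)` for the CA on workers. A worker needs the CA certificate to verify the API server, not the key; with `CAKeyENVName` present in each worker's deployer environment, compromise of any single node is enough to mint arbitrary client certificates trusted by the whole cluster. Keep the CA to its certificate on workers, for example `ca := crtMap[CACertName]`, `env := []string{ca.CertToEnv()}` and `crtList := []string{KubeProxyName, KubeNodeName}`, and add a comment on the list stating that the CA key must never be deployed here so the next refactor does not reintroduce it. The function's body continues past the end of the hunk.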
@@ -39,6 +48,11 @@ func generateCerts(cpHosts []hosts.Host, clusterDomain string, KubernetesService
 	certs[CACertName] = CertificatePKI{
 		Certificate: caCrt,
 		Key:         caKey,
+		Name:        CACertName,
+		EnvName:     CACertENVName,
+		KeyEnvName:  CAKeyENVName,
+		Path:        CACertPath,
+		KeyPath:     CAKeyPath,
 	}
 
 	// generate API certificate and key
@@ -52,6 +66,11 @@ func generateCerts(cpHosts []hosts.Host, clusterDomain string, KubernetesService
 	certs[KubeAPICertName] = CertificatePKI{
 		Certificate: kubeAPICrt,
 		Key:         kubeAPIKey,
+		Name:        KubeAPICertName,
+		EnvName:     KubeAPICertENVName,
+		KeyEnvName:  KubeAPIKeyENVName,
+		Path:        KubeAPICertPath,
+		KeyPath:     KubeAPIKeyPath,
 	}
 
 	// generate Kube controller-manager certificate and key
@@ -62,9 +81,17 @@ func generateCerts(cpHosts []hosts.Host, clusterDomain string, KubernetesService
 	}
 	logrus.Debugf("[certificates] Kube Controller Certificate: %s", string(cert.EncodeCertPEM(kubeControllerCrt)))
 	certs[KubeControllerName] = CertificatePKI{
-		Certificate: kubeControllerCrt,
-		Key:         kubeControllerKey,
-		Config:      getKubeConfigX509("https://"+cpHosts[0].AdvertiseAddress+":6443", KubeControllerName, CACertPath, KubeControllerCertPath, KubeControllerKeyPath),
+		Certificate:   kubeControllerCrt,
+		Key:           kubeControllerKey,
+		Config:        getKubeConfigX509("https://"+cpHosts[0].AdvertiseAddress+":6443", KubeControllerName, CACertPath, KubeControllerCertPath, KubeControllerKeyPath),
+		Name:          KubeControllerName,
+		CommonName:    KubeControllerCommonName,
+		EnvName:       KubeControllerCertENVName,
+		KeyEnvName:    KubeControllerKeyENVName,
+		Path:          KubeControllerCertPath,
+		KeyPath:       KubeControllerKeyPath,
+		ConfigEnvName: KubeControllerConfigENVName,
+		ConfigPath:    KubeControllerConfigPath,
 	}
 
 	// generate Kube scheduler certificate and key
@@ -75,9 +102,17 @@ func generateCerts(cpHosts []hosts.Host, clusterDomain string, KubernetesService
 	}
 	logrus.Debugf("[certificates] Kube Scheduler Certificate: %s", string(cert.EncodeCertPEM(kubeSchedulerCrt)))
 	certs[KubeSchedulerName] = CertificatePKI{
-		Certificate: kubeSchedulerCrt,
-		Key:         kubeSchedulerKey,
-		Config:      getKubeConfigX509("https://"+cpHosts[0].AdvertiseAddress+":6443", KubeSchedulerName, CACertPath, KubeSchedulerCertPath, KubeSchedulerKeyPath),
+		Certificate:   kubeSchedulerCrt,
+		Key:           kubeSchedulerKey,
+		Config:        getKubeConfigX509("https://"+cpHosts[0].AdvertiseAddress+":6443", KubeSchedulerName, CACertPath, KubeSchedulerCertPath, KubeSchedulerKeyPath),
+		Name:          KubeSchedulerName,
+		CommonName:    KubeSchedulerCommonName,
+		EnvName:       KubeSchedulerCertENVName,
+		KeyEnvName:    KubeSchedulerKeyENVName,
+		Path:          KubeSchedulerCertPath,
+		KeyPath:       KubeSchedulerKeyPath,
+		ConfigEnvName: KubeSchedulerConfigENVName,
+		ConfigPath:    KubeSchedulerConfigPath,
 	}
 
 	// generate Kube Proxy certificate and key
@@ -88,9 +123,17 @@ func generateCerts(cpHosts []hosts.Host, clusterDomain string, KubernetesService
 	}
 	logrus.Debugf("[certificates] Kube Proxy Certificate: %s", string(cert.EncodeCertPEM(kubeProxyCrt)))
 	certs[KubeProxyName] = CertificatePKI{
-		Certificate: kubeProxyCrt,
-		Key:         kubeProxyKey,
-		Config:      getKubeConfigX509("https://"+cpHosts[0].AdvertiseAddress+":6443", KubeProxyName, CACertPath, KubeProxyCertPath, KubeProxyKeyPath),
+		Certificate:   kubeProxyCrt,
+		Key:           kubeProxyKey,
+		Config:        getKubeConfigX509("https://"+cpHosts[0].AdvertiseAddress+":6443", KubeProxyName, CACertPath, KubeProxyCertPath, KubeProxyKeyPath),
+		Name:          KubeProxyName,
+		CommonName:    KubeProxyCommonName,
+		EnvName:       KubeProxyCertENVName,
+		Path:          KubeProxyCertPath,
+		KeyEnvName:    KubeProxyKeyENVName,
+		KeyPath:       KubeProxyKeyPath,
+		ConfigEnvName: KubeProxyConfigENVName,
+		ConfigPath:    KubeProxyConfigPath,
 	}
 
 	// generate Kubelet certificate and key
@@ -101,9 +144,18 @@ func generateCerts(cpHosts []hosts.Host, clusterDomain string, KubernetesService
 	}
 	logrus.Debugf("[certificates] Node Certificate: %s", string(cert.EncodeCertPEM(kubeProxyCrt)))
 	certs[KubeNodeName] = CertificatePKI{
-		Certificate: nodeCrt,
-		Key:         nodeKey,
-		Config:      getKubeConfigX509("https://"+cpHosts[0].AdvertiseAddress+":6443", KubeNodeName, CACertPath, KubeNodeCertPath, KubeNodeKeyPath),
+		Certificate:   nodeCrt,
+		Key:           nodeKey,
+		Config:        getKubeConfigX509("https://"+cpHosts[0].AdvertiseAddress+":6443", KubeNodeName, CACertPath, KubeNodeCertPath, KubeNodeKeyPath),
+		Name:          KubeNodeName,
+		CommonName:    KubeNodeCommonName,
+		OUName:        KubeNodeOrganizationName,
+		EnvName:       KubeNodeCertENVName,
+		KeyEnvName:    KubeNodeKeyENVName,
+		Path:          KubeNodeCertPath,
+		KeyPath:       KubeNodeKeyPath,
+		ConfigEnvName: KubeNodeConfigENVName,
+		ConfigPath:    KubeNodeCommonName,
 	}
 	logrus.Infof("[certificates] Generating admin certificates and kubeconfig")
 	kubeAdminCrt, kubeAdminKey, err := generateClientCertAndKey(caCrt, caKey, KubeAdminCommonName, []string{KubeAdminOrganizationName})
@@ -120,6 +172,10 @@ func generateCerts(cpHosts []hosts.Host, clusterDomain string, KubernetesService
 			string(cert.EncodeCertPEM(caCrt)),
 			string(cert.EncodeCertPEM(kubeAdminCrt)),
 			string(cert.EncodePrivateKeyPEM(kubeAdminKey))),
+		CommonName:    KubeAdminCommonName,
+		OUName:        KubeAdminOrganizationName,
+		ConfigEnvName: KubeAdminConfigENVName,
+		ConfigPath:    KubeAdminConfigPath,
 	}
 	return certs, nil
 }
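Review bot: `ConfigPath: KubeNodeCommonName,` in the KubeNodeName entry stores a certificate common name in a path field; every other config-bearing entry in this diff pairs `ConfigEnvName` with a matching `*ConfigPath` constant, so this looks like it should be `ConfigPath: KubeNodeConfigPath,` (that constant is not visible in the diff, so confirm it exists alongside KubeNodeCertPath and KubeNodeKeyPath). No consumer of ConfigPath is visible here, but any that reads it for the kubelet kubeconfig would receive a common name where it expects a file path. Adjacent and pre-existing, but worth fixing while touching this literal: the Debugf context line above logs `kubeProxyCrt` under the "Node Certificate" label rather than `nodeCrt`. generateCerts starts and ends outside this hunk.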
@@ -200,3 +256,28 @@ func getAltNames(cpHosts []hosts.Host, clusterDomain string, KubernetesServiceIP
 		DNSNames: dnsNames,
 	}
 }
+
+func (c *CertificatePKI) ToEnv() []string {
+	env := []string{
+		c.CertToEnv(),
+		c.KeyToEnv(),
+	}
+	if c.Config != "" {
+		env = append(env, c.ConfigToEnv())
+	}
+	return env
+}
+
+func (c *CertificatePKI) CertToEnv() string {
+	encodedCrt := cert.EncodeCertPEM(c.Certificate)
+	return fmt.Sprintf("%s=%s", c.EnvName, string(encodedCrt))
+}
+
+func (c *CertificatePKI) KeyToEnv() string {
+	encodedKey := cert.EncodePrivateKeyPEM(c.Key)
+	return fmt.Sprintf("%s=%s", c.KeyEnvName, string(encodedKey))
+}
+
+func (c *CertificatePKI) ConfigToEnv() string {
+	return fmt.Sprintf("%s=%s", c.ConfigEnvName, c.Config)
+}
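Review bot: `ToEnv` calls `c.KeyToEnv()` unconditionally, so a CertificatePKI with a nil `Key` reaches `cert.EncodePrivateKeyPEM(nil)`; the `Config != ""` guard shows the type is already expected to hold partially populated entries (the admin entry in the @@ -120 hunk sets only CommonName, OUName, ConfigEnvName and ConfigPath as far as this diff shows), and as far as I can tell encoding a nil key panics rather than returning an error. Guard the key the same way as the config: `env := []string{c.CertToEnv()}` followed by `if c.Key != nil { env = append(env, c.KeyToEnv()) }`. The four new exported methods also carry no doc comments; I would add `// ToEnv returns NAME=PEM entries for the certificate, its private key and, when set, its kubeconfig, for use as a deployer container environment.` and on KeyToEnv a line such as `// KeyToEnv returns the private key in PEM form; the result is secret material and must never be logged.` so callers are warned before they dump the env for debugging.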