diff --git a/cluster/certificates.go b/cluster/certificates.go
index 18260c5b..8113da65 100644
--- a/cluster/certificates.go
+++ b/cluster/certificates.go
@@ -37,7 +37,8 @@ func regenerateAPICertificate(c *Cluster, certificates map[string]pki.Certificat
 kubeAPIAltNames := pki.GetAltNames(c.ControlPlaneHosts, c.ClusterDomain, c.KubernetesServiceIP)
 caCrt := certificates[pki.CACertName].Certificate
 caKey := certificates[pki.CACertName].Key
- kubeAPICert, kubeAPIKey, err := pki.GenerateKubeAPICertAndKey(caCrt, caKey, kubeAPIAltNames)
+ kubeAPIKey := certificates[pki.KubeAPICertName].Key
+ kubeAPICert, err := pki.GenerateCertWithKey(pki.KubeAPICertName, kubeAPIKey, caCrt, caKey, kubeAPIAltNames)
 if err != nil {
 return nil, err
 }
diff --git a/pki/pki.go b/pki/pki.go
index 4fb20a24..650e4622 100644
--- a/pki/pki.go
+++ b/pki/pki.go
@@ -216,6 +216,20 @@ func GenerateKubeAPICertAndKey(caCrt *x509.Certificate, caKey *rsa.PrivateKey, a
 return kubeCACert, rootKey, nil
 }
 
+func GenerateCertWithKey(commonName string, key *rsa.PrivateKey, caCrt *x509.Certificate, caKey *rsa.PrivateKey, altNames *cert.AltNames) (*x509.Certificate, error) {
+ caConfig := cert.Config{
+ CommonName: commonName,
+ Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth,
+ x509.ExtKeyUsageServerAuth},
+ AltNames: *altNames,
+ }
+ cert, err := cert.NewSignedCert(caConfig, key, caCrt, caKey)
+ if err != nil {
+ return nil, fmt.Errorf("Failed to generate certificate with existing key: %v", err)
+ }
+ return cert, nil
+}
+
 func generateCACertAndKey() (*x509.Certificate, *rsa.PrivateKey, error) {
 rootKey, err := cert.NewPrivateKey()
 if err != nil {
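Review bot: The new `kubeAPIKey := certificates[pki.KubeAPICertName].Key` line is not checked for nil before being handed to GenerateCertWithKey; if the map has no entry for the API server yet (or the entry has no key), the zero-value `Key` is a nil `*rsa.PrivateKey` and the signing call will dereference it rather than return an error. A guard such as `if kubeAPIKey == nil { return nil, fmt.Errorf("regenerating %s certificate: no existing private key", pki.KubeAPICertName) }` right after the lookup keeps the failure as an error the caller already handles (assuming fmt is imported in this file; otherwise use the file's existing error constructor). It would also help to document on regenerateAPICertificate that the private key is intentionally reused and only the certificate (with fresh alt names) is reissued, since that is the behavioural change here and a reader may otherwise expect a rotated key. regenerateAPICertificate starts before and continues past this hunk.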
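Review bot: In GenerateCertWithKey the local `cert, err := cert.NewSignedCert(...)` shadows the imported `cert` package for the rest of the function, which compiles only because the right-hand side is evaluated before the new variable comes into scope; rename it, e.g. `signedCert, err := cert.NewSignedCert(caConfig, key, caCrt, caKey)` and `return signedCert, nil`, and consider `certConfig` instead of `caConfig`, since this config describes the leaf certificate, not a CA. The function also dereferences `*altNames` and passes `key` through without checking either for nil, so a single guard `if key == nil || altNames == nil { return nil, fmt.Errorf("generating certificate %q: key and altNames must be non-nil", commonName) }` at the top turns a panic into an error. The error string should start lowercase per Go convention, and the exported function needs a doc comment along the lines of "GenerateCertWithKey issues a certificate for commonName and altNames, with client and server auth usages, using the supplied private key and signed by caCrt/caKey."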