diff --git a/cmd/cert.go b/cmd/cert.go
index c1e04a8d..b583dcce 100644
--- a/cmd/cert.go
+++ b/cmd/cert.go
@@ -2,11 +2,10 @@ package cmd
 
 import (
 	"context"
+	"crypto/x509"
 	"fmt"
 	"time"
 
-	"github.com/sirupsen/logrus"
-
 	"github.com/rancher/rke/cluster"
 	"github.com/rancher/rke/hosts"
 	"github.com/rancher/rke/log"
@@ -14,6 +13,7 @@ import (
 	"github.com/rancher/rke/pki/cert"
 	"github.com/rancher/rke/services"
 	v3 "github.com/rancher/types/apis/management.cattle.io/v3"
+	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli"
 )
 
@@ -236,6 +236,21 @@ func rotateRKECertificates(ctx context.Context, kubeCluster *cluster.Cluster, fl
 		return nil, fmt.Errorf("Failed to rotate certificates: can't find old certificates")
 	}
 	currentCluster.RotateCertificates = kubeCluster.RotateCertificates
+	if !kubeCluster.RotateCertificates.CACertificates {
+		caCertPKI, ok := rkeFullState.CurrentState.CertificatesBundle[pki.CACertName]
+		if !ok {
+			return nil, fmt.Errorf("Failed to rotate certificates: can't find CA certificate")
+		}
+		caCert := caCertPKI.Certificate
+		if caCert == nil {
+			return nil, fmt.Errorf("Failed to rotate certificates: CA certificate is nil")
+		}
+		certPool := x509.NewCertPool()
+		certPool.AddCert(caCert)
+		if _, err := caCert.Verify(x509.VerifyOptions{Roots: certPool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
+			return nil, fmt.Errorf("Failed to rotate certificates: CA certificate is invalid, please use the --rotate-ca flag to rotate CA certificate, error: %v", err)
+		}
+	}
 	if err := cluster.RotateRKECertificates(ctx, currentCluster, flags, rkeFullState); err != nil {
 		return nil, err
 	}
diff --git a/cmd/etcd.go b/cmd/etcd.go
index cd2b35e6..17b19a54 100644
--- a/cmd/etcd.go
+++ b/cmd/etcd.go
@@ -206,6 +206,7 @@ func validateCerts(state cluster.State) error {
 			} else {
 				failedErrs = errors.Wrap(failedErrs, fmt.Sprintf("Certificate [%s] is nil", certPKI.Name))
 			}
+			continue
 		}
 
 		certPool := x509.NewCertPool()