diff --git a/cluster/certificates.go b/cluster/certificates.go
index 6234fecf..5ac55990 100644
--- a/cluster/certificates.go
+++ b/cluster/certificates.go
@@ -22,19 +22,23 @@ func SetUpAuthentication(ctx context.Context, kubeCluster, currentCluster *Clust
 if currentCluster != nil {
 kubeCluster.Certificates = currentCluster.Certificates
 } else {
- var backupHost *hosts.Host
+ var backupPlane string
+ var backupHosts []*hosts.Host
 if len(kubeCluster.Services.Etcd.ExternalURLs) > 0 {
- backupHost = kubeCluster.ControlPlaneHosts[0]
+ backupPlane = ControlPlane
+ backupHosts = kubeCluster.ControlPlaneHosts
 } else {
- backupHost = kubeCluster.EtcdHosts[0]
+ backupPlane = EtcdPlane
+ backupHosts = kubeCluster.EtcdHosts
 }
- log.Infof(ctx, "[certificates] Attempting to recover certificates from backup on host [%s]", backupHost.Address)
- kubeCluster.Certificates, err = pki.FetchCertificatesFromHost(ctx, kubeCluster.EtcdHosts, backupHost, kubeCluster.SystemImages.Alpine, kubeCluster.LocalKubeConfigPath, kubeCluster.PrivateRegistriesMap)
+ log.Infof(ctx, "[certificates] Attempting to recover certificates from backup on [%s] hosts", backupPlane)
+
+ kubeCluster.Certificates, err = fetchBackupCertificates(ctx, backupHosts, kubeCluster)
 if err != nil {
 return err
 }
 if kubeCluster.Certificates != nil {
- log.Infof(ctx, "[certificates] Certificate backup found on host [%s]", backupHost.Address)
+ log.Infof(ctx, "[certificates] Certificate backup found on[%s] hosts", backupPlane)
 // this is the case of adding controlplane node on empty cluster with only etcd nodes
 if kubeCluster.Certificates[pki.KubeAdminCertName].Config == "" && len(kubeCluster.ControlPlaneHosts) > 0 {
 if err := rebuildLocalAdminConfig(ctx, kubeCluster); err != nil {
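Review bot: The new `Certificate backup found on[%s] hosts` message has lost the space before `[%s]`, and with `backupHost.Address` removed none of the recovery log lines say which host actually supplied the certificates. Since the first host that returns a bundle now decides the cluster's PKI, that host is worth recording for later audit. I would fix the string to `"[certificates] Certificate backup found on [%s] hosts"` and log `host.Address` at the point where `fetchBackupCertificates` gets a non-nil map back. SetUpAuthentication starts before this hunk and continues past it.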
@@ -47,17 +51,18 @@ func SetUpAuthentication(ctx context.Context, kubeCluster, currentCluster *Clust
 }
 return nil
 }
- log.Infof(ctx, "[certificates] No Certificate backup found on host [%s]", backupHost.Address)
+ log.Infof(ctx, "[certificates] No Certificate backup found on [%s] hosts", backupPlane)
 kubeCluster.Certificates, err = pki.GenerateRKECerts(ctx, kubeCluster.RancherKubernetesEngineConfig, kubeCluster.LocalKubeConfigPath, "")
 if err != nil {
 return fmt.Errorf("Failed to generate Kubernetes certificates: %v", err)
 }
- log.Infof(ctx, "[certificates] Temporarily saving certs to control host [%s]", backupHost.Address)
- if err := pki.DeployCertificatesOnHost(ctx, backupHost, kubeCluster.Certificates, kubeCluster.SystemImages.CertDownloader, pki.TempCertPath, kubeCluster.PrivateRegistriesMap); err != nil {
+
+ log.Infof(ctx, "[certificates] Temporarily saving certs to [%s] hosts", backupPlane)
+ if err := deployBackupCertificates(ctx, backupHosts, kubeCluster); err != nil {
 return err
 }
- log.Infof(ctx, "[certificates] Saved certs to control host [%s]", backupHost.Address)
+ log.Infof(ctx, "[certificates] Saved certs to [%s] hosts", backupPlane)
 }
 }
 return nil
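Review bot: The `deployBackupCertificates(ctx, backupHosts, kubeCluster)` call now writes the whole of `kubeCluster.Certificates` under `pki.TempCertPath` on every host of the plane instead of one, and nothing visible in this diff removes those copies again. The bundle presumably includes private keys, so the cleanup step for the temporary path should be confirmed to run on all of `backupHosts`; a comment such as `// certs are copied to every backup host; the step that clears pki.TempCertPath must cover all of them` would make that dependency explicit. Because the helper returns only the first error from `errgrp.Wait()`, a partial failure aborts here without the log saying which hosts already hold a copy. SetUpAuthentication begins before this hunk.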
@@ -176,3 +181,28 @@ func saveCertToKubernetes(kubeClient *kubernetes.Clientset, crtName string, crt
 return fmt.Errorf("[certificates] Timeout waiting for kubernetes to be ready")
 }
 }
+
+func deployBackupCertificates(ctx context.Context, backupHosts []*hosts.Host, kubeCluster *Cluster) error {
+ var errgrp errgroup.Group
+
+ for _, host := range backupHosts {
+ runHost := host
+ errgrp.Go(func() error {
+ return pki.DeployCertificatesOnHost(ctx, runHost, kubeCluster.Certificates, kubeCluster.SystemImages.CertDownloader, pki.TempCertPath, kubeCluster.PrivateRegistriesMap)
+ })
+ }
+ return errgrp.Wait()
+}
+
+func fetchBackupCertificates(ctx context.Context, backupHosts []*hosts.Host, kubeCluster *Cluster) (map[string]pki.CertificatePKI, error) {
+ var err error
+ certificates := map[string]pki.CertificatePKI{}
+ for _, host := range backupHosts {
+ certificates, err = pki.FetchCertificatesFromHost(ctx, kubeCluster.EtcdHosts, host, kubeCluster.SystemImages.Alpine, kubeCluster.LocalKubeConfigPath, kubeCluster.PrivateRegistriesMap)
+ if certificates != nil {
+ return certificates, nil
+ }
+ }
+ // reporting the last error only.
+ return nil, err
+}
diff --git a/cluster/cluster.go b/cluster/cluster.go
index a097b63d..c07f6987 100644
--- a/cluster/cluster.go
+++ b/cluster/cluster.go
@@ -61,6 +61,9 @@ const (
 CloudProvider = "CloudProvider"
 AzureCloudProvider = "azure"
 AWSCloudProvider = "aws"
+ ControlPlane = "controlPlane"
+ WorkerPlane = "workerPlan"
+ EtcdPlane = "etcd"
 )
 func (c *Cluster) DeployControlPlane(ctx context.Context) error {
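Review bot: `fetchBackupCertificates` tests `certificates != nil` before looking at `err` and then returns only the last host's error, so a failed fetch on one host followed by a clean "no backup" answer from a later host yields `nil, nil`. The caller in SetUpAuthentication reads that as "no backup exists" and goes on to generate a fresh set of certificates, even though the host that could not be read may hold the existing one. I would keep the first error and return it when no host produced a backup, as below; whether a single unreachable host should block generation is a policy call for the maintainers. The initial `map[string]pki.CertificatePKI{}` value is never read and can be dropped.

```go
func fetchBackupCertificates(ctx context.Context, backupHosts []*hosts.Host, kubeCluster *Cluster) (map[string]pki.CertificatePKI, error) {
	var firstErr error
	for _, host := range backupHosts {
		certificates, err := pki.FetchCertificatesFromHost(ctx, kubeCluster.EtcdHosts, host, kubeCluster.SystemImages.Alpine, kubeCluster.LocalKubeConfigPath, kubeCluster.PrivateRegistriesMap)
		if err != nil {
			// remember the first failure; a later host may still hold the backup
			if firstErr == nil {
				firstErr = fmt.Errorf("[certificates] Failed to fetch certificate backup from host [%s]: %v", host.Address, err)
			}
			continue
		}
		if certificates != nil {
			return certificates, nil
		}
	}
	// no backup found: a non-nil error keeps the caller from generating a new PKI
	// while a host that might hold the existing one could not be read
	return nil, firstErr
}
```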
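Review bot: In the cluster.go hunk, `WorkerPlane = "workerPlan"` looks like a typo next to `"controlPlane"`; these plane names are interpolated into the `[certificates]` log messages, so the misspelling would surface in operator-facing output once the constant is used. I would change it to `WorkerPlane = "workerPlane"`. Nothing in this diff references `WorkerPlane` yet, and the const block opens above the hunk.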