diff --git a/lib/cache/cache.go b/lib/cache/cache.go
index 86b01f1102b58..0c7fcf855e640 100644
--- a/lib/cache/cache.go
+++ b/lib/cache/cache.go
@@ -542,7 +542,12 @@ func (c *Cache) processEvent(event services.Event) error {
 // GetCertAuthority returns certificate authority by given id. Parameter loadSigningKeys
 // controls if signing keys are loaded
 func (c *Cache) GetCertAuthority(id services.CertAuthID, loadSigningKeys bool, opts ...services.MarshalOption) (services.CertAuthority, error) {
- return c.trustCache.GetCertAuthority(id, loadSigningKeys, services.AddOptions(opts, services.SkipValidation())...)
+ ca, err := c.trustCache.GetCertAuthority(id, loadSigningKeys, services.AddOptions(opts, services.SkipValidation())...)
+ // this is to prevent unexpected situations during cache reload
+ if trace.IsNotFound(err) {
+ return c.Trust.GetCertAuthority(id, loadSigningKeys, services.AddOptions(opts, services.SkipValidation())...)
+ }
+ return ca, err
 }
 
 // GetCertAuthorities returns a list of authorities of a given type
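Review bot: The fallback at `if trace.IsNotFound(err)` cannot distinguish a cache that is mid-reload from a certificate authority that genuinely does not exist, so every lookup for an unknown `id` now falls through to `c.Trust`. If `id` can be influenced by a remote or unauthenticated peer (not visible in this hunk), negative lookups bypass the cache entirely and their cost lands on the backend; consider limiting the fallback to the window in which the cache is known to be reinitialising, or bounding how often it may fire. The comment should also name the condition it guards, e.g. `// the cache can be empty while it is reloaded; on NotFound ask the backend so an existing CA is not reported as missing`. `GetCertAuthorities`, whose doc comment closes the hunk, presumably still reads only from `trustCache`, so the two getters may disagree during a reload.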