diff --git a/bindata/bootkube/config/bootstrap-config-overrides.yaml b/bindata/bootkube/config/bootstrap-config-overrides.yaml
index ecd04325e..d12309c5a 100644
--- a/bindata/bootkube/config/bootstrap-config-overrides.yaml
+++ b/bindata/bootkube/config/bootstrap-config-overrides.yaml
@@ -2,7 +2,7 @@ apiVersion: kubecontrolplane.config.openshift.io/v1
 kind: KubeControllerManagerConfig
 extendedArguments:
 root-ca-file:
- - "/etc/kubernetes/secrets/kube-ca.crt"
+ - "/etc/kubernetes/secrets/kube-apiserver-complete-server-ca-bundle.crt"
 service-account-private-key-file:
 - "/etc/kubernetes/secrets/service-account.key"
 cluster-signing-cert-file:
diff --git a/bindata/bootkube/config/config-overrides.yaml b/bindata/bootkube/config/config-overrides.yaml
index 5e2ff1a78..87b5e0796 100644
--- a/bindata/bootkube/config/config-overrides.yaml
+++ b/bindata/bootkube/config/config-overrides.yaml
@@ -1,8 +1,6 @@
 apiVersion: kubecontrolplane.config.openshift.io/v1
 kind: KubeControllerManagerConfig
 extendedArguments:
- service-account-private-key-file:
- - "/var/run/secrets/service-account-private-key/service-account.key"
 cluster-signing-cert-file:
 - "/var/run/secrets/cluster-signing-ca/kube-ca.crt"
 cluster-signing-key-file:
diff --git a/bindata/bootkube/manifests/configmap-initial-kube-controller-manager-serviceaccount-ca.yaml b/bindata/bootkube/manifests/configmap-initial-kube-controller-manager-serviceaccount-ca.yaml
deleted file mode 100644
index 12ed540ca..000000000
--- a/bindata/bootkube/manifests/configmap-initial-kube-controller-manager-serviceaccount-ca.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: initial-serviceaccount-ca
- namespace: openshift-config
-data:
- ca-bundle.crt: |
- {{ .Assets | load "kube-ca.crt" | indent 4 }}
-
diff --git a/pkg/operator/targetconfigcontroller/targetconfigcontroller.go b/pkg/operator/targetconfigcontroller/targetconfigcontroller.go
index d9b05414e..f8104a247 100644
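Review bot: The new `root-ca-file` entry in bootstrap-config-overrides.yaml has no comment saying what it feeds. This is the bundle kube-controller-manager publishes as `ca.crt` next to service account tokens, so pods started during bootstrap will trust exactly what the file contains. A comment above the entry such as `# CA bundle handed to pods with their service account token; must cover every kube-apiserver serving signer` would record that intent. The hunk does not show where `kube-apiserver-complete-server-ca-bundle.crt` is rendered, so it is worth confirming that the file is present under `/etc/kubernetes/secrets` before the bootstrap controller manager starts and that it holds CA certificates only.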
--- a/pkg/operator/targetconfigcontroller/targetconfigcontroller.go
+++ b/pkg/operator/targetconfigcontroller/targetconfigcontroller.go
@@ -230,10 +230,8 @@ func manageServiceAccountCABundle(lister corev1listers.ConfigMapLister, client c
 requiredConfigMap, err := resourcesynccontroller.CombineCABundleConfigMaps(
 resourcesynccontroller.ResourceLocation{Namespace: operatorclient.TargetNamespace, Name: "serviceaccount-ca"},
 lister, client, recorder,
- // include ca bundles from the installer
- resourcesynccontroller.ResourceLocation{Namespace: operatorclient.GlobalUserSpecifiedConfigNamespace, Name: "initial-serviceaccount-ca"},
 // include the ca bundle needed to recognize the server
- resourcesynccontroller.ResourceLocation{Namespace: operatorclient.GlobalMachineSpecifiedConfigNamespace, Name: "managed-kube-apiserver-serving-cert-signer"},
+ resourcesynccontroller.ResourceLocation{Namespace: operatorclient.GlobalMachineSpecifiedConfigNamespace, Name: "kube-apiserver-server-ca"},
 // include the ca bundle needed to recognize default
 // certificates generated by cluster-ingress-operator
 resourcesynccontroller.ResourceLocation{Namespace: operatorclient.GlobalMachineSpecifiedConfigNamespace, Name: "router-ca"},
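Review bot: The input list passed to `CombineCABundleConfigMaps` now relies on `kube-apiserver-server-ca` alone to let pods verify the API server, and nothing at the call site says what that config map must contain or what happens when it is missing. The resulting `serviceaccount-ca` bundle is the trust root for in-cluster clients. If the helper skips absent inputs (not visible in this hunk), the bundle could be written with only `router-ca` in it. On an upgraded cluster, any serving certificate still chained to the dropped installer CA would also stop verifying. I would extend the comment to `// include the ca bundle needed to recognize the server; must cover every kube-apiserver serving signer still in use` and confirm the missing-input behaviour before merging. The body of `manageServiceAccountCABundle` begins and ends outside the hunk.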