diff --git a/installer/cmd/tectonic/main.go b/installer/cmd/tectonic/main.go
index fc37d53bb43..1e00390eaa1 100644
--- a/installer/cmd/tectonic/main.go
+++ b/installer/cmd/tectonic/main.go
@@ -14,8 +14,7 @@ var (
 	clusterInitConfigFlag = clusterInitCommand.Flag("config", "Cluster specification file").Required().ExistingFile()
 	clusterInstallCommand = kingpin.Command("install", "Create a new Tectonic cluster")
-	clusterInstallTLSCommand = clusterInstallCommand.Command("tls", "Generate TLS Certificates.")
-	clusterInstallTLSNewCommand = clusterInstallCommand.Command("newtls", "Generate TLS Certificates, using a new engine (experimental)")
+	clusterInstallTLSNewCommand = clusterInstallCommand.Command("tls", "Generate TLS Certificates.")
 	clusterInstallAssetsCommand = clusterInstallCommand.Command("assets", "Generate Tectonic assets.")
 	clusterInstallBootstrapCommand = clusterInstallCommand.Command("bootstrap", "Create a single bootstrap node Tectonic cluster.")
 	clusterInstallFullCommand = clusterInstallCommand.Command("full", "Create a new Tectonic cluster").Default()
@@ -39,8 +38,6 @@ func main() {
 		w = workflow.InitWorkflow(*clusterInitConfigFlag)
 	case clusterInstallFullCommand.FullCommand():
 		w = workflow.InstallFullWorkflow(*clusterInstallDirFlag)
-	case clusterInstallTLSCommand.FullCommand():
-		w = workflow.InstallTLSWorkflow(*clusterInstallDirFlag)
 	case clusterInstallTLSNewCommand.FullCommand():
 		w = workflow.InstallTLSNewWorkflow(*clusterInstallDirFlag)
 	case clusterInstallAssetsCommand.FullCommand():
diff --git a/installer/pkg/config-generator/tls.go b/installer/pkg/config-generator/tls.go
index 03e0cee245a..1ec2bea95e4 100644
--- a/installer/pkg/config-generator/tls.go
+++ b/installer/pkg/config-generator/tls.go
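Review bot: The surviving subcommand is now registered as `tls`, but the identifier holding it is still `clusterInstallTLSNewCommand`, and the same half-finished rename is visible as `InstallTLSNewWorkflow` in install.go and `newTLSStep = "tls"` in utils.go. With the old `tls` command and `InstallTLSWorkflow` removed in this commit, "New" no longer distinguishes anything, so a reader will assume a second TLS path still exists somewhere. Finishing the consolidation with `clusterInstallTLSCommand = clusterInstallCommand.Command("tls", "Generate TLS Certificates.")` and matching workflow/step names would remove that ambiguity. Note also that `newtls` is dropped without an alias, so any script still invoking it now fails at argument parsing; that may be intended, but it is worth a line in the commit description.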
@@ -17,33 +17,33 @@ import (
 )
 const (
-	adminCertPath = "generated/newTLS/admin.crt"
-	adminKeyPath = "generated/newTLS/admin.key"
-	aggregatorCACertPath = "generated/newTLS/aggregator-ca.crt"
-	aggregatorCAKeyPath = "generated/newTLS/aggregator-ca.key"
-	apiServerCertPath = "generated/newTLS/apiserver.crt"
-	apiServerKeyPath = "generated/newTLS/apiserver.key"
-	apiServerProxyCertPath = "generated/newTLS/apiserver-proxy.crt"
-	apiServerProxyKeyPath = "generated/newTLS/apiserver-proxy.key"
-	etcdCACertPath = "generated/newTLS/etcd-ca.crt"
-	etcdCAKeyPath = "generated/newTLS/etcd-ca.key"
-	etcdClientCertPath = "generated/newTLS/etcd-client.crt"
-	etcdClientKeyPath = "generated/newTLS/etcd-client.key"
-	ingressCACertPath = "generated/newTLS/ingress-ca.crt"
-	ingressCertPath = "generated/newTLS/ingress.crt"
-	ingressKeyPath = "generated/newTLS/ingress.key"
-	kubeCACertPath = "generated/newTLS/kube-ca.crt"
-	kubeCAKeyPath = "generated/newTLS/kube-ca.key"
-	kubeletCertPath = "generated/newTLS/kubelet.crt"
-	kubeletKeyPath = "generated/newTLS/kubelet.key"
-	osAPIServerCertPath = "generated/newTLS/openshift-apiserver.crt"
-	osAPIServerKeyPath = "generated/newTLS/openshift-apiserver.key"
-	rootCACertPath = "generated/newTLS/root-ca.crt"
-	rootCAKeyPath = "generated/newTLS/root-ca.key"
-	serviceServingCACertPath = "generated/newTLS/service-serving-ca.crt"
-	serviceServingCAKeyPath = "generated/newTLS/service-serving-ca.key"
-	tncCertPath = "generated/newTLS/tnc.crt"
-	tncKeyPath = "generated/newTLS/tnc.key"
+	adminCertPath = "generated/tls/admin.crt"
+	adminKeyPath = "generated/tls/admin.key"
+	aggregatorCACertPath = "generated/tls/aggregator-ca.crt"
+	aggregatorCAKeyPath = "generated/tls/aggregator-ca.key"
+	apiServerCertPath = "generated/tls/apiserver.crt"
+	apiServerKeyPath = "generated/tls/apiserver.key"
+	apiServerProxyCertPath = "generated/tls/apiserver-proxy.crt"
+	apiServerProxyKeyPath = "generated/tls/apiserver-proxy.key"
+	etcdCACertPath = "generated/tls/etcd-ca.crt"
+	etcdCAKeyPath = "generated/tls/etcd-ca.key"
+	etcdClientCertPath = "generated/tls/etcd-client.crt"
+	etcdClientKeyPath = "generated/tls/etcd-client.key"
+	ingressCACertPath = "generated/tls/ingress-ca.crt"
+	ingressCertPath = "generated/tls/ingress.crt"
+	ingressKeyPath = "generated/tls/ingress.key"
+	kubeCACertPath = "generated/tls/kube-ca.crt"
+	kubeCAKeyPath = "generated/tls/kube-ca.key"
+	kubeletCertPath = "generated/tls/kubelet.crt"
+	kubeletKeyPath = "generated/tls/kubelet.key"
+	osAPIServerCertPath = "generated/tls/openshift-apiserver.crt"
+	osAPIServerKeyPath = "generated/tls/openshift-apiserver.key"
+	rootCACertPath = "generated/tls/root-ca.crt"
+	rootCAKeyPath = "generated/tls/root-ca.key"
+	serviceServingCACertPath = "generated/tls/service-serving-ca.crt"
+	serviceServingCAKeyPath = "generated/tls/service-serving-ca.key"
+	tncCertPath = "generated/tls/tnc.crt"
+	tncKeyPath = "generated/tls/tnc.key"
 	validityThreeYears = time.Hour * 24 * 365 * 3
 )
@@ -91,6 +91,15 @@ func (c *ConfigGenerator) GenerateTLSConfig(clusterDir string) error {
 		return fmt.Errorf("failed to generate etcd CA: %v", err)
 	}
+	err = copy.Copy(filepath.Join(clusterDir, etcdCAKeyPath), filepath.Join(clusterDir, "generated/tls/etcd-client-ca.key"))
+	if err != nil {
+		return fmt.Errorf("failed to import etcd CA key into etcd-client-ca.key: %v", err)
+	}
+	err = copy.Copy(filepath.Join(clusterDir, etcdCACertPath), filepath.Join(clusterDir, "generated/tls/etcd-client-ca.crt"))
+	if err != nil {
+		return fmt.Errorf("failed to import etcd CA cert into etcd-client-ca.crt: %v", err)
+	}
 	// generate etcd client certificate
 	cfg = &tls.CertCfg{
 		Subject: pkix.Name{CommonName: "etcd", OrganizationalUnit: []string{"etcd"}},
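Review bot: The two new copy.Copy calls in GenerateTLSConfig hard-code `"generated/tls/etcd-client-ca.key"` and `"generated/tls/etcd-client-ca.crt"` while every other artifact in this file is addressed through a named constant in the const block above; adding `etcdClientCACertPath`/`etcdClientCAKeyPath` there keeps the directory name in one place, which this commit has just demonstrated matters by rewriting all 27 existing constants. The first call also duplicates the etcd CA private key into a second file: verifying client certificates needs only the CA certificate, so unless a consumer outside this diff actually signs with etcd-client-ca.key, the key copy only widens where that CA's signing key lives on disk and could be dropped. Whether copy.Copy preserves the restrictive mode of the source key file is not visible here and is worth confirming for the .key copy. GenerateTLSConfig starts before and continues past this hunk.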
@@ -124,7 +133,8 @@ func (c *ConfigGenerator) GenerateTLSConfig(clusterDir string) error {
 	}
 	// Ingress certs
-	if copy.Copy(kubeCACertPath, ingressCACertPath); err != nil {
+	err = copy.Copy(filepath.Join(clusterDir, kubeCACertPath), filepath.Join(clusterDir, ingressCACertPath))
+	if err != nil {
 		return fmt.Errorf("failed to import kube CA cert into ingress-ca.crt: %v", err)
 	}
diff --git a/installer/pkg/workflow/destroy.go b/installer/pkg/workflow/destroy.go
index dbaa9b46409..a3d78b8770a 100644
--- a/installer/pkg/workflow/destroy.go
+++ b/installer/pkg/workflow/destroy.go
@@ -15,15 +15,10 @@ func DestroyWorkflow(clusterDir string) Workflow {
 			destroyTNCDNSStep,
 			destroyTopologyStep,
 			destroyAssetsStep,
-			destroyTLSAssetsStep,
 		},
 	}
 }
-func destroyTLSAssetsStep(m *metadata) error {
-	return runDestroyStep(m, tlsStep)
-}
-
 func destroyAssetsStep(m *metadata) error {
 	return runDestroyStep(m, assetsStep)
 }
diff --git a/installer/pkg/workflow/init.go b/installer/pkg/workflow/init.go
index 35603f2f3a2..fe0a5c0571a 100644
--- a/installer/pkg/workflow/init.go
+++ b/installer/pkg/workflow/init.go
@@ -21,7 +21,7 @@ const (
 	kubeSystemPath = "generated/manifests"
 	kubeSystemFileName = "cluster-config.yaml"
 	tectonicSystemPath = "generated/tectonic"
-	newTLSPath = "generated/newTLS"
+	tlsPath = "generated/tls"
 	tectonicSystemFileName = "cluster-config.yaml"
 	terraformVariablesFileName = "terraform.tfvars"
 )
diff --git a/installer/pkg/workflow/install.go b/installer/pkg/workflow/install.go
index 5d3f9903c98..10dad1438ca 100644
--- a/installer/pkg/workflow/install.go
+++ b/installer/pkg/workflow/install.go
@@ -17,7 +17,7 @@ func InstallFullWorkflow(clusterDir string) Workflow {
 		refreshConfigStep,
 		generateClusterConfigMaps,
 		readClusterConfigStep,
-		installTLSAssetsStep,
+		generateTLSConfigStep,
 		generateClusterConfigMaps,
 		installAssetsStep,
 		generateIgnConfigStep,
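Review bot: The rewritten ingress copy correctly replaces a check that tested a stale `err` and passed bare relative paths, but it moves `err` to function scope where the original clearly intended an `if`-scoped initializer; `if err := copy.Copy(filepath.Join(clusterDir, kubeCACertPath), filepath.Join(clusterDir, ingressCACertPath)); err != nil {` keeps the check bound to the call it reports on and cannot pick up an earlier result. This is a style point only; the etcd-client-ca copies added earlier in GenerateTLSConfig use the same assignment form and would follow suit. GenerateTLSConfig continues outside the hunk.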
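Review bot: Removing `destroyTLSAssetsStep` from DestroyWorkflow drops the only step here that cleaned up the step directory named by the deleted `tlsStep` constant, yet nothing in the diff adds cleanup for the `generated/tls` directory that generateTLSConfigStep now fills with CA and leaf private keys. If `destroyAssetsStep` does not already remove that directory (its implementation is outside this diff), a destroyed cluster leaves its signing keys on disk. A step that removes `filepath.Join(m.clusterDir, tlsPath)`, or a comment on DestroyWorkflow confirming that the assets step covers it, would settle that. DestroyWorkflow starts before this hunk.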
@@ -44,18 +44,6 @@ func InstallTLSNewWorkflow(clusterDir string) Workflow {
 	}
 }
-// InstallTLSWorkflow creates the TLS assets, previously created by the
-// "assets" step
-func InstallTLSWorkflow(clusterDir string) Workflow {
-	return Workflow{
-		metadata: metadata{clusterDir: clusterDir},
-		steps: []Step{
-			refreshConfigStep,
-			installTLSAssetsStep,
-		},
-	}
-}
-
 // InstallAssetsWorkflow creates new instances of the 'assets' workflow,
 // responsible for running the actions necessary to generate cluster assets.
 func InstallAssetsWorkflow(clusterDir string) Workflow {
@@ -106,11 +94,6 @@ func refreshConfigStep(m *metadata) error {
 	return generateTerraformVariablesStep(m)
 }
-func installTLSAssetsStep(m *metadata) error {
-	return runInstallStep(m, tlsStep)
-
-}
-
 func installAssetsStep(m *metadata) error {
 	return runInstallStep(m, assetsStep)
 }
@@ -166,8 +149,8 @@ func generateIgnConfigStep(m *metadata) error {
 }
 func generateTLSConfigStep(m *metadata) error {
-	if err := os.MkdirAll(filepath.Join(m.clusterDir, newTLSPath), os.ModeDir|0755); err != nil {
-		return fmt.Errorf("failed to create TLS directory at %s", newTLSPath)
+	if err := os.MkdirAll(filepath.Join(m.clusterDir, tlsPath), os.ModeDir|0755); err != nil {
+		return fmt.Errorf("failed to create TLS directory at %s", tlsPath)
 	}
 	c := configgenerator.New(m.cluster)
diff --git a/installer/pkg/workflow/utils.go b/installer/pkg/workflow/utils.go
index ec4b7d739f6..b52a32d0124 100644
--- a/installer/pkg/workflow/utils.go
+++ b/installer/pkg/workflow/utils.go
@@ -22,9 +22,8 @@ const (
 	internalFileName = "internal.yaml"
 	joinWorkersStep = "joining_workers"
 	mastersStep = "masters"
-	newTLSStep = "newtls"
+	newTLSStep = "tls"
 	stepsBaseDir = "steps"
-	tlsStep = "tls"
 	tncDNSStep = "tnc_dns"
 	topologyStep = "topology"
 )
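Review bot: The rewritten error return in generateTLSConfigStep still discards the `err` from os.MkdirAll and reports the relative `tlsPath` rather than the directory actually attempted, so a permissions or disk failure surfaces as a bare "failed to create TLS directory at generated/tls" with no cause. Since the line is being touched anyway, `return fmt.Errorf("failed to create TLS directory at %s: %v", filepath.Join(m.clusterDir, tlsPath), err)` gives the operator both the real path and the reason. generateTLSConfigStep continues past the hunk.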