diff --git a/installer/pkg/config-generator/tls.go b/installer/pkg/config-generator/tls.go
index f644a366741..da0816be424 100644
--- a/installer/pkg/config-generator/tls.go
+++ b/installer/pkg/config-generator/tls.go
@@ -36,6 +36,8 @@ const (
 kubeCAKeyPath = "generated/tls/kube-ca.key"
 kubeletCertPath = "generated/tls/kubelet.crt"
 kubeletKeyPath = "generated/tls/kubelet.key"
+ clusterAPIServerCertPath = "generated/tls/cluster-apiserver-ca.crt"
+ clusterAPIServerKeyPath = "generated/tls/cluster-apiserver-ca.key"
 osAPIServerCertPath = "generated/tls/openshift-apiserver.crt"
 osAPIServerKeyPath = "generated/tls/openshift-apiserver.key"
 rootCACertPath = "generated/tls/root-ca.crt"
@@ -253,6 +255,18 @@ func (c *ConfigGenerator) GenerateTLSConfig(clusterDir string) error {
 if _, _, err := generateCert(clusterDir, caKey, caCert, tncKeyPath, tncCertPath, cfg, false); err != nil {
 return fmt.Errorf("failed to generate tnc certificate: %v", err)
 }
+
+ // Cluster API cert
+ cfg = &tls.CertCfg{
+ Subject: pkix.Name{CommonName: "cluster-apiserver", OrganizationalUnit: []string{"bootkube"}},
+ KeyUsages: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+ Validity: validityTenYears,
+ IsCA: true,
+ }
+ if _, _, err := generateCert(clusterDir, aggregatorCAKey, aggregatorCACert, clusterAPIServerKeyPath, clusterAPIServerCertPath, cfg, true); err != nil {
+ return fmt.Errorf("failed to generate cluster-apiserver CA: %v", err)
+ }
+
 return nil
 }
diff --git a/modules/bootkube/manifests.tf b/modules/bootkube/manifests.tf
index e196bdddb60..52021081649 100644
--- a/modules/bootkube/manifests.tf
+++ b/modules/bootkube/manifests.tf
@@ -11,6 +11,7 @@ variable "manifest_names" {
 "kube-controller-manager-secret.yaml",
 "node-config-kind.yaml",
 "openshift-apiserver-secret.yaml",
+ "cluster-apiserver-secret.yaml",
 "pull.json",
 "tectonic-network-operator.yaml",
 "tectonic-node-controller-operator.yaml",
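Review bot: The two constants added in the first hunk name a CA pair (`cluster-apiserver-ca.crt` / `cluster-apiserver-ca.key`) but are called `clusterAPIServerCertPath` / `clusterAPIServerKeyPath`, while the neighbouring `kubeCAKeyPath` spells `CA` into the identifier; a reader of GenerateTLSConfig will take them for a leaf serving certificate. Renaming to `clusterAPIServerCACertPath = "generated/tls/cluster-apiserver-ca.crt"` and `clusterAPIServerCAKeyPath = "generated/tls/cluster-apiserver-ca.key"`, with the two uses in the second hunk updated, keeps the file's convention and makes the later review point about the key obvious at the call site.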
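Review bot: The certificate built in the new block of GenerateTLSConfig is a CA (`IsCA: true`, `x509.KeyUsageCertSign`, ten-year validity) issued by the aggregator CA, and the cluster-apiserver-secret.yaml hunk later in this commit ships its private key as the `tls.key` of a `kubernetes.io/tls` Secret, so whatever mounts that Secret holds a key that can sign certificates chaining to the aggregator CA. If a serving pair for the cluster-apiserver is intended, the cfg should drop `IsCA` and `KeyUsageCertSign` and carry the server's DNS names (no SAN list is visible in the cfg, and whether generateCert adds one is outside the hunk); if a subordinate CA is really intended, its key should stay with the signer rather than travel in a serving Secret. The comment `// Cluster API cert` and the error string "cluster-apiserver CA" disagree about which of the two this is; settle it and say so, e.g. `// cluster-apiserver CA, issued by the aggregator CA; its key is rendered into cluster-apiserver-secret.yaml`. The trailing `true` also differs from the `false` passed in the tnc call just above, and what that flag controls cannot be seen here.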
@@ -42,6 +43,8 @@ data "template_file" "manifest_file_list" {
 openshift_apiserver_cert = "${base64encode(var.openshift_apiserver_cert_pem)}"
 apiserver_proxy_key = "${base64encode(var.apiserver_proxy_key_pem)}"
 apiserver_proxy_cert = "${base64encode(var.apiserver_proxy_cert_pem)}"
+ clusterapi_ca_cert = "${base64encode(var.clusterapi_ca_cert_pem)}"
+ clusterapi_ca_key = "${base64encode(var.clusterapi_ca_key_pem)}"
 oidc_ca_cert = "${base64encode(var.oidc_ca_cert)}"
 pull_secret = "${base64encode(file(var.pull_secret_path))}"
 serviceaccount_pub = "${base64encode(tls_private_key.service_account.public_key_pem)}"
diff --git a/modules/bootkube/resources/manifests/cluster-apiserver-secret.yaml b/modules/bootkube/resources/manifests/cluster-apiserver-secret.yaml
new file mode 100644
index 00000000000..d019b3b0028
--- /dev/null
+++ b/modules/bootkube/resources/manifests/cluster-apiserver-secret.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/tls
+metadata:
+ name: cluster-apiserver-certs
+ namespace: default
+ labels:
+ api: clusterapi
+ apiserver: "true"
+data:
+ tls.crt: ${clusterapi_ca_cert}
+ tls.key: ${clusterapi_ca_key}
diff --git a/modules/bootkube/variables.tf b/modules/bootkube/variables.tf
index 6aba3969555..35ad4242325 100644
--- a/modules/bootkube/variables.tf
+++ b/modules/bootkube/variables.tf
@@ -135,6 +135,14 @@ variable "oidc_ca_cert" {
 type = "string"
 }
+variable "clusterapi_ca_cert_pem" {
+ type = "string"
+}
+
+variable "clusterapi_ca_key_pem" {
+ type = "string"
+}
+
 variable "service_cidr" {
 description = "A CIDR notation IP range from which to assign service cluster IPs"
 type = "string"
diff --git a/steps/assets/base/ignition-tls.tf b/steps/assets/base/ignition-tls.tf
index 9115c422a2a..c6105216c80 100644
--- a/steps/assets/base/ignition-tls.tf
+++ b/steps/assets/base/ignition-tls.tf
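Review bot: The new Secret puts the cluster-apiserver CA private key (generated with `x509.KeyUsageCertSign` in the tls.go hunk) into `namespace: default` under `type: kubernetes.io/tls`, so any service account with secret read in `default` — the namespace ordinary workloads land in — can recover a signing key, and a consumer reading `tls.crt`/`tls.key` will treat it as a plain serving pair. The namespaces of the sibling bootkube secrets are not visible here; if they sit in a control-plane namespace, this manifest should follow them. Whichever namespace is chosen, a leading comment such as `# tls.key is the cluster-apiserver CA key, not a serving key` would stop the next reader from mounting it as one.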
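Review bot: The two new variables in variables.tf carry no `description`, unlike `service_cidr` two lines below, and nothing tells a module user that one of them is a CA private key. A one-line description on each, e.g. `description = "PEM-encoded cluster-apiserver CA private key; rendered into the cluster-apiserver-certs Secret"` and the matching sentence for the certificate, documents what the module does with the value.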
@@ -75,6 +75,28 @@ data "ignition_file" "service_serving_ca_cert" {
 path = "/opt/tectonic/tls/service-serving-ca.crt"
 }
+data "ignition_file" "clusterapi_ca_key" {
+ filesystem = "root"
+ mode = "0600"
+
+ content {
+ content = "${local.clusterapi_ca_key_pem}"
+ }
+
+ path = "/opt/tectonic/tls/cluster-apiserver-ca.key"
+}
+
+data "ignition_file" "clusterapi_ca_cert" {
+ filesystem = "root"
+ mode = "0644"
+
+ content {
+ content = "${local.clusterapi_ca_cert_pem}"
+ }
+
+ path = "/opt/tectonic/tls/cluster-apiserver-ca.crt"
+}
+
 data "ignition_file" "etcd_ca_key" {
 filesystem = "root"
 mode = "0600"
@@ -264,6 +286,8 @@ locals {
 "${data.ignition_file.service_serving_ca_cert.id}",
 "${data.ignition_file.etcd_ca_key.id}",
 "${data.ignition_file.etcd_ca_cert.id}",
+ "${data.ignition_file.clusterapi_ca_key.id}",
+ "${data.ignition_file.clusterapi_ca_cert.id}",
 ]
 etcd_certs_ignition_file_id_list = [
diff --git a/steps/assets/base/inputs.tf b/steps/assets/base/inputs.tf
index 5521df3b38a..6c41e6a8d7e 100644
--- a/steps/assets/base/inputs.tf
+++ b/steps/assets/base/inputs.tf
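Review bot: `data "ignition_file" "clusterapi_ca_key"` writes the CA private key to `/opt/tectonic/tls/cluster-apiserver-ca.key` on every node that receives this ignition config, in addition to the copy the bootkube module renders into cluster-apiserver-secret.yaml, so the key now has two distribution paths. The `0600` mode matches the neighbouring `etcd_ca_key`, but nothing in the hunk says which on-node component reads the file; if none does, the two `ignition_file` blocks and the two ids appended in the `locals` hunk at @@ -264 can be dropped so the key exists only in the Secret. If something does consume it, a comment on the block naming that consumer, e.g. `# read by <component> during bootstrap — TODO confirm`, justifies the extra copy.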
@@ -1,17 +1,14 @@
 locals {
- tls_path = "${path.cwd}/generated/tls"
 admin_cert_pem = "${file("${local.tls_path}/admin.crt")}"
 admin_key_pem = "${file("${local.tls_path}/admin.key")}"
 aggregator_ca_cert_pem = "${file("${local.tls_path}/aggregator-ca.crt")}"
 aggregator_ca_key_pem = "${file("${local.tls_path}/aggregator-ca.key")}"
- service_serving_ca_cert_pem = "${file("${local.tls_path}/service-serving-ca.crt")}"
- service_serving_ca_key_pem = "${file("${local.tls_path}/service-serving-ca.key")}"
 apiserver_cert_pem = "${file("${local.tls_path}/apiserver.crt")}"
 apiserver_key_pem = "${file("${local.tls_path}/apiserver.key")}"
- openshift_apiserver_cert_pem = "${file("${local.tls_path}/openshift-apiserver.crt")}"
- openshift_apiserver_key_pem = "${file("${local.tls_path}/openshift-apiserver.key")}"
 apiserver_proxy_cert_pem = "${file("${local.tls_path}/apiserver-proxy.crt")}"
 apiserver_proxy_key_pem = "${file("${local.tls_path}/apiserver-proxy.key")}"
+ clusterapi_ca_cert_pem = "${file("${local.tls_path}/cluster-apiserver-ca.crt")}"
+ clusterapi_ca_key_pem = "${file("${local.tls_path}/cluster-apiserver-ca.key")}"
 etcd_ca_cert_pem = "${file("${local.tls_path}/etcd-client-ca.crt")}"
 etcd_ca_key_pem = "${file("${local.tls_path}/etcd-client-ca.key")}"
 etcd_client_cert_pem = "${file("${local.tls_path}/etcd-client.crt")}"
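Review bot: The hunk interleaves the functional addition of `clusterapi_ca_cert_pem` / `clusterapi_ca_key_pem` with an alphabetical reorder of existing locals: `tls_path`, the two `service_serving_ca_*` and the two `openshift_apiserver_*` entries are removed here and re-added in the @@ -23 hunk, so a file that needed two additions shows five deletions that look like dropped certificate inputs. The same pattern repeats in the two tectonic.tf hunks, where `tnc_cert_pem` / `tnc_key_pem` and four other module arguments move rather than change. Keeping the existing order, or putting the reorder in its own commit, would let a reviewer confirm at a glance that no key or certificate input was lost. Moving `tls_path` below its first use is harmless because Terraform does not evaluate `locals` in source order, but that is worth a sentence in the commit message.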
@@ -23,8 +20,13 @@ locals {
 kube_ca_key_pem = "${file("${local.tls_path}/kube-ca.key")}"
 kubelet_cert_pem = "${file("${local.tls_path}/kubelet.crt")}"
 kubelet_key_pem = "${file("${local.tls_path}/kubelet.key")}"
- tnc_cert_pem = "${file("${local.tls_path}/tnc.crt")}"
- tnc_key_pem = "${file("${local.tls_path}/tnc.key")}"
 oidc_ca_cert = "${file("${local.tls_path}/ingress-ca.crt")}"
+ openshift_apiserver_cert_pem = "${file("${local.tls_path}/openshift-apiserver.crt")}"
+ openshift_apiserver_key_pem = "${file("${local.tls_path}/openshift-apiserver.key")}"
 root_ca_cert_pem = "${file("${local.tls_path}/root-ca.crt")}"
+ service_serving_ca_cert_pem = "${file("${local.tls_path}/service-serving-ca.crt")}"
+ service_serving_ca_key_pem = "${file("${local.tls_path}/service-serving-ca.key")}"
+ tls_path = "${path.cwd}/generated/tls"
+ tnc_cert_pem = "${file("${local.tls_path}/tnc.crt")}"
+ tnc_key_pem = "${file("${local.tls_path}/tnc.key")}"
 }
diff --git a/steps/assets/base/tectonic.tf b/steps/assets/base/tectonic.tf
index 01b744fa85e..dca6accd5ca 100644
--- a/steps/assets/base/tectonic.tf
+++ b/steps/assets/base/tectonic.tf
@@ -25,12 +25,8 @@ module "bootkube" {
 admin_key_pem = "${local.admin_key_pem}"
 aggregator_ca_cert_pem = "${local.aggregator_ca_cert_pem}"
 aggregator_ca_key_pem = "${local.aggregator_ca_key_pem}"
- service_serving_ca_cert_pem = "${local.service_serving_ca_cert_pem}"
- service_serving_ca_key_pem = "${local.service_serving_ca_key_pem}"
 apiserver_cert_pem = "${local.apiserver_cert_pem}"
 apiserver_key_pem = "${local.apiserver_key_pem}"
- openshift_apiserver_cert_pem = "${local.openshift_apiserver_cert_pem}"
- openshift_apiserver_key_pem = "${local.openshift_apiserver_key_pem}"
 apiserver_proxy_cert_pem = "${local.apiserver_proxy_cert_pem}"
 apiserver_proxy_key_pem = "${local.apiserver_proxy_key_pem}"
 etcd_ca_cert_pem = "${local.etcd_ca_cert_pem}"
@@ -40,10 +36,16 @@ module "bootkube" {
 kube_ca_key_pem = "${local.kube_ca_key_pem}"
 kubelet_cert_pem = "${local.kubelet_cert_pem}"
 kubelet_key_pem = "${local.kubelet_key_pem}"
- tnc_cert_pem = "${local.tnc_cert_pem}"
- tnc_key_pem = "${local.tnc_key_pem}"
+ clusterapi_ca_cert_pem = "${local.clusterapi_ca_cert_pem}"
+ clusterapi_ca_key_pem = "${local.clusterapi_ca_key_pem}"
 oidc_ca_cert = "${local.oidc_ca_cert}"
+ openshift_apiserver_cert_pem = "${local.openshift_apiserver_cert_pem}"
+ openshift_apiserver_key_pem = "${local.openshift_apiserver_key_pem}"
 root_ca_cert_pem = "${local.root_ca_cert_pem}"
+ service_serving_ca_cert_pem = "${local.service_serving_ca_cert_pem}"
+ service_serving_ca_key_pem = "${local.service_serving_ca_key_pem}"
+ tnc_cert_pem = "${local.tnc_cert_pem}"
+ tnc_key_pem = "${local.tnc_key_pem}"
 etcd_endpoints = "${data.template_file.etcd_hostname_list.*.rendered}"
 }