diff --git a/ansible/roles/kubernetes-master/defaults/main.yml b/ansible/roles/kubernetes-master/defaults/main.yml
index d178a07..a192850 100644
--- a/ansible/roles/kubernetes-master/defaults/main.yml
+++ b/ansible/roles/kubernetes-master/defaults/main.yml
@@ -8,3 +8,6 @@ kubernetes_master_kubeadm_config:
   apiServerCertSANs: "{{ kubernetes_common_api_ip | kube_lookup_hostname(kubernetes_common_api_fqdn, True) }}"
   etcd:
     endpoints: "{{ etcd_client_endpoints }}"
+    caFile: "/etc/kubernetes/pki/etcd/ca.crt"
+    certFile: "/etc/kubernetes/pki/apiserver-etcd-client.crt"
+    keyFile: "/etc/kubernetes/pki/apiserver-etcd-client.key"
diff --git a/ansible/roles/kubernetes-master/tasks/main.yml b/ansible/roles/kubernetes-master/tasks/main.yml
index e6c8914..4742f8a 100644
--- a/ansible/roles/kubernetes-master/tasks/main.yml
+++ b/ansible/roles/kubernetes-master/tasks/main.yml
@@ -4,6 +4,33 @@
     path: /etc/kubernetes/manifests/kube-apiserver.yaml
   register: kubeadm_apiserver_manifest
 
+- name: create kubernetes pki directory
+  file:
+    dest: /etc/kubernetes/pki/etcd
+    state: directory
+    owner: root
+    group: root
+
+- name: slurp the etcd pki assets destined for the masters
+  slurp: src=/etc/kubernetes/pki/{{ item }}
+  with_items:
+    - apiserver-etcd-client.crt
+    - apiserver-etcd-client.key
+    - etcd/ca.crt
+  register: etcd_ca_pki
+  delegate_to: "{{ groups['etcd']|first }}"
+  run_once: true
+
+- name: add etcd pki assets
+  no_log: True
+  copy:
+    dest: "{{ item.source }}"
+    content: "{{ item.content | b64decode }}"
+    owner: root
+    group: root
+    mode: 0700
+  with_items: "{{ etcd_ca_pki.results }}"
+
 - name: drop kubeadm template
   template:
     src: etc/kubernetes/kubeadm.conf
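Review bot: The new `caFile`/`certFile`/`keyFile` entries only take effect if every URL in `etcd_client_endpoints` uses the `https://` scheme; with plain `http://` endpoints the apiserver will keep talking to etcd in cleartext and silently ignore the client certificate, so it is worth asserting that in the role (for example a pre-task that fails when any endpoint does not start with `https://`). The variable is defined outside this hunk, so I cannot confirm its current scheme from here. A short comment above `caFile:` such as `# etcd mTLS: endpoints above must be https:// for these to be used` would make the coupling explicit.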
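Review bot: `mode: 0700` in the "add etcd pki assets" task makes the apiserver's etcd client private key (and the CA certificate) executable, which is unnecessary; a key file should be `0600`, and the value should be quoted so YAML does not interpret the leading-zero literal, i.e. `mode: "0600"`. If the CA certificate is meant to be readable by other components, split the loop or use a conditional mode so that only `apiserver-etcd-client.key` is restricted; as written all three files get the same permissions. The preceding `slurp: src=/etc/kubernetes/pki/{{ item }}` uses the legacy key=value argument string; native YAML arguments (`slurp:` / `src: "/etc/kubernetes/pki/{{ item }}"`) match the rest of the role and avoid a bare Jinja expression inside an unquoted scalar. Note that `no_log: True` on the copy task is correct here because the base64-decoded key would otherwise appear in verbose output.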