diff --git a/pkg/cluster/cluster.go b/pkg/cluster/cluster.go
index 8a7af7321c89de7adb3c5eb85162fb929a767871..4eec915b00c23eb67da7a7c5c65a9fb6e625723c 100644
--- a/pkg/cluster/cluster.go
+++ b/pkg/cluster/cluster.go
@@ -27,7 +27,7 @@ func New(settings *ClusterSettings, node *NodeSettings) *Cluster {
 		node:       node,
 		networking: NewClusterNetworking(settings.Name, node.Name),
 		ml:         sml.New[HeptoMeta, HeptoState](node.Name, node.IP, node.Port, node.Anchors, settings.Key),
-		pki:        &pki.ClusterCA{},
+		pki:        pki.EmptyClusterCA(),
 		services:   NewClusterServices(),
 	}
 }
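Review bot: `pki.EmptyClusterCA()` on this line is now the only thing keeping `mergeCert` from dereferencing a nil `local`, because the pkg/pki/utils.go hunk removes the nil branch and goes straight to `local.CSR`. A ClusterCA that reaches Merge as the receiver with a nil field would panic, for example one built as `&pki.ClusterCA{}` elsewhere or decoded from JSON with a missing key. A guard at the top of mergeCert such as `if local == nil { return false }` would make the precondition explicit, as would a doc comment on ClusterCA stating that TLS, Kubelet and API are never nil. New begins above this hunk, so other fields were not reviewed.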
diff --git a/pkg/cluster/services.go b/pkg/cluster/services.go
index d5e5f917afb5f1def1e32815d55590e6f5228547..d3269a48bcc28c5829ff3a3698ab02d2799b7068 100644
--- a/pkg/cluster/services.go
+++ b/pkg/cluster/services.go
@@ -112,7 +112,7 @@ func (s *ClusterServices) startK8sMaster(net *ClusterNetworking, ca *pki.Cluster
 	}
 	schedulerConfig := KubeConfig{
 		URL:        fmt.Sprintf("https://[%s]:6443", net.NodeAddress.IP.String()),
-		CACert:     ca.API.CertPath(),
+		CACert:     ca.TLS.CertPath(),
 		ClientCert: certs.SchedulerAPI.CertPath(),
 		ClientKey:  certs.SchedulerAPI.KeyPath(),
 	}
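Review bot: The switch of `CACert` to `ca.TLS.CertPath()` in schedulerConfig has no comment saying which of the three CAs signs the apiserver serving certificate, and that is what this field must match for the scheduler to verify the endpoint at port 6443. If the intent is that the TLS CA issues server certificates and the API CA only signs client certificates, say so next to the field, e.g. `// CACert: trust anchor for the apiserver serving cert (TLS CA); ca.API signs client certs only`. startK8sMaster starts and continues outside this hunk, so any other KubeConfig values built there should be checked for a remaining `ca.API.CertPath()`.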
diff --git a/pkg/pki/ca.go b/pkg/pki/ca.go
index 4fe3116744e0d90b4ae6945d5da9f23124c4243b..d4ad8266025d75cbb25f0431ec0f69651af0ede4 100644
--- a/pkg/pki/ca.go
+++ b/pkg/pki/ca.go
@@ -14,6 +14,7 @@ type ClusterCA struct {
 	API *pekahi.Certificate `json:"api"`
 }
 
+// Cluster CA as it is held by the master node
 func NewClusterCA(path string) (*ClusterCA, error) {
 	bundle, err := pekahi.NewFileBundle(path)
 	if err != nil {
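Review bot: The new comment above NewClusterCA does not follow the Go doc-comment form: it should open with the function name and say what the call does with `path`. Something like `// NewClusterCA builds the cluster CA held by the master node from the file bundle at path.` would show up correctly in godoc, with the wording adjusted to what pekahi.NewFileBundle actually does. The same applies to the comments added in the next hunk, `// Empty CA for receiving certificates` on EmptyClusterCA and `// Merge the CA` on Merge. The body of NewClusterCA continues outside this hunk.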
@@ -34,7 +35,16 @@ func NewClusterCA(path string) (*ClusterCA, error) {
 	return &ClusterCA{tlsCA, kubeletCA, apiserverCA}, nil
 }
 
-// Merge PKI
+// Empty CA for receiving certificates
+func EmptyClusterCA() *ClusterCA {
+	return &ClusterCA{
+		TLS:     &pekahi.Certificate{},
+		Kubelet: &pekahi.Certificate{},
+		API:     &pekahi.Certificate{},
+	}
+}
+
+// Merge the CA
 func (n *ClusterCA) Merge(remote *ClusterCA) bool {
 	change := mergeCert(n.TLS, remote.TLS)
 	change = change || mergeCert(n.Kubelet, remote.Kubelet)
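Review bot: In Merge, `change = change || mergeCert(n.Kubelet, remote.Kubelet)` short-circuits, so once the TLS merge reports a change the Kubelet merge is not called at all, nor is any later merge written the same way. With EmptyClusterCA every local certificate starts empty, so a fresh node presumably imports only the TLS entry on its first merge and picks up the others on later rounds. Evaluate the call first so each certificate is always merged: `change = mergeCert(n.Kubelet, remote.Kubelet) || change`. Merge's body continues past the end of this hunk.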
diff --git a/pkg/pki/utils.go b/pkg/pki/utils.go
index f36ed29a8db54bb4893e38ae05933bf61b255a98..7fe80b40700af873ecca6ee9ab28c757b61e9fe8 100644
--- a/pkg/pki/utils.go
+++ b/pkg/pki/utils.go
@@ -14,11 +14,6 @@ func mergeCert(local *pekahi.Certificate, remote *pekahi.Certificate) bool {
 	if remote == nil {
 		return change
 	}
-	// Create local certificate if required
-	if local == nil && remote != nil {
-		*local = pekahi.Certificate{}
-		change = true
-	}
 	// Import CSR to master for signing
 	if local.CSR == nil && remote.CSR != nil {
 		local.CSR = remote.CSR