diff --git a/pkg/cluster/services.go b/pkg/cluster/services.go
index 1ee6299ca39dfcdf4c9c621bb91d880d052c7c4a..00d21e580f8f83c51a2d70e555744c5393a4f550 100644
--- a/pkg/cluster/services.go
+++ b/pkg/cluster/services.go
@@ -56,7 +56,7 @@ func (s *ClusterServices) startK8sMaster(pki *ClusterPKI, certs *MasterCerts) {
 		"--bind-address", "::",
 		"--tls-cert-file", certs.Service.CertPath(),
 		"--tls-private-key-file", certs.Service.KeyPath(),
-		"--client-ca-file", pki.API.Path,
+		"--client-ca-file", pki.API.CertPath(),
 		"--kubelet-certificate-authority", pki.Kubelet.CertPath(),
 		"--kubelet-client-certificate", certs.Kubelet.CertPath(),
 		"--kubelet-client-key", certs.Kubelet.KeyPath(),
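Review bot: The `Path` field that the `--client-ca-file` line read before this change is presumably still exported on the type of `pki.API`, so the same mix-up can recur at another call site. The type's definition is not visible here, but if `Path` holds a base path rather than a certificate file, unexporting or renaming it would let the compiler catch such uses. Because `--client-ca-file` decides which client certificates kube-apiserver will accept, a short comment above the flag would help, for example `// CA that signs client certs accepted by the API server; must be the cert file, not the PKI base path`. The body of startK8sMaster begins and ends outside the hunk.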
diff --git a/pkg/pki/io.go b/pkg/pki/io.go
index 6e72fc33c721165f047c85419581d57e2d232f2a..8bb62922cc9dc5dcea0f500fd8e87dd424c03d36 100644
--- a/pkg/pki/io.go
+++ b/pkg/pki/io.go
@@ -29,7 +29,7 @@ func (f FileIO) blockFor(t Type) *pem.Block {
 	var blockType string
 	switch t {
 	case KeyType:
-		blockType = "ECDSA PRIVATE KEY"
+		blockType = "EC PRIVATE KEY"
 	case CertType:
 		blockType = "CERTIFICATE"
 	case CSRType:
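Review bot: The `EC PRIVATE KEY` label in the `KeyType` case is only correct if the block's bytes are SEC 1 / RFC 5915 DER, which is what `x509.MarshalECPrivateKey` produces. A PKCS#8 encoding would need `PRIVATE KEY` instead, and the marshalling call is outside this hunk, so the pairing should be confirmed. If the read path compares a decoded block's type against the result of blockFor, key files already written with the old `ECDSA PRIVATE KEY` label would stop loading, and the reader may need to accept both labels during migration. A comment on the assignment such as `// RFC 5915 label; must match x509.MarshalECPrivateKey output` would record the coupling. The body of blockFor continues past the hunk.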