diff --git a/pkg/cmd/init.go b/pkg/cmd/init.go
index 51f75cc173..ca9e44de80 100644
--- a/pkg/cmd/init.go
+++ b/pkg/cmd/init.go
@@ -343,8 +343,11 @@ func certSetup(cfg *config.MicroshiftConfig) (*certchains.CertificateChains, err
 return nil, err
 }
 
- if err := util.GenKeys(filepath.Join(microshiftDataDir, "/resources/kube-apiserver/secrets/service-account-key"),
- "service-account.crt", "service-account.key"); err != nil {
+ saKeyDir := filepath.Join(microshiftDataDir, "/resources/kube-apiserver/secrets/service-account-key")
+ if err := util.EnsureKeyPair(
+ filepath.Join(saKeyDir, "service-account.pub"),
+ filepath.Join(saKeyDir, "service-account.key"),
+ ); err != nil {
 return nil, err
 }
 
diff --git a/pkg/controllers/kube-apiserver.go b/pkg/controllers/kube-apiserver.go
index 194b7c8bf9..cef25e22be 100644
--- a/pkg/controllers/kube-apiserver.go
+++ b/pkg/controllers/kube-apiserver.go
@@ -205,7 +205,7 @@ func (s *KubeAPIServer) configure(cfg *config.MicroshiftConfig) error {
 },
 },
 ServiceAccountPublicKeyFiles: []string{
- microshiftDataDir + "/resources/kube-apiserver/secrets/service-account-key/service-account.crt",
+ microshiftDataDir + "/resources/kube-apiserver/secrets/service-account-key/service-account.pub",
 },
 ServicesSubnet: cfg.Cluster.ServiceCIDR,
 ServicesNodePortRange: cfg.Cluster.ServiceNodePortRange,
diff --git a/pkg/util/cert.go b/pkg/util/cert.go
index 4c8a8829e4..c4821ec1af 100644
--- a/pkg/util/cert.go
+++ b/pkg/util/cert.go
@@ -22,7 +22,6 @@ import (
 "encoding/pem"
 "fmt"
 "io/ioutil"
- "path/filepath"
 "time"
 
 "github.com/pkg/errors"
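Review bot: A data directory provisioned by the previous code holds service-account.crt but no service-account.pub, so on upgrade the new EnsureKeyPair call cannot load the public key and falls through to GenKeys, which writes a fresh pair over the existing service-account.key; service-account tokens signed with the old key would then stop validating, unless a migration elsewhere renames the old file (not visible here). Consider renaming the legacy .crt file to .pub in place before calling EnsureKeyPair, or accepting the old name as a fallback, so an in-place upgrade keeps its signing key. certSetup starts and ends outside the hunk.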
@@ -41,8 +40,16 @@ const (
 ValidityTenYears = 10 * ValidityOneYear
 )
 
+func EnsureKeyPair(pubKeyPath, privKeyPath string) error {
+ if _, err := getKeyPair(pubKeyPath, privKeyPath); err == nil {
+ return nil
+ }
+
+ return GenKeys(pubKeyPath, privKeyPath)
+}
+
 // GenKeys generates and save rsa keys
-func GenKeys(dir, pubFilename, keyFilename string) error {
+func GenKeys(pubPath, keyPath string) error {
 rsaKey, err := rsa.GenerateKey(rand.Reader, keySize)
 if err != nil {
 return errors.Wrap(err, "error generating RSA private key")
@@ -58,9 +65,6 @@ func GenKeys(dir, pubFilename, keyFilename string) error {
 return err
 }
 
- keyPath := filepath.Join(dir, keyFilename)
- pubPath := filepath.Join(dir, pubFilename)
-
 if err := keyutil.WriteKey(keyPath, keyPEM); err != nil {
 return fmt.Errorf("failed to write the private key to %s: %v", keyPath, err)
 }
@@ -84,3 +88,29 @@ func PublicKeyToPem(key *rsa.PublicKey) ([]byte, error) {
 )
 return keyinPem, nil
 }
+
+func getKeyPair(pubKeyPath, privKeyPath string) (*rsa.PrivateKey, error) {
+ pubKeys, err := keyutil.PublicKeysFromFile(pubKeyPath)
+ if err != nil {
+ return nil, fmt.Errorf("failed to read public key: %w", err)
+ }
+ if len(pubKeys) > 1 {
+ return nil, fmt.Errorf("too many pub keys in file %s", pubKeyPath)
+ }
+
+ privKey, err := keyutil.PrivateKeyFromFile(privKeyPath)
+ if err != nil {
+ return nil, fmt.Errorf("failed to read private key: %w", err)
+ }
+
+ rsaPrivKey, ok := privKey.(*rsa.PrivateKey)
+ if !ok {
+ return nil, fmt.Errorf("only RSA private keys are currently supported")
+ }
+
+ if !rsaPrivKey.PublicKey.Equal(pubKeys[0].(*rsa.PublicKey)) {
+ return nil, fmt.Errorf("public and private keys don't match")
+ }
+
+ return rsaPrivKey, nil
+}
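Review bot: EnsureKeyPair discards the getKeyPair error, so any failure — an unreadable or corrupted public-key file, a mismatched pair, a non-RSA private key — leads straight to GenKeys, which writes a fresh pair over whatever is at privKeyPath, destroying key material that a permissions or parse problem should have surfaced instead. Only a missing file should trigger generation: `if _, err := getKeyPair(pubKeyPath, privKeyPath); err == nil { return nil } else if !errors.Is(err, fs.ErrNotExist) { return err }` (getKeyPair wraps with %w so the os error is reachable; the file imports github.com/pkg/errors under the name errors, so this needs the standard-library package or a version that forwards Is, plus "io/fs"). The exported function also has no doc comment; a suitable one is `// EnsureKeyPair loads the RSA key pair at pubKeyPath and privKeyPath and generates a new pair when it cannot be loaded.`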
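Review bot: The type assertion `pubKeys[0].(*rsa.PublicKey)` in getKeyPair is unchecked, so a public-key file holding a non-RSA key (keyutil.PublicKeysFromFile also parses ECDSA keys, as far as I recall) panics the process at startup instead of returning an error. rsa.PublicKey.Equal already takes a crypto.PublicKey and returns false for other key types, so the assertion can simply be dropped: `if !rsaPrivKey.PublicKey.Equal(pubKeys[0]) {`. The zero-key case is presumably rejected inside PublicKeysFromFile before the index, but that is not visible here, so a `len(pubKeys) != 1` check would make the function self-contained.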