diff --git a/roles/vault/tasks/bootstrap/main.yml b/roles/vault/tasks/bootstrap/main.yml
index fdecbdd2a..7ca82a9c4 100644
--- a/roles/vault/tasks/bootstrap/main.yml
+++ b/roles/vault/tasks/bootstrap/main.yml
@@ -57,6 +57,7 @@
 gen_ca_mount_path: "{{ vault_pki_mounts.etcd.name }}"
 gen_ca_vault_headers: "{{ vault_headers }}"
 gen_ca_vault_options: "{{ vault_ca_options.etcd }}"
+ gen_ca_copy_group: "etcd"
 when: inventory_hostname in groups.etcd and vault_etcd_ca_cert_needed
 - import_tasks: gen_vault_certs.yml
diff --git a/roles/vault/tasks/cluster/main.yml b/roles/vault/tasks/cluster/main.yml
index d904c2398..65b9dae9b 100644
--- a/roles/vault/tasks/cluster/main.yml
+++ b/roles/vault/tasks/cluster/main.yml
@@ -32,6 +32,7 @@
 gen_ca_mount_path: "{{ vault_pki_mounts.kube.name }}"
 gen_ca_vault_headers: "{{ vault_headers }}"
 gen_ca_vault_options: "{{ vault_ca_options.kube }}"
+ gen_ca_copy_group: "kube-master"
 when: inventory_hostname in groups.vault
 - include_tasks: ../shared/auth_backend.yml
diff --git a/roles/vault/tasks/shared/gen_ca.yml b/roles/vault/tasks/shared/gen_ca.yml
index 654cc3ff3..77f2f82b9 100644
--- a/roles/vault/tasks/shared/gen_ca.yml
+++ b/roles/vault/tasks/shared/gen_ca.yml
@@ -24,9 +24,12 @@
 mode: 0644
 when: vault_ca_gen.status == 200
-- name: "bootstrap/gen_ca | Copy {{ gen_ca_mount_path }} root CA key locally"
+
+- name: "bootstrap/gen_ca | Copy {{ gen_ca_mount_path }} root CA key to necessary hosts"
 copy:
 content: "{{ hostvars[groups.vault|first]['vault_ca_gen']['json']['data']['private_key'] }}"
 dest: "{{ gen_ca_cert_dir }}/ca-key.pem"
 mode: 0640
 when: vault_ca_gen.status == 200
+ delegate_to: "{{ item }}"
+ with_items: "{{ (groups[gen_ca_copy_group|default('vault')]) | union(groups['vault']) }}"
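Review bot: The new `delegate_to`/`with_items` fan-out at the end of the copy task in gen_ca.yml is executed once per play host that reaches this file (every etcd host in bootstrap, every vault host in cluster), so each of them re-pushes the root CA private key to every target in the list; adding `run_once: true` to the task would turn this into a single pass without changing which hosts receive the key. The task now also writes the CA signing key to every node in `gen_ca_copy_group` plus the vault group, which means compromise of any etcd or kube-master host yields the ability to mint certificates for that PKI — worth a comment above the task stating why those nodes need the key itself rather than Vault-issued leaf certificates, e.g. `# NOTE: root CA key is intentionally distributed to every host in gen_ca_copy_group; any of them can sign certs for this mount`. Because a loop prints per-item results, consider `no_log: true` on the task so verbose runs never echo the delegated invocation; the `groups[...]` lookup will also fail with an undefined-variable error if the named group is absent from inventory, which `| default([])` on that lookup would guard. The surrounding task list continues outside the hunk.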