diff --git a/roles/download/tasks/kubeadm_images.yml b/roles/download/tasks/kubeadm_images.yml
index 4ed068b91..6492151d1 100644
--- a/roles/download/tasks/kubeadm_images.yml
+++ b/roles/download/tasks/kubeadm_images.yml
@@ -1,3 +1,4 @@
+---
 - name: kubeadm | Create kubeadm config
   template:
     src: "kubeadm-images.yaml.j2"
diff --git a/roles/kubernetes/master/tasks/kubeadm-certificate.yml b/roles/kubernetes/master/tasks/kubeadm-certificate.yml
new file mode 100644
index 000000000..a2ce2d676
--- /dev/null
+++ b/roles/kubernetes/master/tasks/kubeadm-certificate.yml
@@ -0,0 +1,42 @@
+---
+- name: Backup old certs and keys
+  copy:
+    src: "{{ kube_cert_dir }}/{{ item.src }}"
+    dest: "{{ kube_cert_dir }}/{{ item.dest }}"
+    remote_src: yes
+  with_items:
+    - {src: apiserver.crt, dest: apiserver.crt.old}
+    - {src: apiserver.key, dest: apiserver.key.old}
+    - {src: apiserver-kubelet-client.crt, dest: apiserver-kubelet-client.crt.old}
+    - {src: apiserver-kubelet-client.key, dest: apiserver-kubelet-client.key.old}
+    - {src: front-proxy-client.crt, dest: front-proxy-client.crt.old}
+    - {src: front-proxy-client.key, dest: front-proxy-client.key.old}
+  ignore_errors: yes
+
+- name: Remove old certs and keys
+  file:
+    path: "{{ kube_cert_dir }}/{{ item }}"
+    state: absent
+  with_items:
+    - apiserver.crt
+    - apiserver.key
+    - apiserver-kubelet-client.crt
+    - apiserver-kubelet-client.key
+    - front-proxy-client.crt
+    - front-proxy-client.key
+
+- name: Generate new certs and keys
+  command: "{{ bin_dir }}/kubeadm init phase certs {{ item }} --config={{ kube_config_dir }}/kubeadm-config.yaml"
+  with_items:
+    - apiserver
+    - apiserver-kubelet-client
+    - front-proxy-client
+  when: inventory_hostname == groups['kube-master']|first and kubeadm_version is version('v1.13.0', '>=')
+
+- name: Generate new certs and keys
+  command: "{{ bin_dir }}/kubeadm alpha phase certs {{ item }} --config={{ kube_config_dir }}/kubeadm-config.yaml"
+  with_items:
+    - apiserver
+    - apiserver-kubelet-client
+    - front-proxy-client
+  when: inventory_hostname == groups['kube-master']|first and kubeadm_version is version('v1.13.0', '<')
diff --git a/roles/kubernetes/master/tasks/kubeadm-kubeconfig.yml b/roles/kubernetes/master/tasks/kubeadm-kubeconfig.yml
new file mode 100644
index 000000000..5e48773e6
--- /dev/null
+++ b/roles/kubernetes/master/tasks/kubeadm-kubeconfig.yml
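Review bot: The backup step copies the private keys (`apiserver.key`, `apiserver-kubelet-client.key`, `front-proxy-client.key`) to `*.key.old` with `copy` and `remote_src: yes` but no `mode`, so the copies receive the module's default permissions rather than the source's and the key material may end up readable more widely than the originals; add `mode: "0600"` (or `mode: preserve` where the Ansible version in use supports it) under `copy:`. That backup also runs with `ignore_errors: yes` right before `Remove old certs and keys` deletes the same files unconditionally, so a failed backup is only discovered once the originals are gone; `register` the result and `failed_when` on it instead of silencing it. The remove task has no `when`, while both `Generate new certs and keys` tasks are limited to `groups['kube-master']|first`, so on any other master that includes this file the key pairs are deleted and not regenerated here — presumably a later sync from the first master restores them, which is worth confirming. The two generate tasks share one name, which makes play output ambiguous; suffixing them (e.g. `(kubeadm >= v1.13.0)`) would help, and `remote_src: yes` / `ignore_errors: yes` should be `true` per the truthy rule.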
@@ -0,0 +1,32 @@
+---
+- name: Backup old configuration files
+  copy:
+    src: "{{ kube_config_dir }}/{{ item.src }}"
+    dest: "{{ kube_config_dir }}/{{ item.dest }}"
+    remote_src: yes
+  with_items:
+    - {src: admin.conf, dest: admin.conf.old}
+    - {src: kubelet.conf, dest: kubelet.conf.old}
+    - {src: controller-manager.conf, dest: controller-manager.conf.old}
+    - {src: scheduler.conf, dest: scheduler.conf.old}
+  ignore_errors: yes
+
+- name: Remove old configuration files
+  file:
+    path: "{{ kube_config_dir }}/{{ item }}"
+    state: absent
+  with_items:
+    - admin.conf
+    - kubelet.conf
+    - controller-manager.conf
+    - scheduler.conf
+
+- name: Generate new configuration files
+  command: "{{ bin_dir }}/kubeadm init phase kubeconfig all --config={{ kube_config_dir }}/kubeadm-config.yaml"
+  when: kubeadm_version is version('v1.13.0', '>=')
+  ignore_errors: yes
+
+- name: Generate new configuration files
+  command: "{{ bin_dir }}/kubeadm alpha phase kubeconfig all --config={{ kube_config_dir }}/kubeadm-config.yaml"
+  when: kubeadm_version is version('v1.13.0', '<')
+  ignore_errors: yes
diff --git a/roles/kubernetes/master/tasks/kubeadm-setup.yml b/roles/kubernetes/master/tasks/kubeadm-setup.yml
index 32f170325..1b3f9d460 100644
--- a/roles/kubernetes/master/tasks/kubeadm-setup.yml
+++ b/roles/kubernetes/master/tasks/kubeadm-setup.yml
@@ -10,10 +10,10 @@
   import_tasks: kubeadm-migrate-certs.yml
   when: old_apiserver_cert.stat.exists
 
-- name: kubeadm | Check service account key
+- name: kubeadm | Check apiserver key
   stat:
-    path: "{{ kube_cert_dir }}/sa.key"
-  register: sa_key_before
+    path: "{{ kube_cert_dir }}/apiserver.key"
+  register: apiserver_key_before
   delegate_to: "{{groups['kube-master']|first}}"
   run_once: true
 
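Review bot: Both `Generate new configuration files` tasks carry `ignore_errors: yes`, so a failed `kubeadm ... kubeconfig all` leaves the host with none of `admin.conf`, `kubelet.conf`, `controller-manager.conf` or `scheduler.conf` (the preceding `Remove old configuration files` task deleted them unconditionally) while the play continues as if regeneration had succeeded; drop `ignore_errors` — the `kubeadm_version` split already guarantees exactly one of the two tasks runs — or `register` the result and `failed_when: result.rc != 0`. As in the certificate file, the `copy` backup has no `mode`, so `admin.conf.old` (a kubeconfig that normally embeds client credentials) is written with the module's default permissions rather than the original's; add `mode: "0600"` under `copy:`. Nothing in this file removes the `.old` backups, so stale credentials accumulate unless another task cleans them up — worth a comment above the backup task stating who is responsible for that, e.g. `# .old backups are left in place; cleaned up by <task/role placeholder>`.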
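Review bot: Switching the before/after `stat` from `sa.key` to `apiserver.key` changes what triggers `Master | set secret_changed`: a rotation of the service-account signing key alone no longer fires the handler, only an apiserver key change does, and in the `@@ -149,17 +161,17 @@` hunk the notifying task is still named `kubeadm | Set secret_changed if service account key was updated`, which now misdescribes its condition. If firing on either key is intended, keep both `stat` pairs and compare both checksums in the `when`; otherwise rename the task to `- name: kubeadm | Set secret_changed if apiserver key was updated` and add a comment above `kubeadm | Check apiserver key` recording why the apiserver key is the one watched. Whether anything downstream still relies on `sa.key` changes being detected is not visible from this diff and should be confirmed.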
@@ -95,6 +95,12 @@
 - name: kubeadm | set kubeadm version
   import_tasks: kubeadm-version.yml
 
+- name: kubeadm | Certificate management with kubeadm
+  import_tasks: kubeadm-certificate.yml
+  when:
+    - not upgrade_cluster_setup
+    - kubeadm_already_run.stat.exists
+
 - name: kubeadm | Initialize first master
   command: timeout -k 600s 600s {{ bin_dir }}/kubeadm init --config={{ kube_config_dir }}/kubeadm-config.yaml --ignore-preflight-errors=all
   register: kubeadm_init
@@ -136,6 +142,12 @@
   with_items: "{{ kubeadm_certs.results }}"
   when: inventory_hostname != groups['kube-master']|first
 
+- name: kubeadm | Kubeconfig management with kubeadm
+  import_tasks: kubeadm-kubeconfig.yml
+  when:
+    - not upgrade_cluster_setup
+    - kubeadm_already_run.stat.exists
+
 - name: kubeadm | Init other uninitialized masters
   command: timeout -k 600s 600s {{ bin_dir }}/kubeadm init --config={{ kube_config_dir }}/kubeadm-config.yaml --ignore-preflight-errors=all
   register: kubeadm_init
@@ -149,17 +161,17 @@
   import_tasks: kubeadm-upgrade.yml
   when: upgrade_cluster_setup
 
-- name: kubeadm | Check service account key again
+- name: kubeadm | Check apiserver key again
   stat:
-    path: "{{ kube_cert_dir }}/sa.key"
-  register: sa_key_after
+    path: "{{ kube_cert_dir }}/apiserver.key"
+  register: apiserver_key_after
   delegate_to: "{{groups['kube-master']|first}}"
   run_once: true
 
 - name: kubeadm | Set secret_changed if service account key was updated
   command: /bin/true
   notify: Master | set secret_changed
-  when: sa_key_before.stat.checksum|default("") != sa_key_after.stat.checksum
+  when: apiserver_key_before.stat.checksum|default("") != apiserver_key_after.stat.checksum
 
 - name: kubeadm | cleanup old certs if necessary
   import_tasks: kubeadm-cleanup-old-certs.yml
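Review bot: The `when` on `kubeadm | Certificate management with kubeadm` (`not upgrade_cluster_setup` and `kubeadm_already_run.stat.exists`) holds on every ordinary re-run against an existing cluster, so each run deletes and re-issues the apiserver, kubelet-client and front-proxy key pairs and overwrites the `.old` backups whether or not anything in `kubeadm-config.yaml` changed; the same applies to `kubeadm | Kubeconfig management with kubeadm` in the `@@ -136,6 +142,12 @@` hunk. Unless unconditional rotation on every run is the goal, gate both imports on an actual change — for example register the task that renders `kubeadm-config.yaml` (not visible here) and add a `- <registered_result>.changed` entry to each `when` list — and state the intent in a comment above the import, e.g. `# Re-issue apiserver certs and kubeconfigs so changes in kubeadm-config.yaml (SANs, endpoints) take effect`. `kubeadm_already_run` is set outside this hunk, so I could not confirm it is defined on every host these imports run on.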