diff --git a/upup/pkg/fi/fitasks/keypair.go b/upup/pkg/fi/fitasks/keypair.go
index b1aa7aa9a0..80f56b076e 100644
--- a/upup/pkg/fi/fitasks/keypair.go
+++ b/upup/pkg/fi/fitasks/keypair.go
@@ -165,7 +165,7 @@ func (_ *Keypair) Render(c *fi.Context, a, e, changes *Keypair) error {
 		} else if changes.Type != "" {
 			createCertificate = true
 			klog.Infof("creating certificate %q as Type has changed (actual=%v, expected=%v)", name, a.Type, e.Type)
-		} else if changes.LegacyFormat {
+		} else if a.LegacyFormat {
 			changeStoredFormat = true
 		} else {
 			klog.Warningf("Ignoring changes in key: %v", fi.DebugAsJsonString(changes))
diff --git a/upup/pkg/fi/vfs_castore.go b/upup/pkg/fi/vfs_castore.go
index 61b82642f1..a281063e85 100644
--- a/upup/pkg/fi/vfs_castore.go
+++ b/upup/pkg/fi/vfs_castore.go
@@ -257,7 +257,7 @@ func (c *VFSCAStore) loadOneCertificate(p vfs.Path) (*pki.Certificate, error) {
 func (c *VFSCAStore) FindKeypair(id string) (*pki.Certificate, *pki.PrivateKey, bool, error) {
 	cert, legacyFormat, err := c.findCert(id)
 
-	if os.IsNotExist(err) && id == "service-account" {
+	if (cert == nil || os.IsNotExist(err)) && id == "service-account" {
 		// The strange name is because Kops prior to 1.19 used the api-server TLS key for this.
 		id = "master"
 		cert, _, err = c.findCert(id)