diff --git a/nodeup/pkg/model/kubelet_test.go b/nodeup/pkg/model/kubelet_test.go
index 06cc956f9e..7dbe2b297c 100644
--- a/nodeup/pkg/model/kubelet_test.go
+++ b/nodeup/pkg/model/kubelet_test.go
@@ -283,7 +283,7 @@ func RunGoldenTest(t *testing.T, basedir string, key string, builder func(*Nodeu
 "kube-controller-manager": mustParsePrivateKey(dummyKey),
 "kube-proxy": mustParsePrivateKey(dummyKey),
 "kube-scheduler": mustParsePrivateKey(dummyKey),
- "master": mustParsePrivateKey(dummyKey),
+ "service-account": mustParsePrivateKey(dummyKey),
 }
 keystore.certs = map[string]*pki.Certificate{
 "ca": mustParseCertificate(dummyCertificate),
diff --git a/nodeup/pkg/model/secrets.go b/nodeup/pkg/model/secrets.go
index 3c46014efa..856a368f8c 100644
--- a/nodeup/pkg/model/secrets.go
+++ b/nodeup/pkg/model/secrets.go
@@ -146,7 +146,7 @@ func (b *SecretBuilder) Build(c *fi.ModelBuilderContext) error {
 }
 }
- if err := b.BuildPrivateKeyTask(c, "master", "service-account.key", nil); err != nil {
+ if err := b.BuildPrivateKeyTask(c, "service-account", "service-account.key", nil); err != nil {
 return err
 }
diff --git a/pkg/model/pki.go b/pkg/model/pki.go
index bfa5c5cdaf..63823e2b45 100644
--- a/pkg/model/pki.go
+++ b/pkg/model/pki.go
@@ -163,8 +163,7 @@ func (b *PKIModelBuilder) Build(c *fi.ModelBuilderContext) error {
 {
 serviceAccount := &fitasks.Keypair{
 // We only need the private key, but it's easier to create a certificate as well.
- // The strange name is because Kops prior to 1.19 used the api-server TLS key for this.
- Name: fi.String("master"),
+ Name: fi.String("service-account"),
 Lifecycle: b.Lifecycle,
 Subject: "cn=service-account",
 Type: "ca",
diff --git a/upup/pkg/fi/vfs_castore.go b/upup/pkg/fi/vfs_castore.go
index 7d16c9b6f5..61b82642f1 100644
--- a/upup/pkg/fi/vfs_castore.go
+++ b/upup/pkg/fi/vfs_castore.go
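Review bot: The `service-account` lookup in SecretBuilder.Build (secrets.go) and the renamed Keypair task in PKIModelBuilder.Build (pki.go) stay correct on existing clusters only if every lookup path reaches the `master` fallback this commit adds to VFSCAStore.FindKeypair, and neither BuildPrivateKeyTask nor the Keypair task's lookup is visible in these hunks. If either resolves the name through another keystore method or implementation, the node would not find the existing key, or a new signing key would be issued, which would presumably invalidate service-account tokens already in circulation. The fixture change in kubelet_test.go only renames the key, so the legacy case is not exercised; a golden-test case whose keystore holds only `master` would pin the upgrade path. In pki.go a comment such as `// Keystores written before this rename hold this keypair under the legacy name "master".` would keep the context the removed comment carried.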
@@ -256,6 +256,14 @@ func (c *VFSCAStore) loadOneCertificate(p vfs.Path) (*pki.Certificate, error) {
 func (c *VFSCAStore) FindKeypair(id string) (*pki.Certificate, *pki.PrivateKey, bool, error) {
 cert, legacyFormat, err := c.findCert(id)
+
+ if os.IsNotExist(err) && id == "service-account" {
+ // The strange name is because Kops prior to 1.19 used the api-server TLS key for this.
+ id = "master"
+ cert, _, err = c.findCert(id)
+ legacyFormat = true
+ }
+
 if err != nil {
 return nil, nil, false, err
 }
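Review bot: The fallback to the legacy `master` keypair in FindKeypair fires only when `os.IsNotExist(err)` is true, and that helper does not see through errors wrapped with `%w`; findCert is outside this hunk, so if it wraps the VFS error or reports a missing certificate as a nil result with a nil error, the fallback is never reached. `if errors.Is(err, os.ErrNotExist) && id == "service-account" {` covers the wrapped case. The fallback is also silent: per the comment, the key found this way is the one earlier Kops versions also used for api-server TLS, so a log line at this point would tell operators that the signing key is still the shared legacy one and is a candidate for rotation. Forcing `legacyFormat = true` discards the value findCert returned for `master`; a one-line comment saying why would help, since the rest of FindKeypair continues outside the hunk.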