diff --git a/pkg/apis/kops/keyset.go b/pkg/apis/kops/keyset.go
index 459f6901bc..61f6d49379 100644
--- a/pkg/apis/kops/keyset.go
+++ b/pkg/apis/kops/keyset.go
@@ -67,6 +67,9 @@ type KeysetSpec struct {
 // Type is the type of the Keyset (PKI keypair, or secret token)
 Type KeysetType `json:"type,omitempty"`
+ // PrimaryId is the id of the key used to mint new things.
+ PrimaryId string `json:"primaryId,omitempty"`
+
 // Keys is the set of keys that make up the keyset
 Keys []KeysetItem `json:"keys,omitempty"`
 }
diff --git a/pkg/apis/kops/v1alpha2/keyset.go b/pkg/apis/kops/v1alpha2/keyset.go
index 1bbb4aba75..942ed5117e 100644
--- a/pkg/apis/kops/v1alpha2/keyset.go
+++ b/pkg/apis/kops/v1alpha2/keyset.go
@@ -68,6 +68,9 @@ type KeysetSpec struct {
 // Type is the type of the Keyset (PKI keypair, or secret token)
 Type KeysetType `json:"type,omitempty"`
+ // PrimaryId is the id of the key used to mint new things.
+ PrimaryId string `json:"primaryId,omitempty"`
+
 // Keys is the set of keys that make up the keyset
 Keys []KeysetItem `json:"keys,omitempty"`
 }
diff --git a/upup/pkg/fi/ca.go b/upup/pkg/fi/ca.go
index 4b9402feb7..5490df0d2a 100644
--- a/upup/pkg/fi/ca.go
+++ b/upup/pkg/fi/ca.go
@@ -52,7 +52,7 @@ type Keystore interface {
 // task to convert a Legacy Keypair to the new Keypair API format.
 FindKeypair(name string) (*pki.Certificate, *pki.PrivateKey, bool, error)
- // StoreKeypair writes the keypair to the store
+ // StoreKeypair writes the keypair to the store, making it the primary.
 StoreKeypair(id string, cert *pki.Certificate, privateKey *pki.PrivateKey) error
 // MirrorTo will copy secrets to a vfs.Path, which is often easier for a machine to read
diff --git a/upup/pkg/fi/clientset_castore.go b/upup/pkg/fi/clientset_castore.go
index 3bac591722..d844d1b2aa 100644
--- a/upup/pkg/fi/clientset_castore.go
+++ b/upup/pkg/fi/clientset_castore.go
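Review bot: The doc comment on the new `PrimaryId` field in the KeysetSpec hunk does not say what "mint new things" means nor what happens when the field is unset, and for the field that decides which key signs new material that gap matters to anyone editing a Keyset by hand. Elsewhere in this commit FindPrimary returns the entry whose Id equals PrimaryId and otherwise falls back to the entry with the highest integer id, so the API comment can state that contract: `// PrimaryId is the id of the entry in Keys used to mint new material (the signing key for PKI keysets). If unset, or if no entry has this id, the entry with the highest integer id is used.` The same comment belongs on the v1alpha2 copy in the next hunk.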
@@ -110,7 +110,7 @@ func parseKeyset(o *kops.Keyset) (*keyset, error) {
 keyset.items[key.Id] = ki
 }
- keyset.primary = keyset.findPrimary()
+ keyset.primary = keyset.items[FindPrimary(o).Id]
 return keyset, nil
 }
@@ -132,30 +132,13 @@ func (c *ClientsetCAStore) loadKeyset(ctx context.Context, name string) (*keyset
 return keyset, nil
 }
-// findPrimary returns the primary keysetItem in the keyset
-func (k *keyset) findPrimary() *keysetItem {
- var primary *keysetItem
- var primaryVersion *big.Int
-
- for _, item := range k.items {
- version, ok := big.NewInt(0).SetString(item.id, 10)
- if !ok {
- klog.Warningf("Ignoring key item with non-integer version: %q", item.id)
- continue
- }
-
- if primaryVersion == nil || version.Cmp(primaryVersion) > 0 {
- primary = item
- primaryVersion = version
- }
- }
- return primary
-}
-
 // FindPrimary returns the primary KeysetItem in the Keyset
 func FindPrimary(keyset *kops.Keyset) *kops.KeysetItem {
 var primary *kops.KeysetItem
 var primaryVersion *big.Int
+
+ primaryId := keyset.Spec.PrimaryId
+
 for i := range keyset.Spec.Keys {
 item := &keyset.Spec.Keys[i]
 version, ok := big.NewInt(0).SetString(item.Id, 10)
@@ -164,6 +147,10 @@ func FindPrimary(keyset *kops.Keyset) *kops.KeysetItem {
 continue
 }
+ if item.Id == primaryId {
+ return item
+ }
+
 if primaryVersion == nil || version.Cmp(primaryVersion) > 0 {
 primary = item
 primaryVersion = version
diff --git a/upup/pkg/fi/vfs_castore.go b/upup/pkg/fi/vfs_castore.go
index 1f3e8aa430..000c302a42 100644
--- a/upup/pkg/fi/vfs_castore.go
+++ b/upup/pkg/fi/vfs_castore.go
@@ -162,6 +162,9 @@ func (k *keyset) ToAPIObject(name string, includePrivateKeyMaterial bool) (*kops
 o.Spec.Keys = append(o.Spec.Keys, oki)
 }
+ if k.primary != nil {
+ o.Spec.PrimaryId = k.primary.id
+ }
 return o, nil
 }
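Review bot: `keyset.primary = keyset.items[FindPrimary(o).Id]` dereferences a nil pointer when FindPrimary returns nil, which it does for a Keyset with no Keys or whose ids all fail the integer parse (FindPrimary starts from `var primary *kops.KeysetItem` and returns it unchanged in that case); the removed findPrimary simply left primary nil there. Guard the lookup: `if primary := FindPrimary(o); primary != nil {` / `keyset.primary = keyset.items[primary.Id]` / `}`. parseKeyset begins before this hunk, so whether earlier lines already reject an empty Keys list is not visible here.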
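Review bot: The doc comment `// FindPrimary returns the primary KeysetItem in the Keyset`, kept as context in this hunk, no longer describes the function now that `primaryId := keyset.Spec.PrimaryId` introduces a second selection rule ahead of the highest-version scan. Suggest: `// FindPrimary returns the KeysetItem whose Id equals Spec.PrimaryId; if PrimaryId is unset or matches no entry, the entry with the highest integer Id is returned, or nil when there is none.` Since the item chosen here is the one that mints new material, callers need that precedence written down rather than inferred from the loop. FindPrimary's body continues past the end of this hunk.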
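Review bot: The new `if item.Id == primaryId { return item }` sits after the `continue` taken for ids that do not parse as integers, so an explicitly configured PrimaryId is only honored when it is numeric; if that is not intended, hoist the comparison above the `version, ok := big.NewInt(0).SetString(item.Id, 10)` line that ends the previous hunk, and make it `if primaryId != "" && item.Id == primaryId {` so an unset PrimaryId cannot match an entry with an empty Id once the parse no longer filters it. Separately, when PrimaryId names an id that is not in Keys the loop silently falls back to the highest-version key, which then signs new material; log that before the final return (outside this hunk), e.g. `if primaryId != "" && primary != nil { klog.Warningf("keyset primaryId %q not found; falling back to %q", primaryId, primary.Id) }`.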
@@ -660,6 +663,7 @@ func (c *VFSCAStore) storePrivateKey(name string, ki *keysetItem) error {
 ks.items = make(map[string]*keysetItem)
 }
 ks.items[ki.id] = ki
+ ks.primary = ki
 if err := c.writeKeysetBundle(p, name, ks, true); err != nil {
 return fmt.Errorf("error writing bundle: %v", err)
@@ -703,6 +707,7 @@ func (c *VFSCAStore) storeCertificate(name string, ki *keysetItem) error {
 ks.items = make(map[string]*keysetItem)
 }
 ks.items[ki.id] = ki
+ ks.primary = ki
 if err := c.writeKeysetBundle(p, name, ks, false); err != nil {
 return fmt.Errorf("error writing bundle: %v", err)
@@ -748,6 +753,9 @@ func (c *VFSCAStore) deletePrivateKey(name string, id string) (bool, error) {
 return false, nil
 }
 delete(ks.items, id)
+ if ks.primary != nil && ks.primary.id == id {
+ ks.primary = nil
+ }
 if err := c.writeKeysetBundle(p, name, ks, true); err != nil {
 return false, fmt.Errorf("error writing bundle: %v", err)
@@ -778,6 +786,9 @@ func (c *VFSCAStore) deleteCertificate(name string, id string) (bool, error) {
 return false, nil
 }
 delete(ks.items, id)
+ if ks.primary != nil && ks.primary.id == id {
+ ks.primary = nil
+ }
 if err := c.writeKeysetBundle(p, name, ks, false); err != nil {
 return false, fmt.Errorf("error writing bundle: %v", err)
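Review bot: `ks.primary = ki` promotes whatever key is being written to primary unconditionally, so re-writing an existing or older key (a re-import, or a migration that copies keys one at a time) silently changes which key mints new material, which is the most security-sensitive state in this store. That matches the updated Keystore comment ("making it the primary"), but it should be stated on the function itself since storePrivateKey begins outside this hunk: `// storePrivateKey adds ki to the keyset bundle and makes it the primary key; do not call it merely to backfill an old key.` The same applies to storeCertificate in the next hunk, and because the private-key and certificate bundles are written by separate calls (`writeKeysetBundle(..., true)` vs `false`), a failure between the two presumably leaves the bundles disagreeing about the primary — worth a comment or a check in the caller.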
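Review bot: After `delete(ks.items, id)` the new block sets `ks.primary = nil` when the deleted key was the primary and the bundle is then written with no designated primary; if it is read back through ToAPIObject and FindPrimary as this commit wires them, the highest remaining integer id presumably becomes the signing key without anyone choosing it. For a CA keystore that deserves to be visible: at minimum log it inside the new if block, e.g. `klog.Warningf("deleted primary key %q from keyset %q; primary falls back to the newest remaining key", id, name)` (if klog is imported in this file), and consider refusing to delete the primary until another key has been made primary. deleteCertificate in the last hunk has the same shape and needs the same treatment.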