diff --git a/roles/kubernetes/secrets/tasks/check-certs.yml b/roles/kubernetes/secrets/tasks/check-certs.yml
index 110ffa8981c842a4643e51172b1ca2178a344a7a..e8d3e9e94aca038f7d801f7406d6139d1268f502 100644
--- a/roles/kubernetes/secrets/tasks/check-certs.yml
+++ b/roles/kubernetes/secrets/tasks/check-certs.yml
@@ -14,27 +14,6 @@
     gen_certs: false
     secret_changed: false
 
-- name: "Check certs | check if a cert already exists on node"
-  stat:
-    path: "{{ kube_cert_dir }}/{{ item }}"
-  register: kubecert_node
-  with_items:
-    - ca.pem
-    - apiserver.pem
-    - apiserver-key.pem
-    - kube-scheduler.pem
-    - kube-scheduler-key.pem
-    - kube-controller-manager.pem
-    - kube-controller-manager-key.pem
-    - front-proxy-client.pem
-    - front-proxy-client-key.pem
-    - admin-{{ inventory_hostname }}.pem
-    - admin-{{ inventory_hostname }}-key.pem
-    - node-{{ inventory_hostname }}.pem
-    - node-{{ inventory_hostname }}-key.pem
-    - kube-proxy-{{ inventory_hostname }}.pem
-    - kube-proxy-{{ inventory_hostname }}-key.pem
-
 - name: "Check_certs | Set 'gen_certs' to true"
   set_fact:
     gen_certs: true
@@ -85,7 +64,6 @@
       {{ gen }}
   run_once: true
 
-
 - name: "Check_certs | Set 'gen_node_certs' to true"
   set_fact:
     gen_node_certs: |-
@@ -102,17 +80,3 @@
       {% endfor %}
       }
   run_once: true
-
-- name: "Check_certs | Set 'sync_certs' to true"
-  set_fact:
-    sync_certs: true
-  when: |-
-      {%- set certs = {'sync': False} -%}
-      {% if gen_node_certs[inventory_hostname] or
-        (not kubecert_node.results[0].stat.exists|default(False)) or
-          (not kubecert_node.results[12].stat.exists|default(False)) or
-            (not kubecert_node.results[8].stat.exists|default(False)) or
-              (kubecert_node.results[12].stat.checksum|default('') != kubecert_master.files|selectattr("path", "equalto", kubecert_node.results[12].stat.path)|map(attribute="checksum")|first|default('')) -%}
-                {%- set _ = certs.update({'sync': True}) -%}
-      {% endif %}
-      {{ certs.sync }}
diff --git a/roles/kubernetes/secrets/tasks/gen_certs_script.yml b/roles/kubernetes/secrets/tasks/gen_certs_script.yml
index 72ff6b46917d0c2505395b9b1f1640c8050ae0ed..1e9211b349ff6a0d7caac8c14c52f24cb780f3a4 100644
--- a/roles/kubernetes/secrets/tasks/gen_certs_script.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs_script.yml
@@ -111,6 +111,34 @@
   tags:
     - facts
 
+- name: "Check certs | check if a cert already exists on node"
+  find:
+    paths: "{{ kube_cert_dir }}"
+    patterns: "*.pem"
+    get_checksum: true
+  register: kubecert_node
+  when: inventory_hostname != groups['kube-master'][0]
+
+- name: "Check_certs | Set 'sync_certs' to true on masters"
+  set_fact:
+    sync_certs: true
+  when: inventory_hostname in groups['kube-master'] and
+        inventory_hostname != groups['kube-master'][0] and
+        (not item in kubecert_node.files | map(attribute='path') | map("basename") | list or
+        kubecert_node.files | selectattr("path", "equalto", "{{ kube_cert_dir }}/{{ item }}") | map(attribute="checksum")|first|default('') != kubecert_master.files | selectattr("path", "equalto", "{{ kube_cert_dir }}/{{ item }}") | map(attribute="checksum")|first|default(''))
+  with_items:
+    - "{{ my_master_certs + all_node_certs }}"
+
+- name: "Check_certs | Set 'sync_certs' to true on nodes"
+  set_fact:
+    sync_certs: true
+  when: inventory_hostname in groups['kube-node'] and
+        inventory_hostname != groups['kube-master'][0] and
+        (not item in kubecert_node.files | map(attribute='path') | map("basename") | list or
+        kubecert_node.files | selectattr("path", "equalto", "{{ kube_cert_dir }}/{{ item }}") | map(attribute="checksum")|first|default('') != kubecert_master.files | selectattr("path", "equalto", "{{ kube_cert_dir }}/{{ item }}") | map(attribute="checksum")|first|default(''))
+  with_items:
+    - "{{ my_node_certs }}"
+
 - name: Gen_certs | Gather master certs
   shell: "tar cfz - -C {{ kube_cert_dir }} -T /dev/stdin <<< {{ my_master_certs|join(' ') }} {{ all_node_certs|join(' ') }} | base64 --wrap=0"
   args:
@@ -138,7 +166,7 @@
 # char limit when using shell command
 
 # FIXME(mattymo): Use tempfile module in ansible 2.3
-- name: Gen_certs | Prepare tempfile for unpacking certs
+- name: Gen_certs | Prepare tempfile for unpacking certs on masters
   command: mktemp /tmp/certsXXXXX.tar.gz
   register: cert_tempfile
   when: inventory_hostname in groups['kube-master'] and sync_certs|default(false) and
@@ -162,7 +190,7 @@
         inventory_hostname != groups['kube-master'][0]
   notify: set secret_changed
 
-- name: Gen_certs | Cleanup tempfile
+- name: Gen_certs | Cleanup tempfile on masters
   file:
     path: "{{cert_tempfile.stdout}}"
     state: absent