diff --git a/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta4.yaml.j2 b/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta4.yaml.j2
index 1d5ac1d8f8fb87fbb1522c0ac5202fa14407bf33..be03b489f54e23a48ba83d4bf5794c1ead0993d2 100644
--- a/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta4.yaml.j2
+++ b/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta4.yaml.j2
@@ -37,6 +37,7 @@ patches:
 apiVersion: kubeadm.k8s.io/v1beta4
 kind: ClusterConfiguration
 clusterName: {{ cluster_name }}
+encryptionAlgorithm: {{ kube_asymmetric_encryption_algorithm }}
 etcd:
 {% if etcd_deployment_type != "kubeadm" %}
 external:
diff --git a/roles/kubernetes/kubeadm/tasks/main.yml b/roles/kubernetes/kubeadm/tasks/main.yml
index bc69d78240e225f5c6e79e6b881029e0f8c7db2c..a65d34eea612a8951b5e0a9a56e0c1720d55051c 100644
--- a/roles/kubernetes/kubeadm/tasks/main.yml
+++ b/roles/kubernetes/kubeadm/tasks/main.yml
@@ -30,7 +30,10 @@
 run_once: true
 
 - name: Calculate kubeadm CA cert hash
-  shell: set -o pipefail && openssl x509 -pubkey -in {{ kube_cert_dir }}/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
+  shell: |
+    set -o pipefail && openssl x509 -pubkey -in {{ kube_cert_dir }}/ca.crt | \
+    openssl {% if 'RSA' in kube_asymmetric_encryption_algorithm %}rsa{% elif 'ECDSA' in kube_asymmetric_encryption_algorithm %}ec{% else %}rsa{% endif %} -pubin -outform der 2>/dev/null | \
+    openssl dgst -sha256 -hex | sed 's/^.* //'
   args:
     executable: /bin/bash
   register: kubeadm_ca_hash
diff --git a/roles/kubespray-defaults/defaults/main/main.yml b/roles/kubespray-defaults/defaults/main/main.yml
index 32a78545a3da6aca3332b34fca18616bdc53c1a5..1210287c8017dc5a5a02b670d6692f6e59f8d523 100644
--- a/roles/kubespray-defaults/defaults/main/main.yml
+++ b/roles/kubespray-defaults/defaults/main/main.yml
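Review bot: The added `encryptionAlgorithm: {{ kube_asymmetric_encryption_algorithm }}` line renders the variable unquoted, so an empty or undefined value produces a YAML null rather than a string and the failure only shows up when kubeadm rejects the rendered config; write it as `encryptionAlgorithm: "{{ kube_asymmetric_encryption_algorithm }}"`, matching how the defaults file quotes the value. The ClusterConfiguration document this line belongs to continues outside the hunk.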
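Review bot: The Jinja branch in the new `shell: |` block selects `openssl rsa` or `openssl ec` by substring match and silently falls back to `rsa` for any other value; with `2>/dev/null` and `pipefail` a key-type mismatch fails the task with an empty `kubeadm_ca_hash` and no stderr explaining why. `openssl pkey -pubin -outform der` reads any public-key type, so the conditional can be dropped and the middle line becomes `openssl pkey -pubin -outform der 2>/dev/null | \`. The hash itself is unchanged for RSA keys, and the task no longer carries algorithm-specific logic that has to be kept in sync with the list of supported values.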
@@ -62,6 +62,11 @@ kubeadm_join_phases_skip: >-
 # Set to true to remove the role binding to anonymous users created by kubeadm
 remove_anonymous_access: false
 
+# Supported asymmetric encryption algorithm types for the cluster's keys and certificates.
+# can be one of RSA-2048(default), RSA-3072, RSA-4096, ECDSA-P256
+# ref: https://kubernetes.io/docs/reference/config-api/kubeadm-config.v1beta4/#kubeadm-k8s-io-v1beta4-ClusterConfiguration
+kube_asymmetric_encryption_algorithm: "RSA-2048"
+
 # A string slice of values which specify the addresses to use for NodePorts.
 # Values may be valid IP blocks (e.g. 1.2.3.0/24, 1.2.3.4/32).
 # The default empty string slice ([]) means to use all local addresses.
diff --git a/tests/files/packet_debian12-calico.yml b/tests/files/packet_debian12-calico.yml
index 4896d3ba337b5aa017e7ed22af53a31fb8cef054..20e3f239fa3892801d696b7394e154b0aa1ed46d 100644
--- a/tests/files/packet_debian12-calico.yml
+++ b/tests/files/packet_debian12-calico.yml
@@ -6,3 +6,4 @@ mode: default
 
 # Kubespray settings
 dns_mode: coredns_dual
+kube_asymetric_encryption_algorithm: "RSA-3072"
diff --git a/tests/files/packet_rockylinux9-cilium.yml b/tests/files/packet_rockylinux9-cilium.yml
index 2f759f0f5f03881fd8a8363fbe74837002ca76ea..69d4c7377724fdeae55d9dce605055583f3e455a 100644
--- a/tests/files/packet_rockylinux9-cilium.yml
+++ b/tests/files/packet_rockylinux9-cilium.yml
@@ -11,3 +11,4 @@ cilium_kube_proxy_replacement: strict
 
 # Node Feature Discovery
 node_feature_discovery_enabled: true
+kube_asymmetric_encryption_algorithm: "ECDSA-P256"
diff --git a/tests/files/packet_ubuntu20-flannel-ha.yml b/tests/files/packet_ubuntu20-flannel-ha.yml
index 06a9ffb24655f586238c93ab2fe54d1eade1d521..cec99f93407cf13b207cb2744296b5fd0c04dde3 100644
--- a/tests/files/packet_ubuntu20-flannel-ha.yml
+++ b/tests/files/packet_ubuntu20-flannel-ha.yml
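Review bot: The new comment lists the accepted values, but nothing in the change enforces them: `kube_asymmetric_encryption_algorithm` is interpolated straight into the kubeadm config template and substring-matched in the CA-hash task, so a misspelt value is only noticed when `kubeadm init` rejects it. An assertion in the preinstall checks, `that: kube_asymmetric_encryption_algorithm in ['RSA-2048', 'RSA-3072', 'RSA-4096', 'ECDSA-P256']`, would report it at inventory-check time instead. Minor: the second comment line should start with a capital and space the default marker, `# Can be one of RSA-2048 (default), RSA-3072, RSA-4096, ECDSA-P256`.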
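Review bot: The variable name on the added line in packet_debian12-calico.yml is misspelt — `kube_asymetric_encryption_algorithm` has one `m` — so this job keeps the RSA-2048 default and never exercises RSA-3072, and Ansible accepts the unused variable without any warning. The line should read `kube_asymmetric_encryption_algorithm: "RSA-3072"`; the other two test files in this commit spell it correctly.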
@@ -8,3 +8,4 @@ kube_network_plugin: flannel
 etcd_deployment_type: kubeadm
 kubeadm_certificate_key: 3998c58db6497dd17d909394e62d515368c06ec617710d02edea31c06d741085
 skip_non_kubeadm_warning: true
+kube_asymmetric_encryption_algorithm: "RSA-4096"