diff --git a/roles/kubernetes/control-plane/defaults/main/main.yml b/roles/kubernetes/control-plane/defaults/main/main.yml
index 4a9800a65034b39f00ace480b6041cfc820e9fcb..ad9456d5b24d286f8a2dd7cca1f4f151f44b92b7 100644
--- a/roles/kubernetes/control-plane/defaults/main/main.yml
+++ b/roles/kubernetes/control-plane/defaults/main/main.yml
@@ -222,8 +222,7 @@ event_ttl_duration: "1h0m0s"
 ## Automatically renew K8S control plane certificates on first Monday of each month
 auto_renew_certificates: false
 # First Monday of each month
-auto_renew_certificates_systemd_calendar: "{{ 'Mon *-*-1,2,3,4,5,6,7 03:' ~
-  groups['kube_control_plane'].index(inventory_hostname) ~ '0:00' }}"
+auto_renew_certificates_systemd_calendar: "Mon *-*-1,2,3,4,5,6,7 03:00:00"
 # kubeadm renews all the certificates during control plane upgrade.
 # If we have requirement like without renewing certs upgrade the cluster,
 # we can opt out from the default behavior by setting kubeadm_upgrade_auto_cert_renewal to false
diff --git a/roles/kubernetes/control-plane/templates/k8s-certs-renew.timer.j2 b/roles/kubernetes/control-plane/templates/k8s-certs-renew.timer.j2
index 904f0073cf490849b394aef488404650f2488f2d..cca5aca3e728170b19a4e9e6c806e8433fa5e23a 100644
--- a/roles/kubernetes/control-plane/templates/k8s-certs-renew.timer.j2
+++ b/roles/kubernetes/control-plane/templates/k8s-certs-renew.timer.j2
@@ -3,6 +3,9 @@ Description=Timer to renew K8S control plane certificates
 
 [Timer]
 OnCalendar={{ auto_renew_certificates_systemd_calendar }}
+RandomizedDelaySec={{ 10 * (groups['kube_control_plane'] | length) }}min
+FixedRandomDelay=yes
+Persistent=yes
 
 [Install]
 WantedBy=multi-user.target