diff --git a/nodeup/pkg/model/context.go b/nodeup/pkg/model/context.go
index ce0b1b8822a8f..2edf112c5b7a9 100644
--- a/nodeup/pkg/model/context.go
+++ b/nodeup/pkg/model/context.go
@@ -446,7 +446,6 @@ func (c *NodeupModelContext) BuildCertificateTask(ctx *fi.ModelBuilderContext, n
 if err != nil {
 return err
 }
-
 p := filename
 if !filepath.IsAbs(p) {
 p = filepath.Join(c.PathSrvKubernetes(), filename)
diff --git a/nodeup/pkg/model/secrets.go b/nodeup/pkg/model/secrets.go
index 7ed566814a8b5..3c46014efad74 100644
--- a/nodeup/pkg/model/secrets.go
+++ b/nodeup/pkg/model/secrets.go
@@ -120,6 +120,10 @@ func (b *SecretBuilder) Build(c *fi.ModelBuilderContext) error {
 Subject: nodetasks.PKIXName{CommonName: "kubernetes-master"},
 AlternateNames: alternateNames,
 }
+
+ // Including the CA certificate is more correct, and is needed for e.g. AWS WebIdentity federation
+ issueCert.IncludeRootCertificate = true
+
 c.AddTask(issueCert)
 err := issueCert.AddFileTasks(c, b.PathSrvKubernetes(), "server", "", nil)
 if err != nil {
diff --git a/nodeup/pkg/model/tests/golden/minimal/tasks-secret.yaml b/nodeup/pkg/model/tests/golden/minimal/tasks-secret.yaml
index 06301c9dd905e..e0d573956ebb9 100644
--- a/nodeup/pkg/model/tests/golden/minimal/tasks-secret.yaml
+++ b/nodeup/pkg/model/tests/golden/minimal/tasks-secret.yaml
@@ -70,6 +70,7 @@ contents:
 - api.internal.minimal.example.com
 - 100.64.0.1
 - 127.0.0.1
+ includeRootCertificate: true
 signer: ca
 subject:
 CommonName: kubernetes-master
@@ -90,6 +91,7 @@ contents:
 - api.internal.minimal.example.com
 - 100.64.0.1
 - 127.0.0.1
+ includeRootCertificate: true
 signer: ca
 subject:
 CommonName: kubernetes-master
@@ -146,6 +148,7 @@ alternateNames:
 - api.internal.minimal.example.com
 - 100.64.0.1
 - 127.0.0.1
+includeRootCertificate: true
 signer: ca
 subject:
 CommonName: kubernetes-master
diff --git a/upup/pkg/fi/nodeup/nodetasks/issue_cert.go b/upup/pkg/fi/nodeup/nodetasks/issue_cert.go
index 9a93f17712e8e..003ba4dee7ef3
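Review bot: The comment added above `issueCert.IncludeRootCertificate = true` in secrets.go says including the CA is "more correct" without saying what breaks without it, so the next maintainer cannot judge whether the flag is safe to drop; I'd state the concrete consequence instead, e.g. `// Write leaf + issuing CA into the "server" cert file so clients that must see the issuer (e.g. AWS WebIdentity/OIDC federation) can validate the chain.` Presumably the underlying need is that the IAM OIDC provider has to see the issuing CA to verify or pin it — confirm that and name it in the comment rather than leaving "e.g.". Because the file that `AddFileTasks` writes for "server" will now hold two PEM blocks, any in-tree reader that parses that file as a single certificate should be checked as part of this change. Build's body continues outside the hunk.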
--- a/upup/pkg/fi/nodeup/nodetasks/issue_cert.go
+++ b/upup/pkg/fi/nodeup/nodetasks/issue_cert.go
@@ -54,6 +54,9 @@ type IssueCert struct {
 Subject PKIXName `json:"subject"`
 AlternateNames []string `json:"alternateNames,omitempty"`
+ // IncludeRootCertificate will force the certificate data to include the full chain, not just the leaf
+ IncludeRootCertificate bool `json:"includeRootCertificate,omitempty"`
+
 cert *fi.TaskDependentResource
 key *fi.TaskDependentResource
 ca *fi.TaskDependentResource
@@ -160,6 +163,18 @@ func (e *IssueCert) Run(c *fi.Context) error {
 keyResource.Resource = &asBytesResource{privateKey}
 caResource.Resource = &asBytesResource{caCertificate}
+ if e.IncludeRootCertificate {
+ var b bytes.Buffer
+ if _, err := certificate.WriteTo(&b); err != nil {
+ return err
+ }
+ b.WriteString("\n")
+ if _, err := caCertificate.WriteTo(&b); err != nil {
+ return err
+ }
+ certResource.Resource = fi.NewBytesResource(b.Bytes())
+ }
+
 return nil
 }
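Review bot: The doc comment on `IncludeRootCertificate` overstates what the flag does: Run only appends the signer's certificate (`caCertificate`) after the leaf, so the data becomes leaf plus issuing CA, not a "full chain" — if the signer were an intermediate, nothing above it would be added. I'd make the comment say exactly that, e.g. `// IncludeRootCertificate appends the signing CA's certificate after the leaf in the certificate data (leaf first, then issuer). Only the direct signer is added; no intermediate chain is built.` The IssueCert struct continues outside the hunk.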
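Review bot: The chain in Run is written leaf first, then `caCertificate`, which is the order TLS peers expect, but nothing says so and a later reorder would silently break consumers; I'd add a why-comment above `var b bytes.Buffer`: `// Leaf first, then the issuing CA: TLS peers expect the end-entity cert before its issuer.` The explicit `b.WriteString("\n")` will leave an empty line between the two PEM blocks if `WriteTo` already terminates its output with a newline — PEM readers should tolerate that, but confirm whether `WriteTo` output is newline-terminated and either drop the separator or comment that it is deliberate. Worth noting in the same comment that only the public `caCertificate` is appended and `privateKey` never enters `certResource`, since that is the invariant a future edit must not break. Run begins outside the hunk.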