diff --git a/cluster/saltbase/salt/generate-cert/make-ca-cert.sh b/cluster/saltbase/salt/generate-cert/make-ca-cert.sh
index 35e16df3ea..f3ab21f37e 100755
--- a/cluster/saltbase/salt/generate-cert/make-ca-cert.sh
+++ b/cluster/saltbase/salt/generate-cert/make-ca-cert.sh
@@ -20,6 +20,7 @@ set -o pipefail
 cert_ip=$1
 cert_dir=/srv/kubernetes
+cert_file_owner=apiserver.apiserver
 mkdir -p "$cert_dir"
@@ -61,3 +62,5 @@ cp -p pki/private/kubernetes-master.key "${cert_dir}/server.key" > /dev/null 2>&
 cp -p pki/ca.crt "${cert_dir}/ca.crt"
 cp -p pki/issued/kubecfg.crt "${cert_dir}/kubecfg.crt"
 cp -p pki/private/kubecfg.key "${cert_dir}/kubecfg.key"
+# Make server certs accessible to apiserver.
+chown $cert_file_owner "${cert_dir}/server.key" "${cert_dir}/server.cert" "${cert_dir}/ca.cert"
diff --git a/cluster/saltbase/salt/generate-cert/make-cert.sh b/cluster/saltbase/salt/generate-cert/make-cert.sh
index cb4d93ad9f..f878486bc6 100755
--- a/cluster/saltbase/salt/generate-cert/make-cert.sh
+++ b/cluster/saltbase/salt/generate-cert/make-cert.sh
@@ -15,7 +15,9 @@
 # limitations under the License.
 cert_dir=/srv/kubernetes
+cert_file_owner=apiserver.apiserver
 openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 \
 -subj "/CN=kubernetes.invalid/O=Kubernetes" \
 -keyout "${cert_dir}/server.key" -out "${cert_dir}/server.cert"
+chown $cert_file_owner "${cert_dir}/server.key" "${cert_dir}/server.cert"
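Review bot: The added chown in make-ca-cert.sh names `${cert_dir}/ca.cert`, but the file copied three lines above it is `${cert_dir}/ca.crt`, so chown will fail on a path that does not exist and, if the script also runs under errexit (only `set -o pipefail` is visible in the hunk header), abort after the certificates are already in place; the argument should read `"${cert_dir}/ca.crt"`. Whether `server.cert` exists at that point cannot be confirmed from the hunk, since only the `server.key` copy appears in its context. `$cert_file_owner` is expanded unquoted on the same line, and the `apiserver.apiserver` form set in the first hunk is a GNU extension; `chown "$cert_file_owner" …` with `cert_file_owner=apiserver:apiserver` is the portable spelling, and the same applies to the two added lines in make-cert.sh.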
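Review bot: The new chown in make-cert.sh changes ownership but not mode, so server.key keeps whatever permissions openssl's `-keyout` and the caller's umask produced, which this hunk does not pin. Adding `chmod 600 "${cert_dir}/server.key"` beside the chown (and `chmod 644 "${cert_dir}/server.cert"` for the public half) would make the private key unreadable to other local users regardless of umask. The `# Make server certs accessible to apiserver.` comment used in make-ca-cert.sh would also be worth repeating here so the two scripts document the ownership change the same way.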