diff --git a/lib/bootstrap.py b/lib/bootstrap.py
index 71e2e9e354aab92a6ffe0a5a7ebcabb433e40ee0..0d998f05c2712945f8a420f16657a4904772d3b6 100644
--- a/lib/bootstrap.py
+++ b/lib/bootstrap.py
@@ -324,16 +324,20 @@ def SetupNodeDaemon(cluster_name, node, ssh_key_check):
   sshrunner = ssh.SshRunner(cluster_name)
 
   noded_cert = utils.ReadFile(constants.SSL_CERT_FILE)
+  rapi_cert = utils.ReadFile(constants.RAPI_CERT_FILE)
 
   # in the base64 pem encoding, neither '!' nor '.' are valid chars,
   # so we use this to detect an invalid certificate; as long as the
   # cert doesn't contain this, the here-document will be correctly
   # parsed by the shell sequence below
-  if re.search('^!EOF\.', noded_cert, re.MULTILINE):
+  if (re.search('^!EOF\.', noded_cert, re.MULTILINE) or
+      re.search('^!EOF\.', rapi_cert, re.MULTILINE)):
     raise errors.OpExecError("invalid PEM encoding in the SSL certificate")
 
   if not noded_cert.endswith("\n"):
     noded_cert += "\n"
+  if not rapi_cert.endswith("\n"):
+    rapi_cert += "\n"
 
   # set up inter-node password and certificate and restarts the node daemon
   # and then connect with ssh to set password and start ganeti-noded
@@ -341,8 +345,12 @@ def SetupNodeDaemon(cluster_name, node, ssh_key_check):
   # either by being constants or by the checks above
   mycommand = ("umask 077 && "
                "cat > '%s' << '!EOF.' && \n"
-               "%s!EOF.\n%s restart" %
+               "%s!EOF.\n"
+               "cat > '%s' << '!EOF.' && \n"
+               "%s!EOF.\n"
+               "%s restart" %
                (constants.SSL_CERT_FILE, noded_cert,
+                constants.RAPI_CERT_FILE, rapi_cert,
                 constants.NODE_INITD_SCRIPT))
 
   result = sshrunner.Run(node, 'root', mycommand, batch=False,