diff --git a/cmd/dkl-local-server/tls-ca.go b/cmd/dkl-local-server/tls-ca.go
index 21e647a..87f07c6 100644
--- a/cmd/dkl-local-server/tls-ca.go
+++ b/cmd/dkl-local-server/tls-ca.go
@@ -148,6 +148,7 @@ func getUsableKeyCert(cluster, caName, name, profile, label string, req *csr.Cer
 			return
 		}
+		log.Print("cert verify:\n", string(kc.Cert), "\n\nagainst CA certs:\n", string(ca.Cert))
 		_, err = cert.Verify(x509.VerifyOptions{Roots: pool})
 		return
 	}()
diff --git a/cmd/dkl-local-server/ws-cluster-cas.go b/cmd/dkl-local-server/ws-cluster-cas.go
index 7e08c95..f413267 100644
--- a/cmd/dkl-local-server/ws-cluster-cas.go
+++ b/cmd/dkl-local-server/ws-cluster-cas.go
@@ -2,7 +2,9 @@ package main
 import (
 	"fmt"
+	"time"
+	"github.com/cloudflare/cfssl/helpers"
 	"github.com/cloudflare/cfssl/log"
 	restful "github.com/emicklei/go-restful"
 )
@@ -55,11 +57,22 @@ func getUsableClusterCA(cluster, name string) (ca CA, err error) {
 	if checkErr != nil {
 		log.Infof("cluster %s: CA %s: regenerating certificate: %v", cluster, name, checkErr)
+		prevCerts, _ := helpers.ParseCertificatesPEM(ca.Cert)
+
 		err = ca.RenewCert()
 		if err != nil {
 			err = fmt.Errorf("renew: %w", err)
 		}
+		now := time.Now()
+		for _, cert := range prevCerts {
+			if cert.NotAfter.After(now) {
+				continue
+			}
+			certPEM := helpers.EncodeCertificatePEM(cert)
+			ca.Cert = append(ca.Cert, certPEM...)
+		}
+
 		err = clusterCAs.Put(key, ca)
 	}
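Review bot: The added `log.Print` in getUsableKeyCert dumps the complete PEM of the leaf certificate and of the whole CA bundle, unconditionally, on every key/cert lookup; it reads as a debugging statement left in, and on a busy server it will flood the log with multi-kilobyte blobs that also make every other line harder to find. Certificates are not secrets, but the useful information for diagnosing a verify failure is the identity and validity window, not the PEM, so a one-liner such as `log.Printf("cluster %s: verifying cert %s (serial %s, expires %s) against CA %s", cluster, cert.Subject, cert.SerialNumber, cert.NotAfter, caName)` carries more signal; if this is cfssl's logger rather than the standard library one, it should go through the debug level so it can be turned off in production. The closure this line sits in, and getUsableKeyCert itself, both start outside the hunk.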
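Review bot: The retention condition in the new loop of getUsableClusterCA looks inverted: `if cert.NotAfter.After(now) { continue }` skips every previous CA certificate that is still valid and appends only the expired ones, which x509 verification rejects anyway, so the renewed bundle ends up with nothing that can still validate certificates issued under the old CA. If the intent is to keep old-but-unexpired CA certificates so existing leaf certificates keep verifying across a rotation, the line should read `if !cert.NotAfter.After(now) { continue }`. Two smaller issues in the same hunk: the error from `helpers.ParseCertificatesPEM(ca.Cert)` is discarded, so a corrupt stored bundle silently yields an empty prevCerts; and the loop and the `clusterCAs.Put(key, ca)` call run even when `ca.RenewCert()` failed, at which point the existing `err = clusterCAs.Put(key, ca)` line also overwrites the wrapped renew error, so turning the renew failure into `return ca, fmt.Errorf("renew: %w", err)` would stop a failed renewal from being persisted with duplicated previous certificates. getUsableClusterCA begins and ends outside the hunk.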