diff --git a/internal/util/vault_tokens.go b/internal/util/vault_tokens.go
index 6cff2a1aa..80fe22da5 100644
--- a/internal/util/vault_tokens.go
+++ b/internal/util/vault_tokens.go
@@ -63,7 +63,7 @@ type standardVault struct {
 	VaultClientCert string `json:"VAULT_CLIENT_CERT"`
 	VaultClientKey string `json:"VAULT_CLIENT_KEY"`
 	VaultNamespace string `json:"VAULT_NAMESPACE"`
-	VaultSkipVerify *bool `json:"VAULT_SKIP_VERIFY"`
+	VaultSkipVerify string `json:"VAULT_SKIP_VERIFY"`
 }
 
 type vaultTokenConf struct {
@@ -91,8 +91,9 @@ func (v *vaultTokenConf) convertStdVaultToCSIConfig(s *standardVault) {
 	// by default the CA should get verified, only when VaultSkipVerify is
 	// set, verification should be disabled
 	v.VaultCAVerify = "true"
-	if s.VaultSkipVerify != nil {
-		v.VaultCAVerify = strconv.FormatBool(*s.VaultSkipVerify)
+	verify, err := strconv.ParseBool(s.VaultSkipVerify)
+	if err == nil {
+		v.VaultCAVerify = strconv.FormatBool(!verify)
 	}
 }
 
diff --git a/internal/util/vault_tokens_test.go b/internal/util/vault_tokens_test.go
index 8e7c8d080..71c0eefc6 100644
--- a/internal/util/vault_tokens_test.go
+++ b/internal/util/vault_tokens_test.go
@@ -17,6 +17,7 @@ limitations under the License.
 package util
 
 import (
+	"encoding/json"
 	"errors"
 	"strings"
 	"testing"
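Review bot: The new `VaultSkipVerify string` field has no comment stating which values it honours, so a reader of the struct has to find convertStdVaultToCSIConfig to learn that only a value strconv.ParseBool accepts as true disables verification and that anything else, including an unset field, keeps it enabled. Since this field is the one knob that can turn off TLS verification of the Vault server, that contract belongs on the declaration: `// VaultSkipVerify disables TLS verification of the Vault server only when it parses as a boolean true; any other value, including empty, keeps verification enabled.` The standardVault struct begins before this hunk.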
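Review bot: The error from `strconv.ParseBool(s.VaultSkipVerify)` is dropped, so a mistyped value such as "yes" or a value with a stray space silently keeps verification enabled; failing in that direction is right, but the operator gets no signal that their setting was ignored, and the method has no return value through which to report it. With the signature unchanged, at least make the intent explicit in the comment, which still says "only when VaultSkipVerify is set" and no longer matches the parsed-boolean check: `// by default the CA gets verified; only when VaultSkipVerify parses as a boolean true is verification disabled, any other value (including unset or malformed) keeps it enabled`. If the package has a logger in scope, logging the parse error at warning level when s.VaultSkipVerify is non-empty would surface the misconfiguration without changing behaviour. convertStdVaultToCSIConfig begins before this hunk.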
@@ -110,3 +111,50 @@ func TestInitVaultTokensKMS(t *testing.T) {
 		t.Errorf("unexpected error: %s", err)
 	}
 }
+
+// TestStdVaultToCSIConfig converts a JSON document with standard VAULT_*
+// environment variables to a vaultTokenConf structure.
+func TestStdVaultToCSIConfig(t *testing.T) {
+	vaultConfigMap := `{
+		"KMS_PROVIDER":"vaulttokens",
+		"VAULT_ADDR":"https://vault.example.com",
+		"VAULT_BACKEND_PATH":"/secret",
+		"VAULT_CACERT":"",
+		"VAULT_TLS_SERVER_NAME":"vault.example.com",
+		"VAULT_CLIENT_CERT":"",
+		"VAULT_CLIENT_KEY":"",
+		"VAULT_NAMESPACE":"a-department",
+		"VAULT_SKIP_VERIFY":"true"
+	}`
+
+	sv := &standardVault{}
+	err := json.Unmarshal([]byte(vaultConfigMap), sv)
+	if err != nil {
+		t.Errorf("unexpected error: %s", err)
+		return
+	}
+
+	v := vaultTokenConf{}
+	v.convertStdVaultToCSIConfig(sv)
+
+	switch {
+	case v.EncryptionKMSType != kmsTypeVaultTokens:
+		t.Errorf("unexpected value for EncryptionKMSType: %s", v.EncryptionKMSType)
+	case v.VaultAddress != "https://vault.example.com":
+		t.Errorf("unexpected value for VaultAddress: %s", v.VaultAddress)
+	case v.VaultBackendPath != "/secret":
+		t.Errorf("unexpected value for VaultBackendPath: %s", v.VaultBackendPath)
+	case v.VaultCAFromSecret != "":
+		t.Errorf("unexpected value for VaultCAFromSecret: %s", v.VaultCAFromSecret)
+	case v.VaultClientCertFromSecret != "":
+		t.Errorf("unexpected value for VaultClientCertFromSecret: %s", v.VaultClientCertFromSecret)
+	case v.VaultClientCertKeyFromSecret != "":
+		t.Errorf("unexpected value for VaultClientCertKeyFromSecret: %s", v.VaultClientCertKeyFromSecret)
+	case v.VaultNamespace != "a-department":
+		t.Errorf("unexpected value for VaultNamespace: %s", v.VaultNamespace)
+	case v.VaultTLSServerName != "vault.example.com":
+		t.Errorf("unexpected value for VaultTLSServerName: %s", v.VaultTLSServerName)
+	case v.VaultCAVerify != "false":
+		t.Errorf("unexpected value for VaultCAVerify: %s", v.VaultCAVerify)
+	}
+}
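Review bot: TestStdVaultToCSIConfig only exercises `"VAULT_SKIP_VERIFY":"true"`, so the fail-closed paths of convertStdVaultToCSIConfig — an empty value, "false", and an unparsable value — are left unverified, and those are exactly the cases where a regression would silently disable or re-enable certificate checking. Reusing the decoded `sv`, a short loop over a few VaultSkipVerify values asserting VaultCAVerify covers them without duplicating the fixture. The switch also stops at the first failing case, so one run reports a single mismatch; independent `if` statements (or t.Run subtests) would report all of them. The test function is complete within the hunk.
```go
	// … unchanged: fixture, json.Unmarshal and the switch over the "true" case …
	for _, tc := range []struct{ skip, want string }{
		{"false", "true"}, {"", "true"}, {"yes", "true"}, {"1", "false"},
	} {
		sv.VaultSkipVerify = tc.skip
		v = vaultTokenConf{}
		v.convertStdVaultToCSIConfig(sv)
		if v.VaultCAVerify != tc.want {
			t.Errorf("VAULT_SKIP_VERIFY=%q: VaultCAVerify = %q, want %q", tc.skip, v.VaultCAVerify, tc.want)
		}
	}
```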