diff --git a/playbookconfig/src/playbooks/roles/bootstrap/apply-manifest/tasks/apply_bootstrap_manifest.yml b/playbookconfig/src/playbooks/roles/bootstrap/apply-manifest/tasks/apply_bootstrap_manifest.yml
index f0a60ed91..670d4d366 100644
--- a/playbookconfig/src/playbooks/roles/bootstrap/apply-manifest/tasks/apply_bootstrap_manifest.yml
+++ b/playbookconfig/src/playbooks/roles/bootstrap/apply-manifest/tasks/apply_bootstrap_manifest.yml
@@ -154,6 +154,13 @@
         name: common/create-etcd-certs
     when: etcd_certs_find_output.matched == 0
 
+  - name: Check if apiserver-keys are present in the backup tarball
+    shell: "tar -tf {{ restore_data_file }} | grep 'etc/kubernetes/pki/apiserver-etcd-client.*'"
+    args:
+      warn: false
+    failed_when: false
+    register: apiserver_etcd_certs_find_output
+
   - name: Extract apiserver-keys from /etc/kubernetes/pki
     shell: tar -C /etc/etcd/ --overwrite -xpf {{ restore_data_file }} {{ item }} --strip-components 3
     args:
@@ -162,7 +169,7 @@
       - "{{ kubeadm_pki_dir | regex_replace('^\\/', '') }}/apiserver-etcd-client.crt"
       - "{{ kubeadm_pki_dir | regex_replace('^\\/', '') }}/apiserver-etcd-client.key"
     become_user: root
-    when: mode == 'restore'
+    when: apiserver_etcd_certs_find_output.rc == 0
 
   - name: Look for ssh_config dir in the backup tarball
     shell: "tar -tf {{ restore_data_file }} | grep 'opt/platform/config/.*/ssh_config'"