diff --git a/managed/src/main/java/com/yugabyte/yw/common/NodeManager.java b/managed/src/main/java/com/yugabyte/yw/common/NodeManager.java
index 4784a0052473..3ba169375c84 100644
--- a/managed/src/main/java/com/yugabyte/yw/common/NodeManager.java
+++ b/managed/src/main/java/com/yugabyte/yw/common/NodeManager.java
@@ -414,15 +414,15 @@ private List getCertificatePaths(
 serverKeyPath = String.format("%s/%s", tempStorageDirectory, serverKeyFile);
 certsLocation = CERT_LOCATION_PLATFORM;
- if (taskParam.rootAndClientRootCASame && taskParam.enableClientToNodeEncrypt) {
- // These client certs are used for node to postgres communication
- // These are separate from clientRoot certs which are used for server to client
- // communication These are not required anymore as this is not mandatory now and
- // can be removed. The code is still here to maintain backward compatibility
+ if (taskParam.enableClientToNodeEncrypt) {
+
+ UUID cliRootCA = taskParam.clientRootCA;
+ if (taskParam.rootAndClientRootCASame) cliRootCA = taskParam.rootCA;
+
 subcommandStrings.add("--client_cert_path");
- subcommandStrings.add(CertificateHelper.getClientCertFile(taskParam.rootCA));
+ subcommandStrings.add(CertificateHelper.getClientCertFile(cliRootCA));
 subcommandStrings.add("--client_key_path");
- subcommandStrings.add(CertificateHelper.getClientKeyFile(taskParam.rootCA));
+ subcommandStrings.add(CertificateHelper.getClientKeyFile(cliRootCA));
 }
 } catch (IOException e) {
 LOG.error(e.getMessage(), e);
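Review bot: When `rootAndClientRootCASame` is false, `cliRootCA` is `taskParam.clientRootCA` and nothing in the new block checks it for null before `CertificateHelper.getClientCertFile(cliRootCA)` is called; the old guard never reached this code in that case, so a universe with client-to-node encryption enabled but no `clientRootCA` set would now fail inside the helper, or pass a meaningless path to the node, instead of at a clear check. Unless callers guarantee the field is populated, which this hunk cannot show, add `if (cliRootCA == null) throw new IllegalStateException("clientRootCA is required when enableClientToNodeEncrypt is set");` right after the assignment. The same five lines are repeated verbatim in the second NodeManager hunk at 516; a small private helper such as `addClientCertArgs(taskParam, subcommandStrings)` would keep both cert-location branches in step. The enclosing `getCertificatePaths` begins before this hunk.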
@@ -516,6 +516,18 @@ private List getCertificatePaths(
 serverCertPath = String.format("%s/%s", tempStorageDirectory, serverCertFile);
 serverKeyPath = String.format("%s/%s", tempStorageDirectory, serverKeyFile);
 certsLocation = CERT_LOCATION_PLATFORM;
+
+ if (taskParam.enableClientToNodeEncrypt) {
+
+ UUID cliRootCA = taskParam.clientRootCA;
+ if (taskParam.rootAndClientRootCASame) cliRootCA = taskParam.rootCA;
+
+ subcommandStrings.add("--client_cert_path");
+ subcommandStrings.add(CertificateHelper.getClientCertFile(cliRootCA));
+ subcommandStrings.add("--client_key_path");
+ subcommandStrings.add(CertificateHelper.getClientKeyFile(cliRootCA));
+ }
+
 } catch (IOException e) {
 LOG.error(e.getMessage(), e);
 throw new RuntimeException(e);
diff --git a/managed/src/main/java/com/yugabyte/yw/common/certmgmt/CertificateHelper.java b/managed/src/main/java/com/yugabyte/yw/common/certmgmt/CertificateHelper.java
index c7b316980d7d..6a4e034de749 100644
--- a/managed/src/main/java/com/yugabyte/yw/common/certmgmt/CertificateHelper.java
+++ b/managed/src/main/java/com/yugabyte/yw/common/certmgmt/CertificateHelper.java
@@ -545,6 +545,7 @@ public static String getCertPEM(CertificateInfo cert) {
 }
 public static String getKeyPEM(CertificateInfo cert) {
+ if (cert.certType == CertConfigType.HashicorpVault) return "";
 String privateKeyPEM = FileUtils.readFileToString(new File(cert.privateKey));
 privateKeyPEM = Base64.getEncoder().encodeToString(privateKeyPEM.getBytes());
 return privateKeyPEM;
@@ -552,9 +553,7 @@ public static String getKeyPEM(CertificateInfo cert) {
 public static String getKeyPEM(UUID rootCA) {
 CertificateInfo cert = CertificateInfo.get(rootCA);
- String privateKeyPEM = FileUtils.readFileToString(new File(cert.privateKey));
- privateKeyPEM = Base64.getEncoder().encodeToString(privateKeyPEM.getBytes());
- return privateKeyPEM;
+ return getKeyPEM(cert);
 }
 public static String getClientCertFile(UUID rootCA) {
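Review bot: The new early return in `getKeyPEM(CertificateInfo)` hands back an empty string for `HashicorpVault` certs without saying why, and a caller that base64-decodes or writes that value cannot tell "the key is not held locally" from "the key file was empty"; the line needs at least a comment such as `// Vault-backed certs keep no local private-key file; "" means "no key available here", not an empty key.` with the Vault detail confirmed against the cert-config code, which this hunk does not show. Because `getKeyPEM(UUID)` now delegates, a null from `CertificateInfo.get(rootCA)` surfaces as an NPE on `cert.certType`, the same failure the old copy had on `cert.privateKey`, so not a regression, but `Objects.requireNonNull(cert, "no CertificateInfo for " + rootCA);` before the call would make the failure readable. The surviving `readFileToString(new File(...))` and `getBytes()` use the platform default charset; passing `StandardCharsets.UTF_8` to both pins the PEM encoding now that this is the only copy of that code. The closing brace of `getKeyPEM(CertificateInfo)` lies outside its hunk.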
diff --git a/managed/src/main/java/com/yugabyte/yw/controllers/handlers/UpgradeUniverseHandler.java b/managed/src/main/java/com/yugabyte/yw/controllers/handlers/UpgradeUniverseHandler.java
index 9b2f3f2748ec..0a04e1807eff 100644
--- a/managed/src/main/java/com/yugabyte/yw/controllers/handlers/UpgradeUniverseHandler.java
+++ b/managed/src/main/java/com/yugabyte/yw/controllers/handlers/UpgradeUniverseHandler.java
@@ -147,19 +147,27 @@ public UUID rotateCerts(CertsRotateParams requestParams, Customer customer, Univ
 requestParams.universeUUID = universe.universeUUID;
 requestParams.expectedUniverseVersion = universe.version;
 UserIntent userIntent = universe.getUniverseDetails().getPrimaryCluster().userIntent;
+
 // Generate client certs if rootAndClientRootCASame is true and rootCA is self-signed.
 // This is there only for legacy support, no need if rootCA and clientRootCA are different.
 if (userIntent.enableClientToNodeEncrypt && requestParams.rootAndClientRootCASame) {
- CertificateInfo rootCert = CertificateInfo.get(requestParams.rootCA);
+
+ UUID cliRootCA = requestParams.clientRootCA;
+ if (requestParams.rootAndClientRootCASame) cliRootCA = requestParams.rootCA;
+
+ CertificateInfo rootCert = CertificateInfo.get(cliRootCA);
+ log.debug(
+ "rotateCerts called with clientRootCA: {}",
+ (cliRootCA != null) ? cliRootCA.toString() : "NULL");
 if (rootCert.certType == CertConfigType.SelfSigned
 || rootCert.certType == CertConfigType.HashicorpVault) {
 CertificateHelper.createClientCertificate(
- requestParams.rootCA,
+ cliRootCA,
 String.format(
 CertificateHelper.CERT_PATH,
 runtimeConfigFactory.staticApplicationConf().getString("yb.storage.path"),
 customer.uuid.toString(),
- requestParams.rootCA.toString()),
+ cliRootCA.toString()),
 CertificateHelper.DEFAULT_CLIENT,
 null,
 null);
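Review bot: Inside `if (userIntent.enableClientToNodeEncrypt && requestParams.rootAndClientRootCASame)` the new `if (requestParams.rootAndClientRootCASame) cliRootCA = requestParams.rootCA;` is always taken, so `cliRootCA` is always `requestParams.rootCA` and the `UUID cliRootCA = requestParams.clientRootCA;` line is dead code. Either the outer condition should be relaxed to `userIntent.enableClientToNodeEncrypt` so that a distinct `clientRootCA` also gets its client cert generated, matching the NodeManager change in this commit, or the two new lines should collapse to `UUID cliRootCA = requestParams.rootCA;`; the comment above the block, which still speaks only of `rootCA` being self-signed, should then state which case is intended. The `log.debug` that prints `NULL` runs only after `CertificateInfo.get(cliRootCA)` has been called, and nothing checks `rootCert` before `rootCert.certType`, so log before the lookup and add `Objects.requireNonNull(rootCert, "no CertificateInfo for " + cliRootCA);` so a missing cert fails with a readable message. `rotateCerts` continues past the end of this hunk.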