diff --git a/modules/bootkube/assets.tf b/modules/bootkube/assets.tf
index 383817bd00..4f734f29f4 100644
--- a/modules/bootkube/assets.tf
+++ b/modules/bootkube/assets.tf
@@ -26,7 +26,7 @@ resource "template_folder" "bootkube" {
 oidc_username_claim = "${var.oidc_username_claim}"
 oidc_groups_claim = "${var.oidc_groups_claim}"
- ca_cert = "${base64encode(tls_self_signed_cert.kube-ca.cert_pem)}"
+ ca_cert = "${base64encode(var.ca_cert == "" ? join(" ", tls_self_signed_cert.kube-ca.*.cert_pem) : var.ca_cert)}"
 apiserver_key = "${base64encode(tls_private_key.apiserver.private_key_pem)}"
 apiserver_cert = "${base64encode(tls_locally_signed_cert.apiserver.cert_pem)}"
 serviceaccount_pub = "${base64encode(tls_private_key.service-account.public_key_pem)}"
@@ -39,7 +39,7 @@ data "template_file" "kubeconfig" {
 template = "${file("${path.module}/resources/kubeconfig")}"
 vars {
- ca_cert = "${base64encode(tls_self_signed_cert.kube-ca.cert_pem)}"
+ ca_cert = "${base64encode(var.ca_cert == "" ? join(" ", tls_self_signed_cert.kube-ca.*.cert_pem) : var.ca_cert)}"
 kubelet_cert = "${base64encode(tls_locally_signed_cert.kubelet.cert_pem)}"
 kubelet_key = "${base64encode(tls_private_key.kubelet.private_key_pem)}"
 server = "${var.kube_apiserver_url}"
diff --git a/modules/bootkube/assets_tls.tf b/modules/bootkube/assets_tls.tf
index da9ce6d3b8..5b712bf5a0 100644
--- a/modules/bootkube/assets_tls.tf
+++ b/modules/bootkube/assets_tls.tf
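Review bot: The `.*`/`join(" ", …)` indirection in the two `ca_cert` assignments here is explained only by the NOTE added at the top of assets_tls.tf; a reader of assets.tf (and of outputs.tf, where the same idiom appears three more times) has no pointer to it. Suggest a one-line comment above each affected `vars` block, e.g. `# kube-ca is created conditionally (count 0/1); see the NOTE in assets_tls.tf for the .*/join() idiom.`. Both enclosing blocks (`template_folder.bootkube` and `template_file.kubeconfig`) start and end outside their hunks.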
@@ -1,3 +1,16 @@
+# NOTE: Across this module, the following syntax is used at various places:
+# `"${var.ca_cert == "" ? join(" ", tls_private_key.kube-ca.*.private_key_pem) : var.ca_key}"`
+#
+# Due to https://github.com/hashicorp/hil/issues/50, both sides of conditions
+# are evaluated, until one of them is discarded. Unfortunately, the
+# `{tls_private_key/tls_self_signed_cert}.kube-ca` resources are created
+# conditionally and might not be present - in which case an error is
+# generated. Because a `count` is used on these ressources, the resources can be
+# referenced as lists with the `.*` notation, and arrays are allowed to be
+# empty. The `join()` interpolation function is then used to cast them back to
+# a string. Since `count` can only be 0 or 1, the returned value is either empty
+# (and discarded anyways) or the desired value.
+
 # Kubernetes CA (resources/generated/tls/{ca.crt,ca.key})
 resource "tls_private_key" "kube-ca" {
 count = "${var.ca_cert == "" ? 1 : 0}"
@@ -27,12 +40,12 @@ resource "tls_self_signed_cert" "kube-ca" {
 }
 resource "localfile_file" "kube-ca-key" {
- content = "${var.ca_cert == "" ? tls_private_key.kube-ca.private_key_pem : var.ca_key}"
+ content = "${var.ca_cert == "" ? join(" ", tls_private_key.kube-ca.*.private_key_pem) : var.ca_key}"
 destination = "${path.cwd}/generated/tls/ca.key"
 }
 resource "localfile_file" "kube-ca-crt" {
- content = "${var.ca_cert == "" ? tls_self_signed_cert.kube-ca.cert_pem : var.ca_cert}"
+ content = "${var.ca_cert == "" ? join(" ", tls_self_signed_cert.kube-ca.*.cert_pem) : var.ca_cert}"
 destination = "${path.cwd}/generated/tls/ca.crt"
 }
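Review bot: The supplied-CA branch of `localfile_file.kube-ca-key` writes `var.ca_key` to `generated/tls/ca.key` while the condition inspects only `var.ca_cert`, so a caller that sets `ca_cert` but leaves `ca_key` (or `ca_key_alg`) empty gets an empty key file here and an opaque `tls_locally_signed_cert` failure later in the apiserver/kubelet hunks instead of an early, explicit error; the `ca_key`/`ca_key_alg` outputs carry the same coupling. The NOTE in the first hunk is the natural place to state the invariant: suggest appending `# ca_cert, ca_key and ca_key_alg must be supplied together; only ca_cert is inspected by the conditions.` If the Terraform version in use cannot validate variables, that comment is the minimum. In the same NOTE, "ressources" should read "resources".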
@@ -67,9 +80,9 @@ resource "tls_cert_request" "apiserver" {
 resource "tls_locally_signed_cert" "apiserver" {
 cert_request_pem = "${tls_cert_request.apiserver.cert_request_pem}"
- ca_key_algorithm = "${var.ca_cert == "" ? tls_self_signed_cert.kube-ca.key_algorithm : var.ca_key_alg}"
- ca_private_key_pem = "${var.ca_cert == "" ? tls_private_key.kube-ca.private_key_pem : var.ca_key}"
- ca_cert_pem = "${var.ca_cert == "" ? tls_self_signed_cert.kube-ca.cert_pem : var.ca_cert}"
+ ca_key_algorithm = "${var.ca_cert == "" ? join(" ", tls_self_signed_cert.kube-ca.*.key_algorithm) : var.ca_key_alg}"
+ ca_private_key_pem = "${var.ca_cert == "" ? join(" ", tls_private_key.kube-ca.*.private_key_pem) : var.ca_key}"
+ ca_cert_pem = "${var.ca_cert == "" ? join(" ", tls_self_signed_cert.kube-ca.*.cert_pem): var.ca_cert}"
 validity_period_hours = 8760
 allowed_uses = [
@@ -125,9 +138,9 @@ resource "tls_cert_request" "kubelet" {
 resource "tls_locally_signed_cert" "kubelet" {
 cert_request_pem = "${tls_cert_request.kubelet.cert_request_pem}"
- ca_key_algorithm = "${var.ca_cert == "" ? tls_self_signed_cert.kube-ca.key_algorithm : var.ca_key_alg}"
- ca_private_key_pem = "${var.ca_cert == "" ? tls_private_key.kube-ca.private_key_pem : var.ca_key}"
- ca_cert_pem = "${var.ca_cert == "" ? tls_self_signed_cert.kube-ca.cert_pem : var.ca_cert}"
+ ca_key_algorithm = "${var.ca_cert == "" ? join(" ", tls_self_signed_cert.kube-ca.*.key_algorithm) : var.ca_key_alg}"
+ ca_private_key_pem = "${var.ca_cert == "" ? join(" ", tls_private_key.kube-ca.*.private_key_pem) : var.ca_key}"
+ ca_cert_pem = "${var.ca_cert == "" ? join(" ", tls_self_signed_cert.kube-ca.*.cert_pem) : var.ca_cert}"
 validity_period_hours = 8760
 allowed_uses = [
diff --git a/modules/bootkube/outputs.tf b/modules/bootkube/outputs.tf
index e4b1a973ab..83b77a6670 100644
--- a/modules/bootkube/outputs.tf
+++ b/modules/bootkube/outputs.tf
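Review bot: The `ca_cert_pem` line added to `tls_locally_signed_cert.apiserver` drops the space before the `:` (`cert_pem): var.ca_cert`), unlike the same line in the kubelet hunk and every other occurrence of the idiom in the module; for consistency it should read `ca_cert_pem = "${var.ca_cert == "" ? join(" ", tls_self_signed_cert.kube-ca.*.cert_pem) : var.ca_cert}"`. The three CA attributes are now duplicated verbatim between the apiserver and kubelet resources; if the Terraform version in use supports a `locals` block, computing them once would keep the two signers from drifting apart. Both resource blocks continue past their hunks (`allowed_uses = [` is left open).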
@@ -24,13 +24,13 @@ output "kubeconfig" {
 }
 output "ca_cert" {
- value = "${var.ca_cert == "" ? tls_self_signed_cert.kube-ca.cert_pem : var.ca_cert}"
+ value = "${var.ca_cert == "" ? join(" ", tls_self_signed_cert.kube-ca.*.cert_pem) : var.ca_cert}"
 }
 output "ca_key_alg" {
- value = "${var.ca_cert == "" ? tls_self_signed_cert.kube-ca.key_algorithm : var.ca_key_alg}"
+ value = "${var.ca_cert == "" ? join(" ", tls_self_signed_cert.kube-ca.*.key_algorithm) : var.ca_key_alg}"
 }
 output "ca_key" {
- value = "${var.ca_cert == "" ? tls_private_key.kube-ca.private_key_pem : var.ca_key}"
+ value = "${var.ca_cert == "" ? join(" ", tls_private_key.kube-ca.*.private_key_pem) : var.ca_key}"
 }