diff --git a/internal/kubeadm/types.go b/internal/kubeadm/types.go
index e45ad69..48e9967 100644
--- a/internal/kubeadm/types.go
+++ b/internal/kubeadm/types.go
@@ -18,7 +18,7 @@ type Configuration struct {
 }
 func (c *Configuration) Checksum() string {
- initConfiguration, _ := json.Marshal(c.InitConfiguration)
+ initConfiguration, _ := utilities.EncondeToYaml(&c.InitConfiguration)
 kubeconfig, _ := json.Marshal(c.Kubeconfig)
 parameters, _ := json.Marshal(c.Parameters)
diff --git a/internal/resources/kubeconfig.go b/internal/resources/kubeconfig.go
index 041b197..5817577 100644
--- a/internal/resources/kubeconfig.go
+++ b/internal/resources/kubeconfig.go
@@ -5,8 +5,6 @@ package resources
 import (
 "context"
- "crypto/md5"
- "encoding/hex"
 "fmt"
 "github.com/go-logr/logr"
@@ -108,19 +106,16 @@ func (r *KubeconfigResource) CreateOrUpdate(ctx context.Context, tenantControlPl
 return utilities.CreateOrUpdateWithConflict(ctx, r.Client, r.resource, r.mutate(ctx, tenantControlPlane))
 }
+func (r *KubeconfigResource) checksum(apiServerCertificatesSecret *corev1.Secret, kubeadmChecksum string) string {
+ return utilities.CalculateConfigMapChecksum(map[string]string{
+ "ca-cert-checksum": string(apiServerCertificatesSecret.Data[kubeadmconstants.CACertName]),
+ "ca-key-checksum": string(apiServerCertificatesSecret.Data[kubeadmconstants.CAKeyName]),
+ "kubeadmconfig": kubeadmChecksum,
+ })
+}
+
 func (r *KubeconfigResource) mutate(ctx context.Context, tenantControlPlane *kamajiv1alpha1.TenantControlPlane) controllerutil.MutateFn {
 return func() error {
- status, err := r.getKubeconfigStatus(tenantControlPlane)
- if err != nil {
- return err
- }
-
- if status.Checksum == r.resource.GetAnnotations()["checksum"] {
- if kubeadm.IsKubeconfigValid(r.resource.Data[r.KubeConfigFileName]) {
- return nil
- }
- }
-
 config, err := getStoredKubeadmConfiguration(ctx, r, tenantControlPlane)
 if err != nil {
 return err
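Review bot: The changed line in `Configuration.Checksum()` (internal/kubeadm/types.go) still discards the encoder's error, `initConfiguration, _ := utilities.EncondeToYaml(&c.InitConfiguration)`. If the encode fails, the checksum is presumably computed over an empty or partial value, so two different InitConfigurations could produce the same checksum, and this commit makes that checksum part of the decision to skip kubeconfig regeneration. Because `Checksum()` returns only a string, the least invasive step is a comment on the line, e.g. `// encode error ignored: a failure yields a checksum over empty input`, with a follow-up to surface the error to callers. The helper's name also reads like a typo for EncodeToYaml; it is defined outside this diff, and the function body continues past the hunk.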
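Review bot: The new `checksum` method in internal/resources/kubeconfig.go passes the raw CA private key, `string(apiServerCertificatesSecret.Data[kubeadmconstants.CAKeyName])`, into `utilities.CalculateConfigMapChecksum`, whose implementation is not visible in this diff. The CA certificate should already change whenever the key pair does, so the key entry looks redundant for detecting rotation; dropping the `"ca-key-checksum"` line would keep private key material out of a general-purpose helper. The map keys also say `-checksum` while the values are the raw secret values, so a key such as `"ca-cert"` would describe the entry better. A missing entry in `Data` silently contributes an empty string, which is worth stating in a doc comment on the method, e.g. `// checksum fingerprints the CA material and kubeadm config the kubeconfig is derived from; absent Secret keys hash as empty.`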
@@ -136,6 +131,19 @@ func (r *KubeconfigResource) mutate(ctx context.Context, tenantControlPlane *kam
 return err
 }
+ checksum := r.checksum(apiServerCertificatesSecret, config.Checksum())
+
+ status, err := r.getKubeconfigStatus(tenantControlPlane)
+ if err != nil {
+ return err
+ }
+
+ if status.Checksum == checksum {
+ if kubeadm.IsKubeconfigValid(r.resource.Data[r.KubeConfigFileName]) {
+ return nil
+ }
+ }
+
 kubeconfig, err := kubeadm.CreateKubeconfig(
 r.KubeConfigFileName,
 kubeadm.CertificatePrivateKeyPair{
@@ -159,10 +167,8 @@ func (r *KubeconfigResource) mutate(ctx context.Context, tenantControlPlane *kam
 },
 ))
- hash := md5.Sum(kubeconfig)
-
 r.resource.SetAnnotations(map[string]string{
- "checksum": hex.EncodeToString(hash[:]),
+ "checksum": checksum,
 })
 return ctrl.SetControllerReference(tenantControlPlane, r.resource, r.Client.Scheme())
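Review bot: The two nested `if`s added before `kubeadm.CreateKubeconfig` in `mutate` can be one condition, `if status.Checksum == checksum && kubeadm.IsKubeconfigValid(r.resource.Data[r.KubeConfigFileName]) {`, which keeps the skip path flat. A short comment above it would help the next reader, e.g. `// inputs unchanged and stored kubeconfig still valid: skip regeneration`. What `IsKubeconfigValid` verifies is not visible here; if it does not check the stored kubeconfig against the current CA, the checksum comparison is the only thing tying the two together, so that assumption is worth confirming. The closure in `mutate` starts and ends outside this hunk.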
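Review bot: `r.resource.SetAnnotations(map[string]string{...})` around the changed `"checksum": checksum,` line replaces the resource's whole annotation map, so any annotation set by another controller or an operator is dropped each time the kubeconfig is regenerated. The call itself is unchanged context, but since this hunk edits its contents it is a natural place to merge into the existing map instead. The annotation now records a hash of the inputs rather than of the generated kubeconfig, which deserves a short comment so nobody treats it as a digest of the stored data. The closure in `mutate` starts before this hunk.

```go
// … unchanged: kubeconfig generation and resource data assignment …
annotations := r.resource.GetAnnotations()
if annotations == nil {
	annotations = map[string]string{}
}
// Hash of the inputs (CA material + kubeadm config), not of the kubeconfig bytes.
annotations["checksum"] = checksum
r.resource.SetAnnotations(annotations)
```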