diff --git a/cmd/openshift-install/agent.go b/cmd/openshift-install/agent.go
index f3f857f48b7..513432616c0 100644
--- a/cmd/openshift-install/agent.go
+++ b/cmd/openshift-install/agent.go
@@ -14,6 +14,7 @@ import (
 "github.com/openshift/installer/pkg/asset/agent/mirror"
 "github.com/openshift/installer/pkg/asset/kubeconfig"
 "github.com/openshift/installer/pkg/asset/password"
+ "github.com/openshift/installer/pkg/asset/tls"
 )
 
 func newAgentCmd(ctx context.Context) *cobra.Command {
@@ -114,7 +115,23 @@ var (
 },
 }
 
- agentTargets = []target{agentConfigTarget, agentManifestsTarget, agentImageTarget, agentPXEFilesTarget, agentConfigImageTarget, agentUnconfiguredIgnitionTarget}
+ agentCertificatesTarget = target{
+ name: "Agent create certificates",
+ command: &cobra.Command{
+ Use: "certificates",
+ Short: "Generates the tls certificates that can be used to create kubeconfig",
+ Args: cobra.ExactArgs(0),
+ Hidden: true,
+ },
+ assets: []asset.WritableAsset{
+ &tls.KubeAPIServerLBSignerCertKey{},
+ &tls.KubeAPIServerLocalhostSignerCertKey{},
+ &tls.KubeAPIServerServiceNetworkSignerCertKey{},
+ &tls.AdminKubeConfigSignerCertKey{},
+ },
+ }
+
+ agentTargets = []target{agentConfigTarget, agentManifestsTarget, agentImageTarget, agentPXEFilesTarget, agentConfigImageTarget, agentUnconfiguredIgnitionTarget, agentCertificatesTarget}
 )
 
 func newAgentCreateCmd(ctx context.Context) *cobra.Command {
diff --git a/cmd/openshift-install/testdata/agent/image/assets/tls_assets.txt b/cmd/openshift-install/testdata/agent/image/assets/tls_assets.txt
new file mode 100644
index 00000000000..47f7bcc4af3
--- /dev/null
+++ b/cmd/openshift-install/testdata/agent/image/assets/tls_assets.txt
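Review bot: The `Short` text on `agentCertificatesTarget` in cmd/openshift-install/agent.go describes only certificates, but the asset list is four signer cert/key pairs, so the command also writes the signers' private keys under `--dir` (the test data added in this commit expects `tls/*.key`). Whoever holds `admin-kubeconfig-signer.key` can presumably issue admin client certificates, so the help text should say what lands on disk: `Short: "Generates the TLS signer certificates and private keys that can be used to create a kubeconfig",`. The file mode those key files are written with is not visible in this hunk; it is worth confirming they are not group- or world-readable. The enclosing `var (` block starts outside the hunk.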
@@ -0,0 +1,12 @@
+# Verify that the create certificates command generates the tls assets
+
+exec openshift-install agent create certificates --dir $WORK
+
+exists $WORK/tls/admin-kubeconfig-signer.crt
+exists $WORK/tls/kube-apiserver-lb-signer.crt
+exists $WORK/tls/kube-apiserver-localhost-signer.crt
+exists $WORK/tls/kube-apiserver-service-network-signer.crt
+exists $WORK/tls/admin-kubeconfig-signer.key
+exists $WORK/tls/kube-apiserver-lb-signer.key
+exists $WORK/tls/kube-apiserver-localhost-signer.key
+exists $WORK/tls/kube-apiserver-service-network-signer.key
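Review bot: The eight `exists` checks pass for an empty or truncated file, so this script would not catch the command writing unusable signer material. If the certificates are written as PEM (not visible here), one content check per pair would tighten it, e.g. `grep 'BEGIN CERTIFICATE' $WORK/tls/admin-kubeconfig-signer.crt`. The script also asserts nothing about the mode of the `.key` files, which is the property that matters most for signer keys left in `--dir`.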