diff --git a/nodeup/pkg/model/BUILD.bazel b/nodeup/pkg/model/BUILD.bazel
index d417b48077e95..cd36f82678888 100644
--- a/nodeup/pkg/model/BUILD.bazel
+++ b/nodeup/pkg/model/BUILD.bazel
@@ -86,6 +86,7 @@ go_test(
     srcs = [
         "containerd_test.go",
         "docker_test.go",
+        "fakes_test.go",
         "kube_apiserver_test.go",
         "kube_proxy_test.go",
         "kube_scheduler_test.go",
diff --git a/nodeup/pkg/model/fakes_test.go b/nodeup/pkg/model/fakes_test.go
new file mode 100644
index 0000000000000..9cfb302e5c1c9
--- /dev/null
+++ b/nodeup/pkg/model/fakes_test.go
@@ -0,0 +1,95 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package model
+
+import (
+	"crypto/x509"
+	"testing"
+
+	"gotest.tools/assert"
+	"k8s.io/kops/pkg/apis/kops"
+	"k8s.io/kops/pkg/pki"
+	"k8s.io/kops/upup/pkg/fi"
+	"k8s.io/kops/util/pkg/vfs"
+)
+
+// fakeKeyStore mocks out some of fi.KeyStore, for our tests.
+type fakeKeyStore struct {
+	T *testing.T
+}
+
+var _ fi.Keystore = &fakeKeyStore{}
+
+func (k fakeKeyStore) FindKeypair(name string) (*pki.Certificate, *pki.PrivateKey, bool, error) {
+	panic("fakeKeyStore does not implement FindKeypair")
+}
+
+func (k fakeKeyStore) CreateKeypair(signer string, name string, template *x509.Certificate, privateKey *pki.PrivateKey) (*pki.Certificate, error) {
+	panic("fakeKeyStore does not implement CreateKeypair")
+}
+
+func (k fakeKeyStore) StoreKeypair(id string, cert *pki.Certificate, privateKey *pki.PrivateKey) error {
+	panic("fakeKeyStore does not implement StoreKeypair")
+}
+
+func (k fakeKeyStore) MirrorTo(basedir vfs.Path) error {
+	panic("fakeKeyStore does not implement MirrorTo")
+}
+
+// fakeCAStore mocks out some of fi.CAStore, for our tests.
+// Although CAStore currently embeds KeyStore, we maintain the split here in the hope we can clean this up in future.
+type fakeCAStore struct {
+	fakeKeyStore
+
+	privateKeys map[string]*pki.PrivateKey
+	certs       map[string]*pki.Certificate
+}
+
+var _ fi.CAStore = &fakeCAStore{}
+
+func (k fakeCAStore) FindCertificatePool(name string) (*fi.CertificatePool, error) {
+	panic("fakeCAStore does not implement FindCertificatePool")
+}
+
+func (k fakeCAStore) FindCertificateKeyset(name string) (*kops.Keyset, error) {
+	panic("fakeCAStore does not implement FindCertificateKeyset")
+}
+
+func (k fakeCAStore) FindPrivateKey(name string) (*pki.PrivateKey, error) {
+	assert.Equal(k.T, "apiserver-aggregator-ca", name)
+	return k.privateKeys[name], nil
+}
+
+func (k fakeCAStore) FindPrivateKeyset(name string) (*kops.Keyset, error) {
+	panic("fakeCAStore does not implement FindPrivateKeyset")
+}
+
+func (k fakeCAStore) FindCert(name string) (*pki.Certificate, error) {
+	return k.certs[name], nil
+}
+
+func (k fakeCAStore) ListKeysets() ([]*kops.Keyset, error) {
+	panic("fakeCAStore does not implement ListKeysets")
+}
+
+func (k fakeCAStore) AddCert(name string, cert *pki.Certificate) error {
+	panic("fakeCAStore does not implement AddCert")
+}
+
+func (k fakeCAStore) DeleteKeysetItem(item *kops.Keyset, id string) error {
+	panic("fakeCAStore does not implement DeleteKeysetItem")
+}
diff --git a/nodeup/pkg/model/kube_apiserver_test.go b/nodeup/pkg/model/kube_apiserver_test.go
index e988356bf8a9d..13d9a31106db7 100644
--- a/nodeup/pkg/model/kube_apiserver_test.go
+++ b/nodeup/pkg/model/kube_apiserver_test.go
@@ -21,13 +21,10 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/stretchr/testify/assert"
 	"k8s.io/kops/pkg/apis/kops"
 	"k8s.io/kops/pkg/flagbuilder"
-	"k8s.io/kops/pkg/pki"
 	"k8s.io/kops/upup/pkg/fi"
 	"k8s.io/kops/upup/pkg/fi/nodeup/nodetasks"
-	"k8s.io/kops/util/pkg/vfs"
 )
 
 func Test_KubeAPIServer_Builder(t *testing.T) {
@@ -42,7 +39,9 @@ func Test_KubeAPIServer_Builder(t *testing.T) {
 		t.Fatalf("error loading model %q: %v", basedir, err)
 		return
 	}
-	nodeUpModelContext.KeyStore = &fakeKeyStore{T: t}
+	keystore := &fakeCAStore{}
+	keystore.T = t
+	nodeUpModelContext.KeyStore = keystore
 
 	builder := KubeAPIServerBuilder{NodeupModelContext: nodeUpModelContext}
 
@@ -65,55 +64,6 @@ func Test_KubeAPIServer_Builder(t *testing.T) {
 	}
 }
 
-type fakeKeyStore struct {
-	T *testing.T
-}
-
-func (k fakeKeyStore) FindKeypair(name string) (*pki.Certificate, *pki.PrivateKey, bool, error) {
-	panic("implement me")
-}
-
-func (k fakeKeyStore) StoreKeypair(id string, cert *pki.Certificate, privateKey *pki.PrivateKey) error {
-	panic("implement me")
-}
-
-func (k fakeKeyStore) MirrorTo(basedir vfs.Path) error {
-	panic("implement me")
-}
-
-func (k fakeKeyStore) FindCertificatePool(name string) (*fi.CertificatePool, error) {
-	panic("implement me")
-}
-
-func (k fakeKeyStore) FindCertificateKeyset(name string) (*kops.Keyset, error) {
-	panic("implement me")
-}
-
-func (k fakeKeyStore) FindPrivateKey(name string) (*pki.PrivateKey, error) {
-	panic("implement me")
-}
-
-func (k fakeKeyStore) FindPrivateKeyset(name string) (*kops.Keyset, error) {
-	panic("implement me")
-}
-
-func (k fakeKeyStore) FindCert(name string) (*pki.Certificate, error) {
-	assert.Equal(k.T, "apiserver-aggregator-ca", name)
-	return &pki.Certificate{}, nil
-}
-
-func (k fakeKeyStore) ListKeysets() ([]*kops.Keyset, error) {
-	panic("implement me")
-}
-
-func (k fakeKeyStore) AddCert(name string, cert *pki.Certificate) error {
-	panic("implement me")
-}
-
-func (k fakeKeyStore) DeleteKeysetItem(item *kops.Keyset, id string) error {
-	panic("implement me")
-}
-
 func Test_KubeAPIServer_BuildFlags(t *testing.T) {
 	grid := []struct {
 		config   kops.KubeAPIServerConfig
diff --git a/nodeup/pkg/model/kubelet_test.go b/nodeup/pkg/model/kubelet_test.go
index 2b74c026afbd3..59cb795ff47b2 100644
--- a/nodeup/pkg/model/kubelet_test.go
+++ b/nodeup/pkg/model/kubelet_test.go
@@ -21,10 +21,12 @@ import (
 	"path/filepath"
 	"testing"
 
+	"k8s.io/klog"
 	"k8s.io/kops/nodeup/pkg/distros"
 	"k8s.io/kops/pkg/apis/kops"
 	"k8s.io/kops/pkg/assets"
 	"k8s.io/kops/pkg/client/simple/vfsclientset"
+	"k8s.io/kops/pkg/pki"
 	"k8s.io/kops/pkg/testutils"
 	"k8s.io/kops/upup/pkg/fi"
 	"k8s.io/kops/upup/pkg/fi/cloudup"
@@ -232,6 +234,28 @@ func mockedPopulateClusterSpec(c *kops.Cluster) (*kops.Cluster, error) {
 	return cloudup.PopulateClusterSpec(clientset, c, assetBuilder)
 }
 
+// Fixed cert and key, borrowed from the create_kubecfg_test.go test
+// Wouldn't actually work in a real environment, but good enough for (today's) tests
+
+const dummyCertificate = "-----BEGIN CERTIFICATE-----\nMIIC2DCCAcCgAwIBAgIRALJXAkVj964tq67wMSI8oJQwDQYJKoZIhvcNAQELBQAw\nFTETMBEGA1UEAxMKa3ViZXJuZXRlczAeFw0xNzEyMjcyMzUyNDBaFw0yNzEyMjcy\nMzUyNDBaMBUxEzARBgNVBAMTCmt1YmVybmV0ZXMwggEiMA0GCSqGSIb3DQEBAQUA\nA4IBDwAwggEKAoIBAQDgnCkSmtnmfxEgS3qNPaUCH5QOBGDH/inHbWCODLBCK9gd\nXEcBl7FVv8T2kFr1DYb0HVDtMI7tixRVFDLgkwNlW34xwWdZXB7GeoFgU1xWOQSY\nOACC8JgYTQ/139HBEvgq4sej67p+/s/SNcw34Kk7HIuFhlk1rRk5kMexKIlJBKP1\nYYUYetsJ/QpUOkqJ5HW4GoetE76YtHnORfYvnybviSMrh2wGGaN6r/s4ChOaIbZC\nAn8/YiPKGIDaZGpj6GXnmXARRX/TIdgSQkLwt0aTDBnPZ4XvtpI8aaL8DYJIqAzA\nNPH2b4/uNylat5jDo0b0G54agMi97+2AUrC9UUXpAgMBAAGjIzAhMA4GA1UdDwEB\n/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBVGR2r\nhzXzRMU5wriPQAJScszNORvoBpXfZoZ09FIupudFxBVU3d4hV9StKnQgPSGA5XQO\nHE97+BxJDuA/rB5oBUsMBjc7y1cde/T6hmi3rLoEYBSnSudCOXJE4G9/0f8byAJe\nrN8+No1r2VgZvZh6p74TEkXv/l3HBPWM7IdUV0HO9JDhSgOVF1fyQKJxRuLJR8jt\nO6mPH2UX0vMwVa4jvwtkddqk2OAdYQvH9rbDjjbzaiW0KnmdueRo92KHAN7BsDZy\nVpXHpqo1Kzg7D3fpaXCf5si7lqqrdJVXH4JC72zxsPehqgi8eIuqOBkiDWmRxAxh\n8yGeRx9AbknHh4Ia\n-----END CERTIFICATE-----\n"
+const dummyKey = "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA4JwpEprZ5n8RIEt6jT2lAh+UDgRgx/4px21gjgywQivYHVxH\nAZexVb/E9pBa9Q2G9B1Q7TCO7YsUVRQy4JMDZVt+McFnWVwexnqBYFNcVjkEmDgA\ngvCYGE0P9d/RwRL4KuLHo+u6fv7P0jXMN+CpOxyLhYZZNa0ZOZDHsSiJSQSj9WGF\nGHrbCf0KVDpKieR1uBqHrRO+mLR5zkX2L58m74kjK4dsBhmjeq/7OAoTmiG2QgJ/\nP2IjyhiA2mRqY+hl55lwEUV/0yHYEkJC8LdGkwwZz2eF77aSPGmi/A2CSKgMwDTx\n9m+P7jcpWreYw6NG9BueGoDIve/tgFKwvVFF6QIDAQABAoIBAA0ktjaTfyrAxsTI\nBezb7Zr5NBW55dvuII299cd6MJo+rI/TRYhvUv48kY8IFXp/hyUjzgeDLunxmIf9\n/Zgsoic9Ol44/g45mMduhcGYPzAAeCdcJ5OB9rR9VfDCXyjYLlN8H8iU0734tTqM\n0V13tQ9zdSqkGPZOIcq/kR/pylbOZaQMe97BTlsAnOMSMKDgnftY4122Lq3GYy+t\nvpr+bKVaQZwvkLoSU3rECCaKaghgwCyX7jft9aEkhdJv+KlwbsGY6WErvxOaLWHd\ncuMQjGapY1Fa/4UD00mvrA260NyKfzrp6+P46RrVMwEYRJMIQ8YBAk6N6Hh7dc0G\n8Z6i1m0CgYEA9HeCJR0TSwbIQ1bDXUrzpftHuidG5BnSBtax/ND9qIPhR/FBW5nj\n22nwLc48KkyirlfIULd0ae4qVXJn7wfYcuX/cJMLDmSVtlM5Dzmi/91xRiFgIzx1\nAsbBzaFjISP2HpSgL+e9FtSXaaqeZVrflitVhYKUpI/AKV31qGHf04sCgYEA6zTV\n99Sb49Wdlns5IgsfnXl6ToRttB18lfEKcVfjAM4frnkk06JpFAZeR+9GGKUXZHqs\nz2qcplw4d/moCC6p3rYPBMLXsrGNEUFZqBlgz72QA6BBq3X0Cg1Bc2ZbK5VIzwkg\nST2SSux6ccROfgULmN5ZiLOtdUKNEZpFF3i3qtsCgYADT/s7dYFlatobz3kmMnXK\nsfTu2MllHdRys0YGHu7Q8biDuQkhrJwhxPW0KS83g4JQym+0aEfzh36bWcl+u6R7\nKhKj+9oSf9pndgk345gJz35RbPJYh+EuAHNvzdgCAvK6x1jETWeKf6btj5pF1U1i\nQ4QNIw/QiwIXjWZeubTGsQKBgQCbduLu2rLnlyyAaJZM8DlHZyH2gAXbBZpxqU8T\nt9mtkJDUS/KRiEoYGFV9CqS0aXrayVMsDfXY6B/S/UuZjO5u7LtklDzqOf1aKG3Q\ndGXPKibknqqJYH+bnUNjuYYNerETV57lijMGHuSYCf8vwLn3oxBfERRX61M/DU8Z\nworz/QKBgQDCTJI2+jdXg26XuYUmM4XXfnocfzAXhXBULt1nENcogNf1fcptAVtu\nBAiz4/HipQKqoWVUYmxfgbbLRKKLK0s0lOWKbYdVjhEm/m2ZU8wtXTagNwkIGoyq\nY/C1Lox4f1ROJnCjc/hfcOjcxX5M8A8peecHWlVtUPKTJgxQ7oMKcw==\n-----END RSA PRIVATE KEY-----\n"
+
+func mustParsePrivateKey(s string) *pki.PrivateKey {
+	k, err := pki.ParsePEMPrivateKey([]byte(s))
+	if err != nil {
+		klog.Fatalf("error parsing private key %v", err)
+	}
+	return k
+}
+
+func mustParseCertificate(s string) *pki.Certificate {
+	k, err := pki.ParsePEMCertificate([]byte(s))
+	if err != nil {
+		klog.Fatalf("error parsing certificate %v", err)
+	}
+	return k
+}
+
 func RunGoldenTest(t *testing.T, basedir string, key string, builder func(*NodeupModelContext, *fi.ModelBuilderContext) error) {
 	h := testutils.NewIntegrationTestHarness(t)
 	defer h.Close()
@@ -247,7 +271,25 @@ func RunGoldenTest(t *testing.T, basedir string, key string, builder func(*Nodeu
 		t.Fatalf("error loading model %q: %v", basedir, err)
 		return
 	}
-	nodeupModelContext.KeyStore = &fakeKeyStore{T: t}
+
+	keystore := &fakeCAStore{}
+	keystore.T = t
+	keystore.privateKeys = map[string]*pki.PrivateKey{
+		"ca":                      mustParsePrivateKey(dummyKey),
+		"apiserver-aggregator-ca": mustParsePrivateKey(dummyKey),
+		"kube-controller-manager": mustParsePrivateKey(dummyKey),
+		"kube-proxy":              mustParsePrivateKey(dummyKey),
+		"kube-scheduler":          mustParsePrivateKey(dummyKey),
+	}
+	keystore.certs = map[string]*pki.Certificate{
+		"ca":                      mustParseCertificate(dummyCertificate),
+		"apiserver-aggregator-ca": mustParseCertificate(dummyCertificate),
+		"kube-controller-manager": mustParseCertificate(dummyCertificate),
+		"kube-proxy":              mustParseCertificate(dummyCertificate),
+		"kube-scheduler":          mustParseCertificate(dummyCertificate),
+	}
+
+	nodeupModelContext.KeyStore = keystore
 
 	// Populate the cluster
 	{