diff --git a/pkg/tls/reader.go b/pkg/tls/reader.go
index e8ca0fedbf..d2ea96612e 100644
--- a/pkg/tls/reader.go
+++ b/pkg/tls/reader.go
@@ -42,7 +42,7 @@ func ReadRootCASecret(restConfig *rest.Config, client *client.Client) (result []
 		managedByKyverno = label == "kyverno"
 	}
 	deplHashSec, ok = stlsca.GetAnnotations()[MasterDeploymentUID]
-	if managedByKyverno && (!ok || deplHashSec != deplHash) {
+	if managedByKyverno && (ok && deplHashSec != deplHash) {
 		return nil, fmt.Errorf("outdated secret")
 	}
 
@@ -85,7 +85,7 @@ func ReadTLSPair(restConfig *rest.Config, client *client.Client) (*PemPair, erro
 		managedByKyverno = label == "kyverno"
 	}
 	deplHashSec, ok = unstrSecret.GetAnnotations()[MasterDeploymentUID]
-	if managedByKyverno && (!ok || deplHashSec != deplHash) {
+	if managedByKyverno && (ok && deplHashSec != deplHash) {
 		return nil, fmt.Errorf("outdated secret")
 	}