diff --git a/pkg/machinery/role/role.go b/pkg/machinery/role/role.go
index 27fa16e3d9..3355d351f0 100644
--- a/pkg/machinery/role/role.go
+++ b/pkg/machinery/role/role.go
@@ -54,16 +54,18 @@ func Parse(str []string) (Set, error) {
 	var err *multierror.Error
 
 	for _, r := range str {
+		r = strings.TrimSpace(r)
+
+		// Client certificates generated by previous Talos versions contained one empty organization.
+		if r == "" {
+			continue
+		}
+
 		role := Role(r)
 		if _, ok := all[role]; !ok {
 			err = multierror.Append(err, fmt.Errorf("unexpected role %q", r))
 		}
 
-		role = Role(strings.TrimSpace(r))
-		if role == "" {
-			continue
-		}
-
 		res[role] = struct{}{}
 	}
 
diff --git a/pkg/machinery/role/role_test.go b/pkg/machinery/role/role_test.go
index 4d590898aa..0ade672aeb 100644
--- a/pkg/machinery/role/role_test.go
+++ b/pkg/machinery/role/role_test.go
@@ -15,8 +15,8 @@ import (
 func TestRole(t *testing.T) {
 	t.Parallel()
 
-	set, err := role.Parse([]string{"os:admin", "os:reader", "os:future", "os:impersonator", " "})
-	assert.EqualError(t, err, "2 errors occurred:\n\t* unexpected role \"os:future\"\n\t* unexpected role \" \"\n\n")
+	set, err := role.Parse([]string{"os:admin", "os:reader", "os:future", "os:impersonator", "", " "})
+	assert.EqualError(t, err, "1 error occurred:\n\t* unexpected role \"os:future\"\n\n")
 	assert.Equal(t, role.MakeSet(role.Admin, role.Reader, role.Role("os:future"), role.Impersonator), set)
 
 	assert.Equal(t, []string{"os:admin", "os:future", "os:impersonator", "os:reader"}, set.Strings())