diff --git a/pkg/machinery/config/types/v1alpha1/v1alpha1_validation.go b/pkg/machinery/config/types/v1alpha1/v1alpha1_validation.go
index 76d440928c..5c57c8ce93 100644
--- a/pkg/machinery/config/types/v1alpha1/v1alpha1_validation.go
+++ b/pkg/machinery/config/types/v1alpha1/v1alpha1_validation.go
@@ -374,6 +374,10 @@ func (c *ClusterConfig) Validate(isControlPlane bool) error {
 		}
 	}
 
+	if c.ClusterCA != nil && !isControlPlane && len(c.ClusterCA.Key) > 0 {
+		result = multierror.Append(result, errors.New("cluster CA key is not allowed on non-controlplane nodes (.cluster.ca)"))
+	}
+
 	result = multierror.Append(
 		result,
 		c.ClusterInlineManifests.Validate(),