diff --git a/ansible/roles/firstboot/files/ansible_payload/roles/workloadcluster/tasks/clusterapi.yml b/ansible/roles/firstboot/files/ansible_payload/roles/workloadcluster/tasks/clusterapi.yml
index 6f3b17a..e95aa0b 100644
--- a/ansible/roles/firstboot/files/ansible_payload/roles/workloadcluster/tasks/clusterapi.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/roles/workloadcluster/tasks/clusterapi.yml
@@ -1,17 +1,27 @@
-- name: Configure clusterctl with hypervisor details
- ansible.builtin.blockinfile:
- path: /opt/metacluster/manifests/clusterctl.yaml
- block: |
- ## -- Controller settings -- ##
- VSPHERE_USERNAME: {{ vapp['hv.username'] }}
- VSPHERE_PASSWORD: {{ vapp['hv.password'] }}
- ## -- Required workload cluster default settings -- ##
- VSPHERE_SERVER: {{ vapp['hv.fqdn'] }}
- VSPHERE_DATACENTER: {{ vcenter_info.datacenter }}
- VSPHERE_DATASTORE: {{ vcenter_info.datastore }}
- VSPHERE_NETWORK: {{ vcenter_info.network }}
- # VSPHERE_RESOURCE_POOL: ""
- # VSPHERE_FOLDER: ""
- # VSPHERE_TEMPLATE: "centos-7-kube-v1.18.2"
- # VSPHERE_SSH_AUTHORIZED_KEY: "output of cat /root/.ssh/id_rsa.pub"
- marker: '# {mark} ANSIBLE MANAGED BLOCK'
+- name: Retrieve hypervisor TLS thumbprint
+ ansible.builtin.shell:
+ cmd: openssl s_client -connect {{ vapp['hv.fqdn'] }}:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout -in /dev/stdin
+ register: tls_thumbprint
+
+- name: Configure clusterctl
+ ansible.builtin.template:
+ src: clusterctl.j2
+ dest: /opt/metacluster/manifests/clusterctl.yaml
+ vars:
+ _template:
+ version:
+ base: "{{ components.clusterapi.management.version.base }}"
+ cert_manager: "{{ components.clusterapi.management.version.cert_manager }}"
+ infrastructure_vsphere: "{{ components.clusterapi.management.version.infrastructure_vsphere }}"
+ hv:
+ fqdn: "{{ vapp['hv.fqdn'] }}"
+ tlsthumbprint: "{{ (tls_thumbprint.stdout | split('='))[-1] }}"
+ username: "{{ vapp['hv.username'] }}"
+ password: "{{ vapp['hv.password'] }}"
+ datacenter: "{{ vcenter_info.datacenter }}"
+ datastore: "{{ vcenter_info.datastore }}"
+ network: "{{ vcenter_info.network }}"
+ cluster:
+ publickey: "{{ vapp['guestinfo.rootsshkey'] }}"
+ version: "{{ components.clusterapi.workload.version.k8s }}"
+ vip: "{{ vapp['workloadcluster.vip'] }}"
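Review bot: The thumbprint that the new `Retrieve hypervisor TLS thumbprint` task pins into `VSPHERE_TLS_THUMBPRINT` is whatever `openssl s_client` happens to receive at first boot, with stderr discarded and no `failed_when`/`changed_when`, so an interposed endpoint gets pinned as the hypervisor's identity (trust-on-first-use) and the task only fails if `openssl x509` itself exits non-zero on the piped input. If the OVF environment can carry an operator-supplied thumbprint, prefer that over the fetched value; otherwise at least fail closed when the output lacks the `=`-separated fingerprint that the `split('=')` in the template vars relies on, shell-quote the vApp property, and pass the digest explicitly instead of relying on the openssl default (note the pipeline's `rc` is that of the last command, since `sh` has no pipefail). Separately, the `Configure clusterctl` task renders `VSPHERE_PASSWORD` into `/opt/metacluster/manifests/clusterctl.yaml` without a `mode`, so the file takes the default umask; it should get `mode: "0600"`, and `no_log: true` keeps the rendered password out of `--diff` output.
```yaml
- name: Retrieve hypervisor TLS thumbprint
  ansible.builtin.shell:
    cmd: openssl s_client -connect {{ vapp['hv.fqdn'] | quote }}:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -sha1 -noout -in /dev/stdin
  register: tls_thumbprint
  changed_when: false
  failed_when: tls_thumbprint.rc != 0 or '=' not in tls_thumbprint.stdout

- name: Configure clusterctl
  ansible.builtin.template:
    src: clusterctl.j2
    dest: /opt/metacluster/manifests/clusterctl.yaml
    mode: "0600"
  no_log: true
  # … unchanged: vars/_template mapping …
```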
diff --git a/ansible/roles/firstboot/files/ansible_payload/roles/workloadcluster/templates/clusterctl.j2 b/ansible/roles/firstboot/files/ansible_payload/roles/workloadcluster/templates/clusterctl.j2
new file mode 100644
index 0000000..c0898c9
--- /dev/null
+++ b/ansible/roles/firstboot/files/ansible_payload/roles/workloadcluster/templates/clusterctl.j2
@@ -0,0 +1,38 @@
+providers:
+ - name: "kubeadm"
+ url: "/opt/metacluster/manifests/bootstrap-kubeadm/{{ _template.version.base }}/bootstrap-components.yaml"
+ type: "BootstrapProvider"
+ - name: "cluster-api"
+ url: "/opt/metacluster/manifests/cluster-api/{{ _template.version.base }}/core-components.yaml"
+ type: "CoreProvider"
+ - name: "kubeadm"
+ url: "/opt/metacluster/manifests/control-plane-kubeadm/{{ _template.version.base }}/control-plane-components.yaml"
+ type: "ControlPlaneProvider"
+ - name: "vsphere"
+ url: "/opt/metacluster/manifests/infrastructure-vsphere/{{ _template.version.infrastructure_vsphere }}/infrastructure-components.yaml"
+ type: "InfrastructureProvider"
+
+cert-manager:
+ url: "/opt/metacluster/manifests/cert-manager/{{ _template.version.cert_manager }}/cert-manager.yaml"
+
+## -- Controller settings -- ##
+VSPHERE_SERVER: "{{ _template.hv.fqdn }}"
+VSPHERE_TLS_THUMBPRINT: "{{ _template.hv.tlsthumbprint }}"
+VSPHERE_USERNAME: "{{ _template.hv.username }}"
+VSPHERE_PASSWORD: "{{ _template.hv.password }}"
+
+## -- Required workload cluster default settings -- ##
+VSPHERE_DATACENTER: "{{ _template.hv.datacenter }}"
+VSPHERE_DATASTORE: "{{ _template.hv.datastore }}"
+VSPHERE_STORAGE_POLICY: ""
+VSPHERE_NETWORK: "{{ _template.hv.network }}"
+VSPHERE_RESOURCE_POOL: "{{ _template.hv.resourcepool }}"
+VSPHERE_FOLDER: ""
+VSPHERE_TEMPLATE: "{{ _template.hv.nodetemplate }}"
+
+KUBERNETES_VERSION: "{{ _template.cluster.version }}"
+CONTROL_PLANE_ENDPOINT_IP: "{{ _template.cluster.vip }}"
+VIP_NETWORK_INTERFACE: "ens192"
+EXP_CLUSTER_RESOURCE_SET: "true"
+
+VSPHERE_SSH_AUTHORIZED_KEY: "{{ _template.cluster.publickey }}"
diff --git a/ansible/roles/metacluster/tasks/components.yml b/ansible/roles/metacluster/tasks/components.yml
index 119d6c9..1c5ca75 100644
--- a/ansible/roles/metacluster/tasks/components.yml
+++ b/ansible/roles/metacluster/tasks/components.yml
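Review bot: `VSPHERE_RESOURCE_POOL` and `VSPHERE_TEMPLATE` read `_template.hv.resourcepool` and `_template.hv.nodetemplate`, but the `_template.hv` mapping that the new `Configure clusterctl` task in this commit passes only defines fqdn, tlsthumbprint, username, password, datacenter, datastore and network, so unless the play relaxes `error_on_undefined_vars` the render fails at first boot (and if it is relaxed, it silently emits an empty resource pool and an empty node template). Either add the two keys to the task's `vars` or give them explicit handling here, e.g. `VSPHERE_RESOURCE_POOL: "{{ _template.hv.resourcepool | default('') }}"` and `VSPHERE_TEMPLATE: "{{ _template.hv.nodetemplate | mandatory }}"`, since an empty template name is not usable. It is also worth confirming that `guestinfo.rootsshkey`, which lands in `VSPHERE_SSH_AUTHORIZED_KEY`, carries the public half only; a header comment such as `{# Rendered file holds the vSphere credentials; keep it 0600. #}` would help the next maintainer.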
@@ -37,14 +37,10 @@ loop_control: label: "{{ item.key }}" - - debug: - msg: | - {{ { 'components': (chart_values | combine({ 'clusterapi': components.clusterapi })) } | to_nice_yaml(indent=2, width=4096) }} - - name: Write dict to vars_file ansible.builtin.copy: dest: /opt/firstboot/ansible/vars/metacluster.yml - content: "{{ { 'components': chart_values } | to_nice_yaml(indent=2, width=4096) }}" + content: "{{ { 'components': (chart_values | combine({ 'clusterapi': components.clusterapi })) } | to_nice_yaml(indent=2, width=4096) }}" - block: @@ -91,17 +87,6 @@ ansible.builtin.set_fact: clusterapi_containerimages: "{{ parsedmanifests | json_query('results[*].stdout_lines') | select() | flatten }}" - - name: Configure clusterctl - ansible.builtin.template: - src: clusterctl.j2 - dest: /opt/metacluster/manifests/clusterctl.yaml - vars: - _template: - version: - base: "{{ components.clusterapi.management.version.base }}" - cert_manager: "{{ components.clusterapi.management.version.cert_manager }}" - infrastructure_vsphere: "{{ components.clusterapi.management.version.infrastructure_vsphere }}" - - name: Parse helm charts for container images ansible.builtin.shell: cmd: "{{ item.value.helm.parse_logic }}" diff --git a/ansible/roles/metacluster/templates/clusterctl.j2 b/ansible/roles/metacluster/templates/clusterctl.j2 deleted file mode 100644 index 6f89d0f..0000000 --- a/ansible/roles/metacluster/templates/clusterctl.j2 +++ /dev/null 
@@ -1,16 +0,0 @@
-providers:
- - name: "kubeadm"
- url: "/opt/metacluster/manifests/bootstrap-kubeadm/{{ _template.version.base }}/bootstrap-components.yaml"
- type: "BootstrapProvider"
- - name: "cluster-api"
- url: "/opt/metacluster/manifests/cluster-api/{{ _template.version.base }}/core-components.yaml"
- type: "CoreProvider"
- - name: "kubeadm"
- url: "/opt/metacluster/manifests/control-plane-kubeadm/{{ _template.version.base }}/control-plane-components.yaml"
- type: "ControlPlaneProvider"
- - name: "vsphere"
- url: "/opt/metacluster/manifests/infrastructure-vsphere/{{ _template.version.infrastructure_vsphere }}/infrastructure-components.yaml"
- type: "InfrastructureProvider"
-
-cert-manager:
- url: "/opt/metacluster/manifests/cert-manager/{{ _template.version.cert_manager }}/cert-manager.yaml"