diff --git a/cmd/controller/certificates.go b/cmd/controller/certificates.go
index 5eb4cb4c7d61..5c57cc1c6691 100644
--- a/cmd/controller/certificates.go
+++ b/cmd/controller/certificates.go
@@ -24,7 +24,6 @@ import (
 	"net/url"
 	"os"
 	"path/filepath"
-	"strconv"
 
 	"github.com/k0sproject/k0s/internal/pkg/file"
 	"github.com/k0sproject/k0s/internal/pkg/users"
@@ -67,8 +66,7 @@ func (c *Certificates) Init(ctx context.Context) error {
 	}
 	c.CACert = string(cert)
 	// Changing the URL here also requires changes in the "k0s kubeconfig admin" subcommand.
-	apiAddress := net.JoinHostPort(c.ClusterSpec.API.Address, strconv.Itoa(c.ClusterSpec.API.Port))
-	kubeConfigAPIUrl := (&url.URL{Scheme: "https", Host: apiAddress}).String()
+	kubeConfigAPIUrl := c.ClusterSpec.API.LocalURL()
 
 	apiServerUID, err := users.LookupUID(constant.ApiserverUser)
 	if err != nil {
@@ -289,7 +287,7 @@ func detectLocalIPs(ctx context.Context) ([]string, error) {
 	return localIPs, nil
 }
 
-func kubeConfig(dest, url, caCert, clientCert, clientKey string, ownerID int) error {
+func kubeConfig(dest string, url *url.URL, caCert, clientCert, clientKey string, ownerID int) error {
 	// We always overwrite the kubeconfigs as the certs might be regenerated at startup
 	const (
 		clusterName = "local"
@@ -300,7 +298,7 @@ func kubeConfig(dest, url, caCert, clientCert, clientKey string, ownerID int) er
 	kubeconfig, err := clientcmd.Write(clientcmdapi.Config{
 		Clusters: map[string]*clientcmdapi.Cluster{clusterName: {
 			// The server URL is replaced in the "k0s kubeconfig admin" subcommand.
-			Server:                   url,
+			Server:                   url.String(),
 			CertificateAuthorityData: []byte(caCert),
 		}},
 		Contexts: map[string]*clientcmdapi.Context{contextName: {
diff --git a/cmd/kubeconfig/admin.go b/cmd/kubeconfig/admin.go
index 754ada5f6c96..18f25ce283cb 100644
--- a/cmd/kubeconfig/admin.go
+++ b/cmd/kubeconfig/admin.go
@@ -65,7 +65,7 @@ func kubeConfigAdminCmd() *cobra.Command {
 			if err != nil {
 				return err
 			}
-			internalURL := fmt.Sprintf("https://localhost:%d", nodeConfig.Spec.API.Port)
+			internalURL := nodeConfig.Spec.API.LocalURL().String()
 			externalURL := nodeConfig.Spec.API.APIAddressURL()
 			for _, c := range adminConfig.Clusters {
 				if c.Server == internalURL {
diff --git a/pkg/apis/k0s/v1beta1/api.go b/pkg/apis/k0s/v1beta1/api.go
index ebfa7e4d181f..1a263a8aaf9c 100644
--- a/pkg/apis/k0s/v1beta1/api.go
+++ b/pkg/apis/k0s/v1beta1/api.go
@@ -18,6 +18,7 @@ package v1beta1
 
 import (
 	"encoding/json"
+	"fmt"
 	"net"
 	"net/url"
 	"strconv"
@@ -72,6 +73,17 @@ func DefaultAPISpec() *APISpec {
 	return a
 }
 
+func (a *APISpec) LocalURL() *url.URL {
+	var host string
+	if a.OnlyBindToAddress {
+		host = net.JoinHostPort(a.Address, strconv.Itoa(a.Port))
+	} else {
+		host = fmt.Sprintf("localhost:%d", a.Port)
+	}
+
+	return &url.URL{Scheme: "https", Host: host}
+}
+
 // APIAddress ...
 func (a *APISpec) APIAddress() string {
 	if a.ExternalAddress != "" {