diff --git a/lib/client/api.go b/lib/client/api.go
index 2b052adad14..98c53288a80 100644
--- a/lib/client/api.go
+++ b/lib/client/api.go
@@ -1603,6 +1603,12 @@ func (tc *TeleportClient) Login(ctx context.Context, activateKey bool) (*Key, er
 		if err != nil {
 			return nil, trace.Wrap(err)
 		}
+
+		// Connect to the Auth Server of the main cluster
+		// and fetch the known hosts for this cluster.
+		if err := tc.UpdateTrustedCA(ctx, key.ClusterName); err != nil {
+			return nil, trace.Wrap(err)
+		}
 	}
 	return key, nil
 }
diff --git a/tool/tsh/tsh.go b/tool/tsh/tsh.go
index 09247696140..ad14d9c9f4e 100644
--- a/tool/tsh/tsh.go
+++ b/tool/tsh/tsh.go
@@ -438,12 +438,6 @@ func onLogin(cf *CLIConf) {
 	// Regular login without -i flag.
 	tc.SaveProfile("")
 
-	// Connect to the Auth Server and fetch the known hosts for this cluster.
-	err = tc.UpdateTrustedCA(cf.Context, key.ClusterName)
-	if err != nil {
-		utils.FatalError(err)
-	}
-
 	// Print status to show information of the logged in user. Update the
 	// command line flag (used to print status) for the proxy to make sure any
 	// advertised settings are picked up.