diff --git a/lib/client/api.go b/lib/client/api.go
index 42fb5d19e92c2..7645f8f7ce8f2 100644
--- a/lib/client/api.go
+++ b/lib/client/api.go
@@ -1708,6 +1708,7 @@ func (tc *TeleportClient) Login(ctx context.Context, activateKey bool) (*Key, er
 key.Cert = response.Cert
 key.TLSCert = response.TLSCert
 key.ProxyHost = webProxyHost
+ key.TrustedCA = response.HostSigners
 // Check that a host certificate for at least one cluster was returned and
 // extract the name of the current cluster from the first host certificate.
diff --git a/tool/tsh/tsh.go b/tool/tsh/tsh.go
index b9cd5348ecad2..944e365e8264a 100644
--- a/tool/tsh/tsh.go
+++ b/tool/tsh/tsh.go
@@ -419,7 +419,7 @@ func onLogin(cf *CLIConf) {
 if profile != nil && !profile.IsExpired(clockwork.NewRealClock()) {
 switch {
 // in case if nothing is specified, print current status
- case cf.Proxy == "" && cf.SiteName == "" && cf.DesiredRoles == "":
+ case cf.Proxy == "" && cf.SiteName == "" && cf.DesiredRoles == "" && cf.IdentityFileOut == "":
 printProfiles(cf.Debug, profile, profiles)
 return
 // in case if parameters match, print current status
@@ -447,7 +447,7 @@ func onLogin(cf *CLIConf) {
 // proxy is unspecified or the same as the currently provided proxy,
 // but desired roles are specified, treat this as a privilege escalation
 // request for the same login session.
- case (cf.Proxy == "" || host(cf.Proxy) == host(profile.ProxyURL.Host)) && cf.DesiredRoles != "":
+ case (cf.Proxy == "" || host(cf.Proxy) == host(profile.ProxyURL.Host)) && cf.DesiredRoles != "" && cf.IdentityFileOut == "":
 executeAccessRequest(cf)
 return
 // otherwise just passthrough to standard login
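Review bot: In lib/client/api.go, the new `key.TrustedCA = response.HostSigners` has no comment saying why the key now carries the CA list or where it is consumed. Judging from the tsh.go changes in this commit it presumably feeds identity-file output, in which case these signers become the trust anchors for whoever uses that file, and they are taken as-is from the login response. I would add `// TrustedCA is written into identity files; it is only as trustworthy as the proxy connection this login ran over.` above the assignment, and consider placing the assignment after the host-certificate check that the following comment announces. Login's body starts and ends outside the hunk, so that check itself is not visible here.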
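Review bot: In onLogin (tool/tsh/tsh.go), the `cf.IdentityFileOut == ""` guard is added to the first case and again in the hunk at -447, but the case announced by the trailing context comment `// in case if parameters match, print current status` lies between the two hunks and is not touched by this diff. If that case prints the profile and returns, a login that names the current proxy and also asks for an identity file would presumably still return without writing one. If every short-circuit should be skipped when a file is requested, hoisting the guard into the enclosing condition is simpler: `if profile != nil && !profile.IsExpired(clockwork.NewRealClock()) && cf.IdentityFileOut == "" {`. onLogin continues outside both hunks, so this needs confirming against the full switch.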
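Review bot: In the access-request case of onLogin (hunk at -447), combining desired roles with an identity-file output now skips `executeAccessRequest(cf)` and falls through to the standard login, and whether that path still requests the desired roles is not visible in the hunk. If it does not, the identity file would be written with the base role set and the user would get no indication that the role request was dropped. A comment on the case such as `// with an identity file requested, fall through so the standard login path writes the file` would record the intent. If the combination is not actually supported, an explicit error may be safer than a silent fallthrough.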