diff --git a/lib/auth/init.go b/lib/auth/init.go
index 80292936e34a1..d16738d4fb2c6 100644
--- a/lib/auth/init.go
+++ b/lib/auth/init.go
@@ -924,7 +924,15 @@ func ReadIdentity(dataDir string, id IdentityID) (i *Identity, err error) {
 }
 }
- return ReadIdentityFromKeyPair(keyBytes, sshCertBytes, tlsCertBytes, tlsCACertBytes)
+ identity, err := ReadIdentityFromKeyPair(keyBytes, sshCertBytes, tlsCertBytes, tlsCACertBytes)
+ if err != nil {
+ return nil, trace.Wrap(err)
+ }
+
+ // Inject nodename back into identity read from disk.
+ identity.ID.NodeName = id.NodeName
+
+ return identity, nil
 }
 // WriteIdentity writes identity keypair to disk
diff --git a/lib/service/service.go b/lib/service/service.go
index c6a5631d86eb5..68333126227ab 100644
--- a/lib/service/service.go
+++ b/lib/service/service.go
@@ -196,7 +196,11 @@ func (process *TeleportProcess) readIdentity(role teleport.Role) (*auth.Identity
 process.Lock()
 defer process.Unlock()
- id := auth.IdentityID{HostUUID: process.Config.HostUUID, Role: role}
+ id := auth.IdentityID{
+ Role: role,
+ HostUUID: process.Config.HostUUID,
+ NodeName: process.Config.Hostname,
+ }
 identity, err := auth.ReadIdentity(process.Config.DataDir, id)
 if err != nil {
 return nil, trace.Wrap(err)
@@ -219,7 +223,11 @@ func (process *TeleportProcess) GetIdentity(role teleport.Role) (i *auth.Identit
 return i, nil
 }
- id := auth.IdentityID{HostUUID: process.Config.HostUUID, Role: role}
+ id := auth.IdentityID{
+ Role: role,
+ HostUUID: process.Config.HostUUID,
+ NodeName: process.Config.Hostname,
+ }
 i, err = auth.ReadIdentity(process.Config.DataDir, id)
 if err != nil {
 if trace.IsNotFound(err) {
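Review bot: The unconditional `identity.ID.NodeName = id.NodeName` makes the returned identity carry a name supplied by the caller rather than one taken from the certificates that were just parsed, and it replaces whatever the parser produced, including with an empty string when a caller omits NodeName. Guard the assignment, `if id.NodeName != "" { identity.ID.NodeName = id.NodeName }`, and extend the comment to say that the value comes from the caller and is not attested by the host certificate, so code making trust decisions should keep relying on the certificate principals. Whether ReadIdentityFromKeyPair ever fills NodeName itself is not visible here; if it does, the overwrite would also hide a mismatch between the certificate and the local configuration. ReadIdentity's body starts outside the hunk.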
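Review bot: `NodeName: process.Config.Hostname` is read from local configuration in both the readIdentity and GetIdentity hunks, and the same three-field `auth.IdentityID` literal is written out twice. A small helper on TeleportProcess, used as for example `id := process.identityID(role)`, would keep the two call sites from drifting apart. Its doc comment is the place to state that NodeName reflects the configured hostname at load time, which may differ from the name the on-disk certificate was issued for if the hostname has been changed since. Both functions extend beyond their hunks, so any other construction of IdentityID in this file is not visible here.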