diff --git a/plans/upgrade.pp b/plans/upgrade.pp
index 15b240fe..9b8a4116 100644
--- a/plans/upgrade.pp
+++ b/plans/upgrade.pp
@@ -135,13 +135,29 @@
 
   peadm::assert_supported_pe_version($_version, $permit_unsafe_versions)
 
+  # Gather certificate extension information from all systems
+  $cert_extensions_temp = run_task('peadm::cert_data', $all_targets).reduce({}) |$memo,$result| {
+    $memo + { $result.target.peadm::certname => $result['extensions'] }
+  }
+
+  $compiler_missing_legacy_targets = $cert_extensions_temp.filter |$name,$exts| {
+    ($name in $compiler_targets.map |$t| { $t.name }) and (peadm::oid('peadm_legacy_compiler') in $exts and $exts[peadm::oid('peadm_legacy_compiler')] == undef)
+  }.keys
+
+  run_plan('peadm::modify_certificate', $compiler_missing_legacy_targets,
+    primary_host   => $primary_target,
+    add_extensions => {
+      peadm::oid('peadm_legacy_compiler') => 'false',
+    },
+  )
+
   # Gather certificate extension information from all systems
   $cert_extensions = run_task('peadm::cert_data', $all_targets).reduce({}) |$memo,$result| {
     $memo + { $result.target.peadm::certname => $result['extensions'] }
   }
 
   $convert_targets = $cert_extensions.filter |$name,$exts| {
-    ($name in $compiler_targets.map |$t| { $t.name }) and ($exts['pp_auth_role'] == undef)
+    ($name in $compiler_targets.map |$t| { $t.name }) and ('pp_auth_role' in $exts and $exts['pp_auth_role'] == undef)
   }.keys
 
   # Determine PE version currently installed on primary
@@ -151,8 +167,8 @@
 
   # Ensure needed trusted facts are available
   if $cert_extensions.any |$_,$cert| {
-    [peadm::oid('peadm_role'), 'pp_auth_role'].all |$ext| { $cert[$ext] == undef } or
-    $cert[peadm::oid('peadm_availability_group')] == undef
+    [peadm::oid('peadm_role'), 'pp_auth_role'].all |$ext| { $ext in $cert and $cert[$ext] == undef } or
+    (peadm::oid('peadm_availability_group') in $cert and $cert[peadm::oid('peadm_availability_group')] == undef)
   } {
 # lint:ignore:strict_indent
     fail_plan(@(HEREDOC/L))
diff --git a/spec/plans/upgrade_spec.rb b/spec/plans/upgrade_spec.rb
index 640e7c04..41852f01 100644
--- a/spec/plans/upgrade_spec.rb
+++ b/spec/plans/upgrade_spec.rb
@@ -28,7 +28,7 @@ def allow_standard_non_returning_calls
       .with_params('path' => '/opt/puppetlabs/server/pe_build')
       .always_return({ 'content' => '2021.7.3' })
 
-    expect_task('peadm::cert_data').return_for_targets('primary' => trusted_primary)
+    expect_task('peadm::cert_data').return_for_targets('primary' => trusted_primary).be_called_times(2)
 
     expect(run_plan('peadm::upgrade',
                     'primary_host' => 'primary',
@@ -44,7 +44,7 @@ def allow_standard_non_returning_calls
       .always_return({ 'content' => '2021.7.3' })
 
     expect_task('peadm::cert_data').return_for_targets('primary' => trusted_primary,
-                                                       'compiler' => trusted_compiler)
+                                                       'compiler' => trusted_compiler).be_called_times(2)
 
     expect(run_plan('peadm::upgrade',
                     'primary_host' => 'primary',
@@ -93,7 +93,7 @@ def allow_standard_non_returning_calls
         .with_params('path' => '/opt/puppetlabs/server/pe_build')
         .always_return({ 'content' => installed_version })
 
-      expect_task('peadm::cert_data').return_for_targets('primary' => trusted_primary)
+      expect_task('peadm::cert_data').return_for_targets('primary' => trusted_primary).be_called_times(2)
       expect_task('peadm::get_group_rules').return_for_targets('primary' => { '_output' => '{"rules": []}' })
     end