diff --git a/internal/certauthority/kubecertauthority/kubecertauthority_test.go b/internal/certauthority/kubecertauthority/kubecertauthority_test.go
index 29e94c971..fa9bcb5c2 100644
--- a/internal/certauthority/kubecertauthority/kubecertauthority_test.go
+++ b/internal/certauthority/kubecertauthority/kubecertauthority_test.go
@@ -215,9 +215,6 @@ func TestCA(t *testing.T) {
 					// Tick the timer and wait for another refresh loop to complete.
 					fakeTicker <- time.Now()
 
-					r.Equal(1, callbacks.NumberOfTimesSuccessCalled())
-					r.Equal(0, callbacks.NumberOfTimesFailureCalled())
-
 					// Eventually it starts issuing certs using the new signing key.
 					var secondCertPEM, secondKeyPEM string
 					r.Eventually(func() bool {
@@ -243,6 +240,9 @@ func TestCA(t *testing.T) {
 						return err == nil
 					}, 5*time.Second, 100*time.Millisecond)
 
+					r.Equal(2, callbacks.NumberOfTimesSuccessCalled())
+					r.Equal(0, callbacks.NumberOfTimesFailureCalled())
+
 					validCert2 := testutil.ValidateCertificate(t, fakeCert2PEM, secondCertPEM)
 					validCert2.RequireDNSName("example.com")
 					validCert2.RequireLifetime(time.Now(), time.Now().Add(15*time.Minute), 6*time.Minute)