diff --git a/cli/command/swarm/ca.go b/cli/command/swarm/ca.go
index 59974ac644..afd2b047bb 100644
--- a/cli/command/swarm/ca.go
+++ b/cli/command/swarm/ca.go
@@ -96,7 +96,7 @@ func runCA(ctx context.Context, dockerCli command.Cli, flags *pflag.FlagSet, opt
 func updateSwarmSpec(spec *swarm.Spec, flags *pflag.FlagSet, opts caOptions) {
 	caCert := opts.rootCACert.Contents()
 	caKey := opts.rootCAKey.Contents()
-	opts.mergeSwarmSpecCAFlags(spec, flags, caCert)
+	opts.mergeSwarmSpecCAFlags(spec, flags, &caCert)
 
 	spec.CAConfig.SigningCACert = caCert
 	spec.CAConfig.SigningCAKey = caKey
diff --git a/cli/command/swarm/init_test.go b/cli/command/swarm/init_test.go
index 0d62cd7d56..b0e2decf0e 100644
--- a/cli/command/swarm/init_test.go
+++ b/cli/command/swarm/init_test.go
@@ -150,7 +150,7 @@ func TestSwarmInitWithExternalCA(t *testing.T) {
 
 	tempDir := t.TempDir()
 	certFile := filepath.Join(tempDir, "cert.pem")
-	err := os.WriteFile(certFile, []byte(cert), 0644)
+	err := os.WriteFile(certFile, []byte(cert), 0o644)
 	assert.NilError(t, err)
 
 	cmd := newInitCommand(cli)
diff --git a/cli/command/swarm/opts.go b/cli/command/swarm/opts.go
index a29a67147c..41a0244ed4 100644
--- a/cli/command/swarm/opts.go
+++ b/cli/command/swarm/opts.go
@@ -231,7 +231,7 @@ func addSwarmFlags(flags *pflag.FlagSet, options *swarmOptions) {
 	addSwarmCAFlags(flags, &options.swarmCAOptions)
 }
 
-func (o *swarmOptions) mergeSwarmSpec(spec *swarm.Spec, flags *pflag.FlagSet, caCert string) {
+func (o *swarmOptions) mergeSwarmSpec(spec *swarm.Spec, flags *pflag.FlagSet, caCert *string) {
 	if flags.Changed(flagTaskHistoryLimit) {
 		spec.Orchestration.TaskHistoryRetentionLimit = &o.taskHistoryLimit
 	}
@@ -255,20 +255,24 @@ type swarmCAOptions struct {
 	externalCA     ExternalCAOption
 }
 
-func (o *swarmCAOptions) mergeSwarmSpecCAFlags(spec *swarm.Spec, flags *pflag.FlagSet, caCert string) {
+func (o *swarmCAOptions) mergeSwarmSpecCAFlags(spec *swarm.Spec, flags *pflag.FlagSet, caCert *string) {
 	if flags.Changed(flagCertExpiry) {
 		spec.CAConfig.NodeCertExpiry = o.nodeCertExpiry
 	}
 	if flags.Changed(flagExternalCA) {
 		spec.CAConfig.ExternalCAs = o.externalCA.Value()
-		for _, ca := range spec.CAConfig.ExternalCAs {
-			ca.CACert = caCert
+		if caCert != nil {
+			for _, ca := range spec.CAConfig.ExternalCAs {
+				if ca.CACert == "" {
+					ca.CACert = *caCert
+				}
+			}
 		}
 	}
 }
 
 func (o *swarmOptions) ToSpec(flags *pflag.FlagSet) swarm.Spec {
 	var spec swarm.Spec
-	o.mergeSwarmSpec(&spec, flags, "")
+	o.mergeSwarmSpec(&spec, flags, nil)
 	return spec
 }
diff --git a/cli/command/swarm/update.go b/cli/command/swarm/update.go
index 50ddc17b1a..2e853a9312 100644
--- a/cli/command/swarm/update.go
+++ b/cli/command/swarm/update.go
@@ -53,7 +53,7 @@ func runUpdate(ctx context.Context, dockerCli command.Cli, flags *pflag.FlagSet,
 
 	prevAutoLock := swarmInspect.Spec.EncryptionConfig.AutoLockManagers
 
-	opts.mergeSwarmSpec(&swarmInspect.Spec, flags, swarmInspect.ClusterInfo.TLSInfo.TrustRoot)
+	opts.mergeSwarmSpec(&swarmInspect.Spec, flags, &swarmInspect.ClusterInfo.TLSInfo.TrustRoot)
 
 	curAutoLock := swarmInspect.Spec.EncryptionConfig.AutoLockManagers