diff --git a/lib/auth/trustedcluster.go b/lib/auth/trustedcluster.go
index acbc46dc4f281..7a5efc7528bbb 100644
--- a/lib/auth/trustedcluster.go
+++ b/lib/auth/trustedcluster.go
@@ -54,17 +54,21 @@ func (a *Server) UpsertTrustedCluster(ctx context.Context, tc types.TrustedClust
 // It is recommended to omit trusted cluster name because the trusted cluster name
 // is updated to the roots cluster name during the handshake with the root cluster.
 var existingCluster types.TrustedCluster
- var cas []types.CertAuthority
+ var foundTrustedCluster bool
 if tc.GetName() != "" {
 var err error
 existingCluster, err = a.GetTrustedCluster(ctx, tc.GetName())
 if err != nil && !trace.IsNotFound(err) {
 return nil, trace.Wrap(err)
 }
+
+ if err == nil {
+ foundTrustedCluster = true
+ }
 }
 // if there is no existing cluster, switch to the create case
- if existingCluster == nil {
+ if !foundTrustedCluster {
 return a.createTrustedCluster(ctx, tc)
 }
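Review bot: `foundTrustedCluster` is derived from `err == nil` alone, so the update path that follows this hunk now depends on `GetTrustedCluster` never returning a nil cluster together with a nil error; the removed `existingCluster == nil` test sent that case to `createTrustedCluster` instead. `GetTrustedCluster` is not visible here, so if that contract is not guaranteed, `if err == nil && existingCluster != nil {` keeps both protections on a path that decides whether trust is created or modified. The hunk also gives no reason for replacing the nil comparison with a flag; if the reason is that the returned interface value can be non-nil on a NotFound error, a comment above the declaration such as `// set only when the lookup succeeds; a non-nil existingCluster alone does not prove a cluster was found` would record it. The body of `UpsertTrustedCluster` starts before and continues after this hunk.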