diff --git a/coordinator/meshapi.go b/coordinator/meshapi.go
index 50a0ad838b..9854449799 100644
--- a/coordinator/meshapi.go
+++ b/coordinator/meshapi.go
@@ -128,17 +128,21 @@ func (i *meshAPIServer) NewMeshCert(ctx context.Context, _ *meshapi.NewMeshCertR
 		return nil, fmt.Errorf("failed to issue new attested mesh cert: %w", err)
 	}
 
-	workloadSecret, err := seedEngine.DeriveWorkloadSecret(entry.WorkloadSecretID)
-	if err != nil {
-		return nil, fmt.Errorf("failed to derive workload secret: %w", err)
+	resp := &meshapi.NewMeshCertResponse{
+		MeshCACert: state.CA.GetMeshCACert(),
+		CertChain: append(cert, state.CA.GetIntermCACert()...),
+		RootCACert: state.CA.GetRootCACert(),
+	}
+
+	if entry.WorkloadSecretID != "" {
+		workloadSecret, err := seedEngine.DeriveWorkloadSecret(entry.WorkloadSecretID)
+		if err != nil {
+			return nil, fmt.Errorf("failed to derive workload secret: %w", err)
+		}
+		resp.WorkloadSecret = workloadSecret
 	}
 
-	return &meshapi.NewMeshCertResponse{
-		MeshCACert: state.CA.GetMeshCACert(),
-		CertChain: append(cert, state.CA.GetIntermCACert()...),
-		RootCACert: state.CA.GetRootCACert(),
-		WorkloadSecret: workloadSecret,
-	}, nil
+	return resp, nil
 }
 
 type seedEngineGetter interface {
diff --git a/e2e/workloadsecret/workloadsecret_test.go b/e2e/workloadsecret/workloadsecret_test.go
index 6f266055fa..b081729f27 100644
--- a/e2e/workloadsecret/workloadsecret_test.go
+++ b/e2e/workloadsecret/workloadsecret_test.go
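Review bot: The new `if entry.WorkloadSecretID != ""` branch makes WorkloadSecret optional in the response, but neither the hunk nor anything visible on NewMeshCert says so, so a reader of the response cannot tell a deliberately absent secret from one that was silently dropped. Add a comment above that line, `// WorkloadSecret is only derived when the manifest configures a WorkloadSecretID for this entry; otherwise it stays unset and the initializer must not expect a seed file.`, and consider mirroring that sentence on the NewMeshCertResponse.WorkloadSecret field in the proto definition, which is outside this diff. The `workloadSecret, err :=` inside the block shadows the outer err, which is harmless here because every path inside the block either returns or assigns before leaving it. NewMeshCert's signature and the earlier part of its body are outside the hunk.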
@@ -154,6 +154,26 @@ func TestWorkloadSecrets(t *testing.T) {
 		require.Len(webWorkloadSecretBytes, constants.SecretSeedSize)
 		require.Equal(webWorkloadSecretBytes, emojiWorkloadSecretBytes)
 	})
+
+	t.Run("workload secrets are not created if not configured in the manifest", func(t *testing.T) {
+		require := require.New(t)
+		ctx, cancel := context.WithTimeout(context.Background(), ct.FactorPlatformTimeout(60*time.Second))
+		defer cancel()
+
+		ct.PatchManifest(t, patchWorkloadSecretID("web", ""))
+
+		t.Run("set", ct.Set)
+		require.NoError(ct.Kubeclient.Restart(ctx, kubeclient.Deployment{}, ct.Namespace, "web"))
+		require.NoError(ct.Kubeclient.WaitFor(ctx, kubeclient.Ready, kubeclient.Deployment{}, ct.Namespace, "web"))
+
+		webPods, err = ct.Kubeclient.PodsFromDeployment(ctx, ct.Namespace, "web")
+		require.NoError(err)
+		require.Len(webPods, 2, "pod not found: %s/%s", ct.Namespace, "web")
+
+		stdout, stderr, err := ct.Kubeclient.Exec(ctx, ct.Namespace, webPods[0].Name, []string{"/bin/sh", "-c", "test ! -f /contrast/secrets/workload-secret-seed"})
+		require.NoError(err, "stderr: %q", stderr)
+		require.Empty(stdout)
+	})
 }
 
 // patchWorkloadSecretID returns a PatchManifestFunc which overwrites the expectedWorkloadSecretID with the patchWorkloadSecretID
diff --git a/initializer/main.go b/initializer/main.go
index 7235a49067..b58785dc56 100644
--- a/initializer/main.go
+++ b/initializer/main.go
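Review bot: The absence check on the `stdout, stderr, err := ct.Kubeclient.Exec(...)` line only inspects webPods[0], while the preceding require.Len insists on two pods; the second replica is never checked, so a replica that still carries a seed file would pass. Loop over all pods instead: `for _, pod := range webPods { _, stderr, err := ct.Kubeclient.Exec(ctx, ct.Namespace, pod.Name, []string{"/bin/sh", "-c", "test ! -f /contrast/secrets/workload-secret-seed"}); require.NoError(err, "pod %s stderr: %q", pod.Name, stderr) }`. The subtest also leaves the manifest patched to an empty workload secret ID without restoring it, which presumably affects anything sharing the ct fixture afterwards; confirm it is the last consumer or restore the manifest in a t.Cleanup. TestWorkloadSecrets, and the webPods and err variables assigned with `=` here, are declared outside the hunk.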
@@ -127,9 +127,12 @@ func run() (retErr error) {
 	if err != nil {
 		return fmt.Errorf("writing coordinator-root-ca.pem: %w", err)
 	}
-	err = os.WriteFile("/contrast/secrets/workload-secret-seed", []byte(hex.EncodeToString(resp.WorkloadSecret)), 0o400)
-	if err != nil {
-		return fmt.Errorf("writing workload-secret-seed: %w", err)
+
+	if len(resp.WorkloadSecret) > 0 {
+		err = os.WriteFile("/contrast/secrets/workload-secret-seed", []byte(hex.EncodeToString(resp.WorkloadSecret)), 0o400)
+		if err != nil {
+			return fmt.Errorf("writing workload-secret-seed: %w", err)
+		}
 	}
 
 	log.Info("Initializer done")
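Review bot: The new `if len(resp.WorkloadSecret) > 0` guard skips the seed file silently, so an operator whose workload expects a secret but whose manifest has no workload secret ID sees only "Initializer done" and gets no log line explaining why /contrast/secrets/workload-secret-seed is missing. Add an else branch, `} else { log.Info("No workload secret configured, skipping workload-secret-seed") }`, assuming log is the same logger used on the following line. A comment on the if, `// The coordinator only sets WorkloadSecret when the manifest configures a workload secret ID for this workload.`, would also make the contract between the two sides explicit. run() starts and ends outside the hunk.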