• PearlJammer1 - Wednesday, February 7, 2018 7:14 AM

    Hi
    Yes, I only see my encrypted certificate on the primary.
    I guess I have to restore these on the secondary then (as you say, merely copying them to a directory does not do anything).

    That would be correct.  Although generally, I'd lean towards creating a new master key on the secondary server, then restoring the TDE certificate using that new master key.  It'll still be able to decrypt your TDE backups.

    However, and bear in mind I don't use log shipping, it's entirely possible you're going to need to "re-seed" your secondary from a fresh, TDE-protected full database backup.  I'd even guess it's going to be required.  You *might* be able to sneak around that by restoring the certificate to the secondary, then enabling TDE on the secondary database using the certificate.
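
The certificate move discussed above, sketched in T-SQL as an added example (not part of the original post): export the TDE certificate with its private key on the primary, create a new master key on the secondary, restore the certificate under it, and compare thumbprints. The certificate name `TdeCert`, the file paths and the passwords are placeholders, not values from the thread.

```sql
-- All names, paths and passwords are placeholders (assumptions), not from the thread.

-- === On the PRIMARY ===
USE master;

-- Export the certificate AND its private key; the .cer file alone cannot decrypt anything.
BACKUP CERTIFICATE TdeCert
    TO FILE = 'C:\Transfer\TdeCert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\Transfer\TdeCert.pvk',
        ENCRYPTION BY PASSWORD = '<private-key-file-password>'
    );

-- Note the thumbprint so the restored copy can be checked against it.
SELECT name, thumbprint
FROM sys.certificates
WHERE name = 'TdeCert';

-- === On the SECONDARY ===
USE master;

-- A new master key, independent of the primary's, is enough: the certificate's
-- private key is re-protected by this key when the certificate is created here.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys
               WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<new-secondary-master-key-password>';

-- Restore the certificate from the exported files.
CREATE CERTIFICATE TdeCert
    FROM FILE = 'C:\Transfer\TdeCert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\Transfer\TdeCert.pvk',
        DECRYPTION BY PASSWORD = '<private-key-file-password>'
    );

-- The thumbprint must match the primary's, and the private key must be present.
SELECT name, thumbprint, pvt_key_encryption_type_desc
FROM sys.certificates
WHERE name = 'TdeCert';

-- On either server: which certificate protects each database encryption key.
SELECT DB_NAME(dek.database_id) AS database_name,
       dek.encryption_state,
       c.name AS protecting_certificate
FROM sys.dm_database_encryption_keys AS dek
LEFT JOIN sys.certificates AS c
       ON c.thumbprint = dek.encryptor_thumbprint;
```

Remove the exported `.pvk` file from the transfer location once the thumbprints match, since it and its password together are sufficient to read any TDE backup of the database.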