diff --git a/roles/etcd/defaults/main.yml b/roles/etcd/defaults/main.yml
index e2b1b83c74b3b4dbf5774006dc3b0028686f731b..d53caea2277e9887e64fd277cfc4e5f5e0aead07 100644
--- a/roles/etcd/defaults/main.yml
+++ b/roles/etcd/defaults/main.yml
@@ -8,6 +8,13 @@ etcd_data_dir: "/var/lib/etcd"
 etcd_config_dir: /etc/ssl/etcd
 etcd_cert_dir: "{{ etcd_config_dir }}/ssl"
 etcd_cert_group: root
+# Note: This does not set up DNS entries. It simply adds the following DNS
+# entries to the certificate
+etcd_cert_alt_names:
+  - "etcd.{{ system_namespace }}.svc.{{ dns_domain }}"
+  - "etcd.{{ system_namespace }}.svc"
+  - "etcd.{{ system_namespace }}"
+  - "etcd"
 
 etcd_script_dir: "{{ bin_dir }}/etcd-scripts"
 
diff --git a/roles/etcd/tasks/gen_certs_vault.yml b/roles/etcd/tasks/gen_certs_vault.yml
index e8955cf70c51dabd1f0fa432d4e6b298853eb9bc..fae397356e78482a7f0fb99868dffe6cdb3acf79 100644
--- a/roles/etcd/tasks/gen_certs_vault.yml
+++ b/roles/etcd/tasks/gen_certs_vault.yml
@@ -13,7 +13,7 @@
 - include: ../../vault/tasks/shared/issue_cert.yml
   vars:
     issue_cert_common_name: "etcd:master:{{ item.rsplit('/', 1)[1].rsplit('.', 1)[0] }}"
-    issue_cert_alt_names: "{{ groups.etcd + ['localhost'] }}"
+    issue_cert_alt_names: "{{ groups['etcd'] + ['localhost'] + (etcd_cert_alt_names)|default() }}"
     issue_cert_copy_ca: "{{ item == etcd_master_certs_needed|first }}"
     issue_cert_file_group: "{{ etcd_cert_group }}"
     issue_cert_file_owner: kube
diff --git a/roles/etcd/templates/openssl.conf.j2 b/roles/etcd/templates/openssl.conf.j2
index c4a0d81c9292c3b8384ccbea611c3810c9446f04..f5970af8121d0e90540e176ca1aa9f100364ce03 100644
--- a/roles/etcd/templates/openssl.conf.j2
+++ b/roles/etcd/templates/openssl.conf.j2
@@ -31,6 +31,10 @@ DNS.{{ 1 + loop.index }} = {{ host }}
 {% set idx =  groups['etcd'] | length | int + 2 %}
 DNS.{{ idx | string }} = {{ apiserver_loadbalancer_domain_name }}
 {% endif %}
+{% set idx =  groups['etcd'] | length | int + 3 %}
+{%- for etcd_alt_name in etcd_cert_alt_names -%}
+DNS.{{ idx + 1 + loop.index }} = {{ etcd_alt_name }}
+{%- endfor -%}
 {% for host in groups['etcd'] %}
 IP.{{ 2 * loop.index - 1 }} = {{ hostvars[host]['access_ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}
 IP.{{ 2 * loop.index }} = {{ hostvars[host]['ip'] | default(hostvars[host]['ansible_default_ipv4']['address']) }}