diff --git a/roles/vault/defaults/main.yml b/roles/vault/defaults/main.yml
index 8916d4b3acc7f6a1d677c294c181eff816640a2f..2bbb0b9a267491adccb6720dd37dc6c28dd019ef 100644
--- a/roles/vault/defaults/main.yml
+++ b/roles/vault/defaults/main.yml
@@ -83,6 +83,11 @@ vault_ca_options:
 format: pem
 ttl: "{{ vault_max_lease_ttl }}"
 exclude_cn_from_sans: true
+ altnames:
+ - "vault.{{ system_namespace }}.svc.{{ dns_domain }}"
+ - "vault.{{ system_namespace }}.svc"
+ - "vault.{{ system_namespace }}"
+ - "vault"
 etcd:
 common_name: etcd
 format: pem
diff --git a/roles/vault/tasks/bootstrap/gen_vault_certs.yml b/roles/vault/tasks/bootstrap/gen_vault_certs.yml
index ce45385716ac4e0a5b21107968f3fe88ade4c2d4..8a82e5b6f55a3fe5a812bdef79664e60871b6db8 100644
--- a/roles/vault/tasks/bootstrap/gen_vault_certs.yml
+++ b/roles/vault/tasks/bootstrap/gen_vault_certs.yml
@@ -2,7 +2,7 @@
 - include: ../shared/issue_cert.yml
 vars:
 issue_cert_common_name: "{{ vault_pki_mounts.vault.roles[0].name }}"
- issue_cert_alt_names: "{{ groups.vault + ['localhost'] }}"
+ issue_cert_alt_names: "{{ groups.vault + ['localhost'] + vault_ca_options.vault.altnames|default() }}"
 issue_cert_hosts: "{{ groups.vault }}"
 issue_cert_ip_sans: >-
 [
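Review bot: In roles/vault/defaults/main.yml the new `altnames` list has no comment saying that every entry ends up as a SAN on the Vault server certificate, and the short entries (`"vault"`, `"vault.{{ system_namespace }}"`) widen the set of hostnames that certificate is accepted for. I would add a comment above the key such as `# Kubernetes service DNS names added as SANs to the Vault server certificate; drop the short forms if clients always use the FQDN`. The entries also depend on `system_namespace` and `dns_domain` being defined wherever this role is templated. Their definitions are not visible in this hunk, so confirm they are set for Vault hosts.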
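Review bot: In roles/vault/tasks/bootstrap/gen_vault_certs.yml the fallback on the new `issue_cert_alt_names` line is the wrong type: Jinja2's `default()` with no argument yields an empty string, and the filter binds only to `vault_ca_options.vault.altnames`, so the expression becomes list + string when the key is missing. That can happen when an inventory overrides `vault_ca_options` without `altnames`, and certificate generation would then likely fail with a type error rather than fall back to the host names. Use a list default and make the precedence explicit: `issue_cert_alt_names: "{{ groups.vault + ['localhost'] + (vault_ca_options.vault.altnames | default([])) }}"`. The `vars:` block of this include continues past the end of the hunk.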