diff --git a/roles/vault/tasks/bootstrap/gen_vault_certs.yml b/roles/vault/tasks/bootstrap/gen_vault_certs.yml
index d542ef8454a09600b9147324d03635e6a2a57346..57397901a0366eaf76e4d7340bbdf37750748f0d 100644
--- a/roles/vault/tasks/bootstrap/gen_vault_certs.yml
+++ b/roles/vault/tasks/bootstrap/gen_vault_certs.yml
@@ -2,11 +2,11 @@
 - include: ../shared/issue_cert.yml
   vars:
     issue_cert_common_name: "{{ vault_pki_mounts.vault.roles[0].name }}"
-    issue_cert_alt_names: "{{ groups.vault + ['localhost'] + vault_ca_options.vault.alt_names|default() }}"
-    issue_cert_hosts: "{{ groups.vault }}"
+    issue_cert_alt_names: "{{ groups['vault'] + ['localhost'] + vault_ca_options.vault.alt_names|default() | join(',') }}"
+    issue_cert_hosts: "{{ groups['vault'] }}"
     issue_cert_ip_sans: >-
         [
-        {%- for host in groups.vault -%}
+        {%- for host in groups['vault'] -%}
         "{{ hostvars[host]['ansible_default_ipv4']['address'] }}",
         {%- if hostvars[host]['ip'] is defined -%}
         "{{ hostvars[host]['ip'] }}",