diff --git a/README.md b/README.md
index 0605ea7..41a0b2d 100644
--- a/README.md
+++ b/README.md
@@ -51,6 +51,7 @@ The following code snippet is taken from the Gatekeeper project:
 CAName: caName,
 CAOrganization: caOrganization,
 DNSName: dnsName,
+ ExtraDNSNames: extraDnsNames,
 IsReady: setupFinished,
 VWHName: vwhName,
 }); err != nil {
diff --git a/pkg/rotator/rotator.go b/pkg/rotator/rotator.go
index a8f9ee8..9815ad3 100644
--- a/pkg/rotator/rotator.go
+++ b/pkg/rotator/rotator.go
@@ -168,6 +168,7 @@ type CertRotator struct {
 CAName string
 CAOrganization string
 DNSName string
+ ExtraDNSNames []string
 IsReady chan struct{}
 Webhooks []WebhookInfo
 RestartOnSecretRefresh bool
@@ -475,14 +476,14 @@ func (cr *CertRotator) CreateCACert(begin, end time.Time) (*KeyPairArtifacts, er
 // CreateCertPEM takes the results of CreateCACert and uses it to create the
 // PEM-encoded public certificate and private key, respectively
 func (cr *CertRotator) CreateCertPEM(ca *KeyPairArtifacts, begin, end time.Time) ([]byte, []byte, error) {
+ dnsNames := []string{cr.DNSName}
+ dnsNames = append(dnsNames, cr.ExtraDNSNames...)
 templ := &x509.Certificate{
 SerialNumber: big.NewInt(1),
 Subject: pkix.Name{
 CommonName: cr.DNSName,
 },
- DNSNames: []string{
- cr.DNSName,
- },
+ DNSNames: dnsNames,
 NotBefore: begin,
 NotAfter: end,
 KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
diff --git a/pkg/rotator/rotator_test.go b/pkg/rotator/rotator_test.go
index 2863bad..afefc59 100644
--- a/pkg/rotator/rotator_test.go
+++ b/pkg/rotator/rotator_test.go
@@ -26,6 +26,9 @@ var (
 CAName: "ca",
 CAOrganization: "org",
 DNSName: "service.namespace",
+ ExtraDNSNames: []string{
+ "other-service.namespace",
+ },
 ExtKeyUsages: &[]x509.ExtKeyUsage{
 x509.ExtKeyUsageClientAuth,
 x509.ExtKeyUsageServerAuth,
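Review bot: The new `ExtraDNSNames` field in the CertRotator struct hunk is exported but has no doc comment, so a caller cannot tell whether its entries may repeat DNSName or be empty. A one-line comment above it would do: `// ExtraDNSNames holds additional DNS subject alternative names, beyond DNSName, to include in the serving certificate.` The CertRotator struct opens before this hunk and continues after it.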
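Review bot: CreateCertPEM now issues certificates carrying ExtraDNSNames, but nothing in this commit extends the check that decides whether an already-stored certificate is still good; the test hunk in rotator_test.go keeps calling `cr.validServerCert(caArtifacts.CertPEM, cert, key)` with no name argument, which suggests that check covers only cr.DNSName (its body is not in the diff, so confirm). If so, a secret issued before ExtraDNSNames was configured is kept until it expires while clients reaching the service through one of the extra names get a hostname mismatch, so the refresh check should verify every name in ExtraDNSNames as well. The `dnsNames` slice is also built without skipping empty entries or entries equal to cr.DNSName, so a careless config produces an empty or duplicate SAN; dropping those before appending would keep the certificate clean. The doc comment on CreateCertPEM should also mention that the SAN list is DNSName followed by ExtraDNSNames.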
@@ -48,7 +51,12 @@ func TestCertSigning(t *testing.T) {
 }
 if !cr.validServerCert(caArtifacts.CertPEM, cert, key) {
- t.Error("Generated cert is not valid")
+ t.Error("Generated cert is not valid for common name")
+ }
+
+ valid, err := ValidCert(caArtifacts.CertPEM, cert, key, cr.ExtraDNSNames[0], cr.ExtKeyUsages, lookaheadTime())
+ if err != nil || !valid {
+ t.Error("Generated cert is not valid for ExtraDnsName")
 }
 }
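Review bot: The new check at the end of TestCertSigning exercises only `cr.ExtraDNSNames[0]` and discards `err` in the failure message, so a second configured name would go untested and a ValidCert error is reported as a plain "not valid". Range over the fixture instead, `for _, name := range cr.ExtraDNSNames {`, pass `name` to ValidCert, and report with `t.Errorf("generated cert is not valid for extra DNS name %q: valid=%v err=%v", name, valid, err)`. TestCertSigning begins before this hunk.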