diff --git a/pkg/apis/kops/cluster.go b/pkg/apis/kops/cluster.go
index bb2ab596930d0..f9358189ae093 100644
--- a/pkg/apis/kops/cluster.go
+++ b/pkg/apis/kops/cluster.go
@@ -87,6 +87,8 @@ type ClusterSpec struct {
 // Note that DNSZone can either by the host name of the zone (containing dots),
 // or can be an identifier for the zone.
 DNSZone string `json:"dnsZone,omitempty"`
+ // AdditionalSANs adds additional Subject Alternate Names to apiserver cert that kops generates
+ AdditionalSANs []string `json:"additionalSans,omitempty"`
 // ClusterDNSDomain is the suffix we use for internal DNS names (normally cluster.local)
 ClusterDNSDomain string `json:"clusterDNSDomain,omitempty"`
 // ServiceClusterIPRange is the CIDR, from the internal network, where we allocate IPs for services
diff --git a/pkg/apis/kops/v1alpha1/cluster.go b/pkg/apis/kops/v1alpha1/cluster.go
index 1b55a0a123096..0ea8b11ed7d10 100644
--- a/pkg/apis/kops/v1alpha1/cluster.go
+++ b/pkg/apis/kops/v1alpha1/cluster.go
@@ -86,6 +86,8 @@ type ClusterSpec struct {
 // Note that DNSZone can either by the host name of the zone (containing dots),
 // or can be an identifier for the zone.
 DNSZone string `json:"dnsZone,omitempty"`
+ // AdditionalSANs adds additional Subject Alternate Names to apiserver cert that kops generates
+ AdditionalSANs []string `json:"additionalSans,omitempty"`
 // ClusterDNSDomain is the suffix we use for internal DNS names (normally cluster.local)
 ClusterDNSDomain string `json:"clusterDNSDomain,omitempty"`
 // ClusterName is a unique identifier for the cluster, and currently must be a DNS name
diff --git a/pkg/apis/kops/v1alpha1/zz_generated.conversion.go b/pkg/apis/kops/v1alpha1/zz_generated.conversion.go
index 7e282f799cc1b..1dc8974492c00 100644
--- a/pkg/apis/kops/v1alpha1/zz_generated.conversion.go
+++ b/pkg/apis/kops/v1alpha1/zz_generated.conversion.go
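Review bot: The new `AdditionalSANs` field is user-supplied input that is copied straight into the certificate's alternate names (see the pkg/model/pki.go hunk), yet no hunk in this diff adds validation for it; the cluster validation path should at least reject empty entries and anything that is neither a DNS name nor an IP literal, e.g. `for i, san := range spec.AdditionalSANs { if san == "" { return fmt.Errorf("spec.additionalSans[%d]: must not be empty", i) } }` with a DNS-subdomain/IP check behind it. The same field is added in pkg/apis/kops/v1alpha1/cluster.go and pkg/apis/kops/v1alpha2/cluster.go in this diff, so a check on the internal type would cover all three. The doc comment should also use the standard term and say which certificate is meant: `// AdditionalSANs adds additional Subject Alternative Names to the apiserver certificate that kops generates`. ClusterSpec continues outside the hunk.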
@@ -587,6 +587,7 @@ func autoConvert_v1alpha1_ClusterSpec_To_kops_ClusterSpec(in *ClusterSpec, out *
 out.Project = in.Project
 out.MasterPublicName = in.MasterPublicName
 out.MasterInternalName = in.MasterInternalName
+ out.AdditionalSANs = in.AdditionalSANs
 out.NetworkCIDR = in.NetworkCIDR
 out.NetworkID = in.NetworkID
 if in.Topology != nil {
@@ -821,6 +822,7 @@ func autoConvert_kops_ClusterSpec_To_v1alpha1_ClusterSpec(in *kops.ClusterSpec,
 out.Project = in.Project
 out.MasterPublicName = in.MasterPublicName
 out.MasterInternalName = in.MasterInternalName
+ out.AdditionalSANs = in.AdditionalSANs
 out.NetworkCIDR = in.NetworkCIDR
 out.NetworkID = in.NetworkID
 if in.Topology != nil {
diff --git a/pkg/apis/kops/v1alpha2/cluster.go b/pkg/apis/kops/v1alpha2/cluster.go
index ca508e8580ccb..c11e0d9011013 100644
--- a/pkg/apis/kops/v1alpha2/cluster.go
+++ b/pkg/apis/kops/v1alpha2/cluster.go
@@ -84,6 +84,8 @@ type ClusterSpec struct {
 // Note that DNSZone can either by the host name of the zone (containing dots),
 // or can be an identifier for the zone.
 DNSZone string `json:"dnsZone,omitempty"`
+ // AdditionalSANs adds additional Subject Alternate Names to apiserver cert that kops generates
+ AdditionalSANs []string `json:"additionalSans,omitempty"`
 // ClusterDNSDomain is the suffix we use for internal DNS names (normally cluster.local)
 ClusterDNSDomain string `json:"clusterDNSDomain,omitempty"`
 // ServiceClusterIPRange is the CIDR, from the internal network, where we allocate IPs for services
diff --git a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
index c3bb46bcacf8f..fb2c0424a28af 100644
--- a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
+++ b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
@@ -633,6 +633,7 @@ func autoConvert_v1alpha2_ClusterSpec_To_kops_ClusterSpec(in *ClusterSpec, out *
 out.Project = in.Project
 out.MasterPublicName = in.MasterPublicName
 out.MasterInternalName = in.MasterInternalName
+ out.AdditionalSANs = in.AdditionalSANs
 out.NetworkCIDR = in.NetworkCIDR
 out.NetworkID = in.NetworkID
 if in.Topology != nil {
@@ -883,6 +884,7 @@ func autoConvert_kops_ClusterSpec_To_v1alpha2_ClusterSpec(in *kops.ClusterSpec,
 out.Project = in.Project
 out.MasterPublicName = in.MasterPublicName
 out.MasterInternalName = in.MasterInternalName
+ out.AdditionalSANs = in.AdditionalSANs
 out.NetworkCIDR = in.NetworkCIDR
 out.NetworkID = in.NetworkID
 if in.Topology != nil {
diff --git a/pkg/model/pki.go b/pkg/model/pki.go
index 059824a75d6c7..cd773c215efdf 100644
--- a/pkg/model/pki.go
+++ b/pkg/model/pki.go
@@ -206,6 +206,7 @@ func (b *PKIModelBuilder) Build(c *fi.ModelBuilderContext) error {
 // Names specified in the cluster spec
 alternateNames = append(alternateNames, b.Cluster.Spec.MasterPublicName)
 alternateNames = append(alternateNames, b.Cluster.Spec.MasterInternalName)
+ alternateNames = append(alternateNames, b.Cluster.Spec.AdditionalSANs...)
 
 // Referencing it by internal IP should work also
 {
diff --git a/tests/integration/conversion/minimal/v1alpha0.yaml b/tests/integration/conversion/minimal/v1alpha0.yaml
index 1721a7eeebd83..8aeb4d4b50707 100644
--- a/tests/integration/conversion/minimal/v1alpha0.yaml
+++ b/tests/integration/conversion/minimal/v1alpha0.yaml
@@ -20,6 +20,8 @@ spec:
 kubernetesVersion: v1.4.12
 masterInternalName: api.internal.minimal.example.com
 masterPublicName: api.minimal.example.com
+ additionalSans:
+ - proxy.api.minimal.example.com
 networkCIDR: 172.20.0.0/16
 networking:
 kubenet: {}
diff --git a/tests/integration/conversion/minimal/v1alpha1.yaml b/tests/integration/conversion/minimal/v1alpha1.yaml
index d57fbc6f9fdc5..1de685e93cee3 100644
--- a/tests/integration/conversion/minimal/v1alpha1.yaml
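Review bot: In the pkg/model/pki.go hunk, `b.Cluster.Spec.AdditionalSANs...` is appended verbatim, so entries that repeat `MasterPublicName`, `MasterInternalName` or each other go into `alternateNames` as duplicates; unless the keypair task already de-duplicates, collapse the list before it is handed on, e.g. `alternateNames = slices.Compact(slices.Sorted(slices.Values(alternateNames)))` or an equivalent set-based pass if the file targets an older Go. How `alternateNames` is consumed is outside this hunk — if the consumer treats every entry as a DNS name, an IP literal written in `additionalSans` would be emitted as a DNS SAN and never match as an IP SAN, so confirm that path distinguishes the two (a `net.ParseIP` check) or document that only host names are accepted. Also worth confirming is whether a changed alternate-name list causes re-issuance of an already stored master certificate, since otherwise existing clusters will not pick up the new SANs until the keypair is rotated. `Build` starts and ends outside the hunk.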
+++ b/tests/integration/conversion/minimal/v1alpha1.yaml
@@ -27,6 +27,8 @@ spec:
 kubernetesVersion: v1.4.12
 masterInternalName: api.internal.minimal.example.com
 masterPublicName: api.minimal.example.com
+ additionalSans:
+ - proxy.api.minimal.example.com
 networkCIDR: 172.20.0.0/16
 networking:
 kubenet: {}
diff --git a/tests/integration/conversion/minimal/v1alpha2.yaml b/tests/integration/conversion/minimal/v1alpha2.yaml
index adc5626969e08..ed36b9a33eb1c 100644
--- a/tests/integration/conversion/minimal/v1alpha2.yaml
+++ b/tests/integration/conversion/minimal/v1alpha2.yaml
@@ -27,6 +27,8 @@ spec:
 kubernetesVersion: v1.4.12
 masterInternalName: api.internal.minimal.example.com
 masterPublicName: api.minimal.example.com
+ additionalSans:
+ - proxy.api.minimal.example.com
 networkCIDR: 172.20.0.0/16
 networking:
 kubenet: {}
diff --git a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/kopeio-vxlan/cluster.yaml b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/kopeio-vxlan/cluster.yaml
index 17a8df08428c6..651a5f4cdadff 100644
--- a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/kopeio-vxlan/cluster.yaml
+++ b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/kopeio-vxlan/cluster.yaml
@@ -21,6 +21,8 @@ spec:
 kubernetesVersion: v1.4.6
 masterInternalName: api.internal.minimal.example.com
 masterPublicName: api.minimal.example.com
+ additionalSans:
+ - proxy.api.minimal.example.com
 networkCIDR: 172.20.0.0/16
 networking:
 kopeio: {}
diff --git a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/simple/cluster.yaml b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/simple/cluster.yaml
index 33674de3c25c9..6af315229a648 100644
--- a/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/simple/cluster.yaml
+++ b/upup/pkg/fi/cloudup/tests/bootstrapchannelbuilder/simple/cluster.yaml
@@ -21,6 +21,8 @@ spec:
 kubernetesVersion: v1.4.6
 masterInternalName: api.internal.minimal.example.com
 masterPublicName: api.minimal.example.com
+ additionalSans:
+ - proxy.api.minimal.example.com
 networkCIDR: 172.20.0.0/16
 networking:
 kubenet: {}