diff --git a/docs/user/labels.md b/docs/user/labels.md
index 5f2637c1..556e8060 100644
--- a/docs/user/labels.md
+++ b/docs/user/labels.md
@@ -168,6 +168,11 @@ is often accomplished by deploying a driver on each node.
 ## Kubernetes
+* `api_server_cert_sans`
+
+ Specify the additional Subject Alternative Names (SANs) for the Kubernetes API Server,
+ separated by commas.
+
 * `api_server_tls_cipher_suites`
 Specify the list of TLS cipher suites to use for the Kubernetes API server,
diff --git a/magnum_cluster_api/resources.py b/magnum_cluster_api/resources.py
index 519c5854..8f5538f1 100644
--- a/magnum_cluster_api/resources.py
+++ b/magnum_cluster_api/resources.py
@@ -1183,6 +1183,15 @@ def get_object(self) -> objects.ClusterClass:
 },
 },
 },
+ {
+ "name": "apiServerSANs",
+ "required": True,
+ "schema": {
+ "openAPIV3Schema": {
+ "type": "string",
+ },
+ },
+ },
 {
 "name": "nodeCidr",
 "required": True,
@@ -2050,6 +2059,7 @@ def get_object(self) -> objects.ClusterClass:
 - {{ .builtin.cluster.name }}.{{ .builtin.cluster.namespace }}
 - {{ .builtin.cluster.name }}.{{ .builtin.cluster.namespace }}.svc
 - {{ .builtin.cluster.name }}.{{ .builtin.cluster.namespace }}.svc.cluster.local # noqa: E501
+ {{ .apiServerSANs }}
 """
 ),
 },
@@ -2624,6 +2634,10 @@ def get_object(self) -> objects.Cluster:
 "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", # noqa: E501
 ),
 },
+ {
+ "name": "apiServerSANs",
+ "value": utils.generate_api_cert_san_list(self.cluster),
+ },
 {
 "name": "nodeCidr",
 "value": self.cluster.labels.get(
diff --git a/magnum_cluster_api/utils.py b/magnum_cluster_api/utils.py
index 881ce5c4..efe32735 100644
--- a/magnum_cluster_api/utils.py
+++ b/magnum_cluster_api/utils.py
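Review bot: The new `{{ .apiServerSANs }}` line in the SAN list of the control-plane template (the hunk at 2050) is placed at the indentation of the surrounding `- {{ .builtin.cluster.name }}…` entries, but the value substituted there is a newline-joined string whose second and later `- san` items start at column 0, so unless the template engine re-indents multi-line values, only the first SAN lands inside the list and the rest either break the YAML or end up at the wrong level. This line is also where label-supplied text enters the rendered template unescaped, so the value must already be restricted to hostname/IP characters by the time it arrives (the utils.py hunk is the place for that). Consider emitting one template line per SAN with the list indentation applied, or passing the SANs as a list-typed variable and iterating over it in the template instead of splicing a preformatted fragment. The enclosing get_object body starts and ends outside this hunk.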
@@ -483,3 +483,11 @@ def kube_apply_patch(resource):
 resource.api.raise_for_status(resp)
 resource.set_obj(resp.json())
+
+
+def generate_api_cert_san_list(cluster: magnum_objects.Cluster):
+ cert_sans = cluster.labels.get("api_server_cert_sans", "")
+ additional_cert_sans_list = cert_sans.split(",")
+
+ # Add the additional cert SANs to the template
+ return "\n".join(f"- {san}" for san in additional_cert_sans_list if san)
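Review bot: generate_api_cert_san_list hands each comma-separated label entry to the template untouched — no strip and no validation — so a label of `a, b` yields `- a` and `-  b`, and an entry containing a quote, `#`, `{{` or a newline is written verbatim into the YAML fragment that get_object renders for the API server SAN list. Trim each entry and accept only hostname/IP-literal characters, rejecting anything else with a clear error rather than passing it through; the rewrite below does that and adds the missing docstring and `-> str` annotation (it needs `import re` in the module's import block, which is outside this hunk). Whether Magnum already validates this label at cluster-create time is not visible here; if it does, the character check belongs there too, but this function should still strip whitespace.
```python
_SAN_RE = re.compile(r"[A-Za-z0-9.\-:*]+")  # hostnames, IPv4/IPv6 literals, wildcards only


def generate_api_cert_san_list(cluster: magnum_objects.Cluster) -> str:
    """Return the extra API server SANs from the ``api_server_cert_sans`` label
    as a newline-joined ``- <san>`` fragment (empty string when unset)."""
    cert_sans = cluster.labels.get("api_server_cert_sans", "")
    sans = [san.strip() for san in cert_sans.split(",")]
    sans = [san for san in sans if san]
    # Anything outside the hostname/IP alphabet could alter the rendered
    # template, so refuse it instead of emitting it.
    for san in sans:
        if not _SAN_RE.fullmatch(san):
            raise ValueError(f"invalid api_server_cert_sans entry: {san!r}")
    return "\n".join(f"- {san}" for san in sans)
```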