diff --git a/inventory/group_vars/k8s-cluster.yml b/inventory/group_vars/k8s-cluster.yml
index 50bbee230..e09c83ce1 100644
--- a/inventory/group_vars/k8s-cluster.yml
+++ b/inventory/group_vars/k8s-cluster.yml
@@ -15,6 +15,7 @@ bin_dir: /usr/local/bin
 kube_config_dir: /etc/kubernetes
 kube_script_dir: "{{ bin_dir }}/kubernetes-scripts"
 kube_manifest_dir: "{{ kube_config_dir }}/manifests"
+kube_crt_tmp_dir: "/var/tmp/kubecrt"
 system_namespace: kube-system
 
 # Logging directory (sysvinit systems)
diff --git a/roles/kubernetes/node/templates/kubelet.j2 b/roles/kubernetes/node/templates/kubelet.j2
index 8ec348a05..03adad3ad 100644
--- a/roles/kubernetes/node/templates/kubelet.j2
+++ b/roles/kubernetes/node/templates/kubelet.j2
@@ -12,6 +12,8 @@ KUBELET_HOSTNAME="--hostname-override={{ ansible_hostname }}"
 {% set kubelet_args_base %}--pod-manifest-path={{ kube_manifest_dir }} \
 --pod-infra-container-image={{ pod_infra_image_repo }}:{{ pod_infra_image_tag }} \
 --kube-reserved cpu={{ kubelet_cpu_limit }},memory={{ kubelet_memory_limit|regex_replace('Mi', 'M') }} \
+--tls-cert-file={{ kube_cert_dir }}/node-{{ inventory_hostname }}.pem \
+--tls-private-key-file={{ kube_cert_dir }}/node-{{ inventory_hostname }}-key.pem \
 --node-status-update-frequency={{ kubelet_status_update_frequency }}{% endset %}
 
 {# DNS settings for kubelet #}
diff --git a/roles/kubernetes/secrets/files/make-ssl.sh b/roles/kubernetes/secrets/files/make-ssl.sh
index 3cea6d79e..3a8b298d0 100755
--- a/roles/kubernetes/secrets/files/make-ssl.sh
+++ b/roles/kubernetes/secrets/files/make-ssl.sh
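Review bot: `kube_crt_tmp_dir` points the per-host SAN inputs at `/var/tmp`, a world-writable shared directory that many systemd distributions also prune with tmpfiles; those files are later consumed by a CA signing step on the first master, so they deserve a parent that only the deploying user controls. A path inside the cluster's own config tree, e.g. `kube_crt_tmp_dir: "{{ kube_config_dir }}/kubecrt"`, removes the shared-parent exposure and the cleanup risk. If `/var/tmp` is kept, the task that creates the directory must pin its mode rather than inherit whatever already exists there.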
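Review bot: The two TLS flags are rendered unconditionally, so a node for which `node-{{ inventory_hostname }}.pem` was never generated or synced ends up with a kubelet that cannot initialize its HTTPS server, instead of the self-signed fallback it presumably used before these flags existed; guard the two lines with a Jinja condition on a fact that the cert is present, or assert the files' existence in the node role before rendering. The hunk header shows `--hostname-override={{ ansible_hostname }}`, which matches `DNS.2` of the new SAN template, so hostname verification by the API server should line up, but that coupling is invisible here — a comment such as `{# serving cert must list ansible_hostname as a SAN, see openssl-san.j2 #}` above the `--tls-cert-file` line would record it. The `{% set kubelet_args_base %}` block is entirely within the hunk.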
@@ -96,8 +96,16 @@ if [ -n "$HOSTS" ]; then
         cn="${host%%.*}"
         # node key
         openssl genrsa -out node-${host}-key.pem 2048 > /dev/null 2>&1
-        openssl req -new -key node-${host}-key.pem -out node-${host}.csr -subj "/CN=kube-node-${cn}" > /dev/null 2>&1
-        openssl x509 -req -in node-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out node-${host}.pem -days 3650 > /dev/null 2>&1
+        # Let's add SAN if needed
+        if [ -e "${CRT_TMP_DIR}/${host}.san" ]; then
+            CSR_OPTS="-config ${CRT_TMP_DIR}/${host}.san"
+            CRT_OPTS="-extensions v3_req -extfile ${CRT_TMP_DIR}/${host}.san"
+        else
+            CSR_OPTS=""
+            CRT_OPTS=""
+        fi
+        openssl req -new -key node-${host}-key.pem -out node-${host}.csr -subj "/CN=kube-node-${cn}" $CSR_OPTS > /dev/null 2>&1
+        openssl x509 -req -in node-${host}.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out node-${host}.pem -days 3650 $CRT_OPTS > /dev/null 2>&1
     done
 fi
 
diff --git a/roles/kubernetes/secrets/tasks/gen_certs_script.yml b/roles/kubernetes/secrets/tasks/gen_certs_script.yml
index 4a9188065..c7d54f1ea 100644
--- a/roles/kubernetes/secrets/tasks/gen_certs_script.yml
+++ b/roles/kubernetes/secrets/tasks/gen_certs_script.yml
@@ -19,6 +19,16 @@
   tags: [k8s-secrets, bootstrap-os]
   when: gen_certs|default(false)
 
+- name: "Gen_certs | Create kubernetes cert temp directory (on {{groups['kube-master'][0]}})"
+  file:
+    path: "{{ kube_crt_tmp_dir }}"
+    state: directory
+    owner: kube
+  run_once: yes
+  delegate_to: "{{groups['kube-master'][0]}}"
+  tags: [k8s-secrets, bootstrap-os]
+  when: gen_certs|default(false)
+
 - name: Gen_certs | write openssl config
   template:
     src: "openssl.conf.j2"
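Review bot: The rewritten `openssl req` and `openssl x509` lines keep `> /dev/null 2>&1` and check no exit status, so a malformed or unreadable `${host}.san` makes the `-extfile` signing step fail silently and the loop moves on without `node-${host}.pem`; with the kubelet now pointed at that file, the failure only surfaces when the node's kubelet refuses to start. Append `|| { echo "signing node-${host}.pem failed" >&2; exit 1; }` to the `openssl x509` line (and the equivalent to the `req` line) so the Ansible task fails instead. Two smaller points: the new branch is keyed on `-e`, which is also true for a directory, so `[ -f "${CRT_TMP_DIR}/${host}.san" ]` is the intended test; and `$CSR_OPTS`/`$CRT_OPTS` deliberately rely on word splitting, so `CRT_TMP_DIR` must never contain whitespace — a comment stating that constraint belongs next to the assignment. The enclosing `for host in $HOSTS` loop begins before this hunk.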
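Review bot: The directory task sets `owner: kube` but no `mode` (and no `group`), so if `{{ kube_crt_tmp_dir }}` already exists — trivial for any local user to arrange under the default `/var/tmp` — the task chowns it yet leaves its existing permission bits, including world-write, in place. A user who can write to that directory can replace `<host>.san` between the template write and the `make-ssl.sh` run and obtain a cluster-CA-signed node certificate carrying SANs of their choosing, since `make-ssl.sh` signs whatever `-extfile` it finds. Add `mode: "0700"` and `group: kube` to the `file:` arguments so an attacker-supplied directory is tightened rather than adopted; keeping `state: directory` the `file` module will apply them to a pre-existing path as well.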
@@ -27,6 +37,13 @@
   delegate_to: "{{groups['kube-master'][0]}}"
   when: gen_certs|default(false)
 
+- name: Gen_certs | write SubjectAltNames file
+  template:
+    src: "openssl-san.j2"
+    dest: "{{ kube_crt_tmp_dir }}/{{ inventory_hostname }}.san"
+  delegate_to: "{{groups['kube-master'][0]}}"
+  when: gen_certs|default(false)
+
 - name: Gen_certs | copy certs generation script
   copy:
     src: "make-ssl.sh"
@@ -49,6 +66,7 @@
                   {{ h }}
                   {% endif %}
                   {% endfor %}"
+    - CRT_TMP_DIR: "{{ kube_crt_tmp_dir }}"
   run_once: yes
   delegate_to: "{{groups['kube-master'][0]}}"
   when: gen_certs|default(false)
@@ -74,6 +92,7 @@
                     'node-{{ node }}-key.pem',
                     {% endfor %}]"
     my_node_certs: ['ca.pem', 'node-{{ inventory_hostname }}.pem', 'node-{{ inventory_hostname }}-key.pem']
+  tags: facts
 
 - name: Gen_certs | Gather master certs
diff --git a/roles/kubernetes/secrets/templates/openssl-san.j2 b/roles/kubernetes/secrets/templates/openssl-san.j2
new file mode 100644
index 000000000..2d50bd330
--- /dev/null
+++ b/roles/kubernetes/secrets/templates/openssl-san.j2
@@ -0,0 +1,18 @@
+[req]
+req_extensions = v3_req
+distinguished_name = req_distinguished_name
+
+[req_distinguished_name]
+
+[v3_req]
+basicConstraints = CA:FALSE
+keyUsage = digitalSignature, keyEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = localhost
+DNS.2 = {{ ansible_hostname }}
+DNS.3 = {{ inventory_hostname }}
+IP.1 = 127.0.0.1
+IP.2 = {{ access_ip | default(ansible_default_ipv4['address']) }}
+IP.3 = {{ ip | default(ansible_default_ipv4['address']) }}
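Review bot: The new "write SubjectAltNames file" task carries no `tags`, unlike the directory-creation task added in this same commit, which has `tags: [k8s-secrets, bootstrap-os]`; a run limited with `--tags k8s-secrets` will therefore create the directory and run `make-ssl.sh` without ever writing the `.san` files, and the script's `-e` fallback then silently issues SAN-less node certs that the new kubelet TLS flags will serve. Add `tags: [k8s-secrets, bootstrap-os]` to the task so it travels with the rest of the cert pipeline. Note that this task must stay per-host (no `run_once`) because `inventory_hostname` and the host facts in the template are taken from each delegating host — a one-line comment saying so above `delegate_to` would stop someone "fixing" it to match the directory task.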
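Review bot: `[v3_req]` sets `keyUsage` but no `extendedKeyUsage`, while the certificate it shapes is now the kubelet's serving cert (`--tls-cert-file` in the kubelet.j2 hunk) and, judging by the `kube-node-` CN, is also used as a client identity; adding `extendedKeyUsage = serverAuth, clientAuth` makes both purposes explicit and keeps verifiers that insist on an EKU from rejecting it. `IP.2` and `IP.3` both fall back to `ansible_default_ipv4['address']`, which is undefined on a host with no IPv4 default route and will make the template task fail for that host rather than produce a cert without an IP SAN — `ansible_default_ipv4.address | default(omit)` or an explicit `{% if %}` around each IP line would degrade more gracefully. The DNS list also omits `ansible_fqdn`, so a client that reaches the node by its fully qualified name will fail hostname verification; if that is a supported access path, add `DNS.4 = {{ ansible_fqdn }}`.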