diff --git a/README.md b/README.md
index b5e2a33fb1e39f5be67e0aa1e560e6095d3d5c20..a6be0f6e8c68e08b571a4354ef1d344a8818d239 100644
--- a/README.md
+++ b/README.md
@@ -64,4 +64,23 @@ cert_valid_days: 1095
 
 # The passphrase used for the CA file
 sidecar_ca_passphrase:
+```
+
+### SAN config
+
+To configure the SANs that will be added to the node certificates the following options
+are available. The FQDN and short name of the node will always be added. The settings
+below only apply to `IP` SAN entries.
+
+```yaml
+# Control the IP family to use
+use_ipv4: true
+use_ipv6: true
+
+# If set to true, the IP of the default route interface will be used
+use_default: true
+
+# If set to true, the IP of the provided interface name will be used
+use_interface_ip: false
+iface_name: ""
 ```
\ No newline at end of file
diff --git a/defaults/main.yml b/defaults/main.yml
index d1584830c9d4d70a3eec44f620a650efa65d9552..876c7e4d6d4d31d0babecb994b764e60a52c6b34 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -15,4 +15,12 @@ generate_node_certs: true
 tmp_cert_dir: "/tmp/graylog-sidecar-certs" # local directory
 gl_sidecar_ca_path: "/etc/graylog/sidecar"
 sidecar_cert_dir: "/etc/graylog/sidecar"
-cert_valid_days: 1095
\ No newline at end of file
+cert_valid_days: 1095
+
+# Cert SAN settings
+node_cert_sans: "{{ lookup('template', 'node-cert-sans.j2') }}"
+use_ipv4: true
+use_ipv6: true
+use_default: true
+use_interface_ip: false
+iface_name: ""
\ No newline at end of file
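Review bot: The new switches `use_ipv4`, `use_ipv6`, `use_default`, `use_interface_ip` and `iface_name` carry no role prefix, unlike `sidecar_cert_dir` a few lines above, and Ansible variables share one namespace across roles and plays. A same-named variable set in inventory or by another role would silently change which IP addresses end up in the node certificate's SANs. Prefixed names such as `sidecar_san_use_ipv4: true` and `sidecar_san_iface_name: ""` would avoid that; the README and the template would need the same rename.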
diff --git a/tasks/node-certs.yml b/tasks/node-certs.yml
index 87724e5ba50ca87db23c351d9a5c53f51dc4ce13..2f190396ac756e5328e9c9e56bf5af421c1190e7 100644
--- a/tasks/node-certs.yml
+++ b/tasks/node-certs.yml
@@ -39,11 +39,7 @@
       community.crypto.openssl_csr_pipe:
         privatekey_path: "{{ tmp_cert_dir }}/sidecar-{{ inventory_hostname }}.key"
         common_name: "{{ ansible_fqdn }}"  # CN
-        subject_alt_name:
-          - "DNS:{{ inventory_hostname }}"
-          - "DNS:{{ ansible_fqdn }}"
-          - "IP:{{ ansible_default_ipv6.address }}"
-          # - "IP:{{ ansible_default_ipv4.address }}"
+        subject_alt_name: "{{ node_cert_sans }}"
       register: "node_csr"
 
     - name: Node Certificates | Generate Certificates
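Review bot: `subject_alt_name` now receives `node_cert_sans`, which defaults/main.yml defines as `lookup('template', 'node-cert-sans.j2')`, and a template lookup returns the rendered text as a string rather than a list. Unless Ansible happens to convert it, the module would likely see one multi-line string instead of separate SAN entries. Parsing it explicitly with `subject_alt_name: "{{ node_cert_sans | from_yaml }}"` removes the ambiguity. The task this line belongs to begins above the hunk.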
diff --git a/templates/node-cert-sans.j2 b/templates/node-cert-sans.j2
new file mode 100644
index 0000000000000000000000000000000000000000..c811ac57aca9a7a0e59c899d1cf59eee457adf24
--- /dev/null
+++ b/templates/node-cert-sans.j2
@@ -0,0 +1,24 @@
+{%- macro ansible_iface(name) -%}
+    ansible_{{name}}
+{%- endmacro -%}
+
+- "DNS:{{ inventory_hostname }}"
+- "DNS:{{ ansible_fqdn }}"
+{% if use_default == true -%}
+    {% if use_ipv4 == true and ansible_default_ipv4.address is defined -%}
+- "IP:{{ ansible_default_ipv4.address }}"
+    {% endif -%}
+    {% if use_ipv6 == true and ansible_default_ipv6.address is defined -%}
+- "IP:{{ ansible_default_ipv6.address }}"
+    {% endif -%}
+{% endif -%}
+{% if use_interface_ip == true -%}
+    {% if ansible_facts[ansible_iface(iface_name)] is defined -%}
+        {% if use_ipv4 == true and ansible_facts[ansible_iface(iface_name)].ipv4.address is defined -%}
+- "IP:{{ ansible_facts[ansible_iface(iface_name)].ipv6.address }}"
+        {% endif -%}
+        {% if use_ipv6 == true and ansible_facts[ansible_iface(iface_name)].ipv6.address is defined -%}
+- "IP:{{ ansible_facts[ansible_iface(iface_name)].ipv6.address }}"
+        {%- endif -%}
+    {%- endif-%}
+{%- endif -%}
\ No newline at end of file
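Review bot: The interface IPv4 branch tests `.ipv4.address` but then emits `.ipv6.address`, so with `use_interface_ip` enabled the IPv4 address never reaches the certificate and the IPv6 address is listed twice. An interface without IPv6 would also hit an undefined value there. The emitted line should be `- "IP:{{ ansible_facts[ansible_iface(iface_name)].ipv4.address }}"`. Separately, the `ansible_iface` macro builds `ansible_<name>`, while keys under `ansible_facts` are normally stored without the `ansible_` prefix, so the outer `is defined` check may never be true and the whole interface branch would be skipped silently; this is worth confirming against a real host's facts.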