diff --git a/pkg/cli/cmds/server.go b/pkg/cli/cmds/server.go
index 7e68f0b854..7dc3490d57 100644
--- a/pkg/cli/cmds/server.go
+++ b/pkg/cli/cmds/server.go
@@ -16,6 +16,7 @@ type Server struct {
 DisableAgent bool
 KubeConfigOutput string
 KubeConfigMode string
+ KnownIPs cli.StringSlice
 }

 var ServerConfig Server
@@ -94,6 +95,11 @@ func NewServerCommand(action func(*cli.Context) error) cli.Command {
 Destination: &ServerConfig.KubeConfigMode,
 EnvVar: "K3S_KUBECONFIG_MODE",
 },
+ cli.StringSliceFlag{
+ Name: "tls-san",
+ Usage: "Add additional hostname or IP as a Subject Alternative Name in the TLS cert",
+ Value: &ServerConfig.KnownIPs,
+ },
 NodeIPFlag,
 NodeNameFlag,
 DockerFlag,
diff --git a/pkg/cli/server/server.go b/pkg/cli/server/server.go
index 51958a6e55..23606ddeb9 100644
--- a/pkg/cli/server/server.go
+++ b/pkg/cli/server/server.go
@@ -77,7 +77,7 @@ func run(app *cli.Context, cfg *cmds.Server) error {
 serverConfig.ControlConfig.KubeConfigMode = cfg.KubeConfigMode
 serverConfig.TLSConfig.HTTPSPort = cfg.HTTPSPort
 serverConfig.TLSConfig.HTTPPort = cfg.HTTPPort
- serverConfig.TLSConfig.KnownIPs = knownIPs()
+ serverConfig.TLSConfig.KnownIPs = knownIPs(cfg.KnownIPs)

 _, serverConfig.ControlConfig.ClusterIPRange, err = net2.ParseCIDR(cfg.ClusterCIDR)
 if err != nil {
@@ -146,10 +146,8 @@ func run(app *cli.Context, cfg *cmds.Server) error {
 return agent.Run(ctx, agentConfig)
 }

-func knownIPs() []string {
- ips := []string{
- "127.0.0.1",
- }
+func knownIPs(ips []string) []string {
+ ips = append(ips, "127.0.0.1")
 ip, err := net.ChooseHostInterface()
 if err == nil {
 ips = append(ips, ip.String())
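Review bot: The new `tls-san` flag accepts hostnames as well as IPs, yet its values are stored in a field named `KnownIPs` (added in the first hunk) and later assigned to `TLSConfig.KnownIPs`, which invites later code to treat every entry as an IP address. A comment on the field such as `// KnownIPs holds the extra certificate SANs (hostnames or IPs) given with --tls-san.` would make the contract explicit. The flag also sets no `EnvVar`, unlike the `K3S_KUBECONFIG_MODE` entry directly above it, so it is the one option in this group that cannot be supplied through the environment. Because it is a `StringSliceFlag`, the usage string could also say that the flag may be repeated.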
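Review bot: `knownIPs` now forwards whatever was passed with `--tls-san` into `serverConfig.TLSConfig.KnownIPs` without any check, so an empty or mistyped entry goes straight to whatever builds the serving certificate. That code is not visible here, so its handling of such entries should be confirmed. These entries decide which names and addresses clients will accept the certificate for, so dropping empty values and logging the final list at startup would make an unintended SAN visible to the operator. Separately, `ips = append(ips, "127.0.0.1")` appends to the caller's slice and can write into the backing array of `cfg.KnownIPs` when it has spare capacity; copying into a fresh slice first avoids that aliasing. The function body continues past the end of the hunk.

```go
func knownIPs(ips []string) []string {
	// Copy so the appends below never write into the caller's backing array,
	// and drop empty entries before they reach the certificate SAN list.
	sans := make([]string, 0, len(ips)+2)
	for _, s := range ips {
		if s != "" {
			sans = append(sans, s)
		}
	}
	sans = append(sans, "127.0.0.1")
	// … unchanged: net.ChooseHostInterface lookup, now appending to sans …
```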