diff --git a/docs/docs/reference/configuration.md b/docs/docs/reference/configuration.md index ca2140a4..e1c323fb 100644 --- a/docs/docs/reference/configuration.md +++ b/docs/docs/reference/configuration.md @@ -120,7 +120,7 @@ allowSchedulingOnControlPlanes: true `additionalMachineCertSans` []string -Extra certificate SANs for the machine's certificate.
*Show example* +**DEPRECATED! Use node/node groups `extraMachineCertSans`**. Extra certificate SANs for the machine's certificate.
*Show example* ```yaml additionalMachineCertSans: - 10.0.0.10 @@ -383,6 +383,17 @@ overrideExtraManifests: true `false` :negative_squared_cross_mark: + +`overrideMachineCertSANs` +bool +
Whether `certSANs` defined here should override the one defined in node group.By default they will get appended instead.
*Show example* +```yaml +overrideMachineCertSANs: true +``` + +`false` +:negative_squared_cross_mark: + - @@ -699,6 +710,20 @@ extraManifests: `[]` :negative_squared_cross_mark: + +`certSANs` +[]string +Extra SANs in the machine's certificate.
*Show example* +```yaml +certSANs: + - example.org + - 172.16.0.10 + - 192.168.0.10 +``` +
+`[]` +:negative_squared_cross_mark: + `patches` diff --git a/pkg/config/config.go b/pkg/config/config.go index d2016c10..c0fa2a8d 100644 --- a/pkg/config/config.go +++ b/pkg/config/config.go @@ -17,7 +17,7 @@ type TalhelperConfig struct { Domain string `yaml:"domain,omitempty" jsonschema:"example=cluster.local,description=The domain to be used by Kubernetes DNS"` AllowSchedulingOnMasters bool `yaml:"allowSchedulingOnMasters,omitempty" jsonschema:"description=Whether to allow running workload on controlplane nodes"` AllowSchedulingOnControlPlanes bool `yaml:"allowSchedulingOnControlPlanes,omitempty" jsonschema:"description=Whether to allow running workload on controlplane nodes. It is an alias to \"AllowSchedulingOnMasters\""` - AdditionalMachineCertSans []string `yaml:"additionalMachineCertSans,omitempty" jsonschema:"description=Extra certificate SANs for the machine's certificate"` + AdditionalMachineCertSans []string `yaml:"additionalMachineCertSans,omitempty" jsonschema:"description=DEPRECATED Use node/node groups extraMachineCertSans ! Extra certificate SANs for the machine's certificate"` AdditionalApiServerCertSans []string `yaml:"additionalApiServerCertSans,omitempty" jsonschema:"description=Extra certificate SANs for the API server's certificate"` ClusterInlineManifests ClusterInlineManifests `yaml:"inlineManifests,omitempty" jsonschema:"description=A list of inline Kubernetes manifests for the cluster"` ClusterPodNets []string `yaml:"clusterPodNets,omitempty" jsonschema:"description=The pod subnet CIDR list"` 
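Review bot: The new jsonschema description on `AdditionalMachineCertSans` tells users to migrate to `extraMachineCertSans`, but no field of that name exists in this diff; the per-node/per-group field added to `NodeConfigs` is `certSANs` (`CertSANs []string` with yaml tag `certSANs`), so the deprecation text points at a key that will be silently ignored by the loader. Suggest `description=DEPRECATED: use certSANs on nodes or node groups instead. Extra certificate SANs for the machine's certificate` (the `!` placement also reads as if it belongs to the field name). The same wrong name appears in the docs hunk for docs/docs/reference/configuration.md in this diff and should be corrected together. The TalhelperConfig struct starts and ends outside this hunk.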
@@ -31,15 +31,16 @@ type TalhelperConfig struct { } type Node struct { - Hostname string `yaml:"hostname" jsonschema:"required,description=Hostname of the node"` - IPAddress string `yaml:"ipAddress,omitempty" jsonschema:"required,example=192.168.200.11,description=IP address where the node can be reached, can also be a comma separated IP addresses"` - ControlPlane bool `yaml:"controlPlane" jsonschema:"description=Whether the node is a controlplane"` - InstallDisk string `yaml:"installDisk,omitempty" jsonschema:"oneof_required=installDiskSelector,description=The disk used for installation"` - InstallDiskSelector *v1alpha1.InstallDiskSelector `yaml:"installDiskSelector,omitempty" jsonschema:"oneof_required=installDisk,description=Look up disk used for installation"` - IgnoreHostname bool `yaml:"ignoreHostname" jsonschema:"description=Whether to set \"machine.network.hostname\" to the generated config file"` - OverridePatches bool `yaml:"overridePatches,omitempty" jsonschema:"description=Whether \"patches\" defined here should override the one defined in node group"` - OverrideExtraManifests bool `yaml:"overrideExtraManifests,omitempty" jsonschema:"description=Whether \"extraManifests\" defined here should override the one defined in node group"` - NodeConfigs `yaml:",inline" jsonschema:"description=Node specific configurations that will override node group configurations"` + Hostname string `yaml:"hostname" jsonschema:"required,description=Hostname of the node"` + IPAddress string `yaml:"ipAddress,omitempty" jsonschema:"required,example=192.168.200.11,description=IP address where the node can be reached, can also be a comma separated IP addresses"` + ControlPlane bool `yaml:"controlPlane" jsonschema:"description=Whether the node is a controlplane"` + InstallDisk string `yaml:"installDisk,omitempty" jsonschema:"oneof_required=installDiskSelector,description=The disk used for installation"` + InstallDiskSelector *v1alpha1.InstallDiskSelector 
`yaml:"installDiskSelector,omitempty" jsonschema:"oneof_required=installDisk,description=Look up disk used for installation"` + IgnoreHostname bool `yaml:"ignoreHostname" jsonschema:"description=Whether to set \"machine.network.hostname\" to the generated config file"` + OverridePatches bool `yaml:"overridePatches,omitempty" jsonschema:"description=Whether \"patches\" defined here should override the one defined in node group"` + OverrideExtraManifests bool `yaml:"overrideExtraManifests,omitempty" jsonschema:"description=Whether \"extraManifests\" defined here should override the one defined in node group"` + OverrideMachineCertSANs bool `yaml:"overrideMachineCertSANs,omitempty" jsonschema:"description=Whether \"certSANs\" defined here should override the one defined in node group"` + NodeConfigs `yaml:",inline" jsonschema:"description=Node specific configurations that will override node group configurations"` } type NodeConfigs struct { @@ -53,6 +54,7 @@ type NodeConfigs struct { Nameservers []string `yaml:"nameservers,omitempty" jsonschema:"description=List of nameservers for the node"` NetworkInterfaces []*v1alpha1.Device `yaml:"networkInterfaces,omitempty" jsonschema:"description=List of network interface configuration for the node"` ExtraManifests []string `yaml:"extraManifests,omitempty" jsonschema:"description=List of manifest files to be added to the node"` + CertSANs []string `yaml:"certSANs,omitempty" jsonschema:"description=Additional certificate SANs to add to the machine certificate"` Patches []string `yaml:"patches,omitempty" jsonschema:"description=Patches to be applied to the node"` TalosImageURL string `yaml:"talosImageURL" jsonschema:"example=factory.talos.dev/installer/e9c7ef96884d4fbc8c0a1304ccca4bb0287d766a8b4125997cb9dbe84262144e,description=Talos installer image url for the node"` NoSchematicValidate bool `yaml:"noSchematicValidate" jsonschema:"description=Whether to skip schematic validation"` 
diff --git a/pkg/config/loader_test.go b/pkg/config/loader_test.go index 404118ea..b25b990f 100644 --- a/pkg/config/loader_test.go +++ b/pkg/config/loader_test.go @@ -20,6 +20,7 @@ func TestLoadAndValidateFromFile(t *testing.T) { ControlPlane: true, InstallDisk: "/dev/sda", NodeConfigs: NodeConfigs{ + CertSANs: []string{"example.net", "example.com"}, Schematic: &schematic.Schematic{ Customization: schematic.Customization{ SystemExtensions: schematic.SystemExtensions{ diff --git a/pkg/config/nodeconfigs.go b/pkg/config/nodeconfigs.go index 0fa01f8d..efb3a6c2 100644 --- a/pkg/config/nodeconfigs.go +++ b/pkg/config/nodeconfigs.go @@ -5,12 +5,12 @@ import ( ) func (node *Node) OverrideGlobalCfg(cfg NodeConfigs) *Node { - node.NodeConfigs = mergeNodeConfigs(node.NodeConfigs, cfg, node.OverridePatches, node.OverrideExtraManifests) + node.NodeConfigs = mergeNodeConfigs(node.NodeConfigs, cfg, node.OverridePatches, node.OverrideExtraManifests, node.OverrideMachineCertSANs) return node } -func mergeNodeConfigs(patch, src NodeConfigs, overridePatches, overrideExtraManifest bool) NodeConfigs { +func mergeNodeConfigs(patch, src NodeConfigs, overridePatches, overrideExtraManifest, overrideMachineCertSANs bool) NodeConfigs { if len(src.Patches) > 0 && !overridePatches { // global patches should get applied first // https://github.com/budimanjojo/talhelper/issues/388 
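Review bot: `mergeNodeConfigs` now takes three positional bools (`overridePatches, overrideExtraManifest, overrideMachineCertSANs`), which makes the call site in `OverrideGlobalCfg` easy to get wrong silently since swapping two arguments still compiles and the test fixture added in loader_test.go only exercises the append path. Since the only caller already holds the `*Node`, a smaller signature such as `func mergeNodeConfigs(patch, src NodeConfigs, overrides Node) NodeConfigs` (reading `overrides.OverridePatches` etc. inside) or a dedicated `mergeOverrides` struct would keep each flag tied to its name; if the signature stays, a doc comment naming what each bool suppresses would help, e.g. `// mergeNodeConfigs appends src's Patches, ExtraManifests and CertSANs to patch unless the matching override flag is set, then fills remaining fields from src.` The body of `mergeNodeConfigs` continues past this hunk, so the second half of that sentence is inferred from the visible branches and should be confirmed against the reflection loop.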
@@ -19,13 +19,16 @@ func mergeNodeConfigs(patch, src NodeConfigs, overridePatches, overrideExtraMani if len(src.ExtraManifests) > 0 && !overrideExtraManifest { patch.ExtraManifests = append(patch.ExtraManifests, src.ExtraManifests...) } + if len(src.CertSANs) > 0 && !overrideMachineCertSANs { + patch.CertSANs = append(patch.CertSANs, src.CertSANs...) + } patchValue := reflect.ValueOf(patch) srcValue := reflect.ValueOf(src) result := reflect.New(patchValue.Type()).Elem() - for i := 0; i < patchValue.NumField(); i++ { + for i := range patchValue.NumField() { patchField := patchValue.Field(i) srcField := srcValue.Field(i) diff --git a/pkg/config/testdata/talconfig.yaml b/pkg/config/testdata/talconfig.yaml index 21f62f85..ec37ae50 100644 --- a/pkg/config/testdata/talconfig.yaml +++ b/pkg/config/testdata/talconfig.yaml @@ -1,9 +1,12 @@ ---- clusterName: test-cluster endpoint: https://192.168.200.10:6443 +additionalMachineCertSans: + - example.org nodes: - hostname: ${HOSTNAME1} ipAddress: ${IP1} + certSANs: + - example.net installDisk: /dev/sda controlPlane: true schematic: @@ -16,6 +19,8 @@ nodes: installDisk: /dev/sda controlPlane: false controlPlane: + certSANs: + - example.com disableSearchDomain: true schematic: customization: diff --git a/pkg/talos/nodeconfig.go b/pkg/talos/nodeconfig.go index ed451b57..2afa1aa1 100644 --- a/pkg/talos/nodeconfig.go +++ b/pkg/talos/nodeconfig.go @@ -133,6 +133,11 @@ func applyNodeOverride(node *config.Node, cfg taloscfg.Provider) taloscfg.Provid cfg.RawV1Alpha1().MachineConfig.MachineInstall.InstallExtraKernelArgs = append(cfg.RawV1Alpha1().MachineConfig.MachineInstall.InstallExtraKernelArgs, node.Schematic.Customization.ExtraKernelArgs...) } + if len(node.CertSANs) > 0 { + slog.Debug("appending extra machine certificate SANs") + cfg.RawV1Alpha1().MachineConfig.MachineCertSANs = append(cfg.RawV1Alpha1().MachineConfig.MachineCertSANs, node.CertSANs...) + } + return cfg }
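Review bot: `for i := range patchValue.NumField()` ranges over an int, which compiles only if go.mod declares `go 1.22` or later; go.mod is not part of this diff, so either confirm the language version or keep `for i := 0; i < patchValue.NumField(); i++` to avoid a build break on older toolchains. The new `certSANs` branch mirrors the patches/extraManifests ones, but what happens when `overrideMachineCertSANs` is true and the node declares no `certSANs` depends on how the reflection loop below treats zero-valued fields (its body is outside this hunk), so a short comment on the branch stating the intended outcome would save the next reader a trip, e.g. `// override suppresses the append only; whether an empty node list still inherits the group's list is decided by the field copy below — confirm`. `mergeNodeConfigs` begins in the previous hunk and ends after this one.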
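Review bot: The append into `MachineCertSANs` does not validate or de-duplicate the entries, and SANs decide which names the machine's certificate vouches for, so a mistyped or over-broad entry from a node group ends up on the certificate with only a debug log line to show for it. If the deprecated global `additionalMachineCertSans` is still applied to the same list elsewhere (not visible here), the same SAN can now appear twice; an order-preserving de-dupe (a small seen-set loop, or `slices.Contains` before each append) keeps the list stable. Consider also rejecting entries that are neither a parsable IP (`net.ParseIP`) nor a plausible DNS name at config-validation time rather than relying on Talos to catch them. `applyNodeOverride` starts before this hunk, and the `slog` import is assumed to already exist in the file.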