diff --git a/confluent_server/confluent/selfservice.py b/confluent_server/confluent/selfservice.py
index 76be184e..ecda26d9 100644
--- a/confluent_server/confluent/selfservice.py
+++ b/confluent_server/confluent/selfservice.py
@@ -145,14 +145,30 @@ def handle_request(env, start_response):
 start_response('500 Unconfigured', ())
 yield 'CA is not configured on this system (run ...)'
 return
- cert = sshutil.sign_host_key(reqbody, nodename)
+ dnsinfo = cfg.get_node_attributes(nodename, ('dns.*'))
+ dnsinfo = dnsinfo.get(nodename, {}).get('dns.domain', {}).get('value',
+ None)
+ if dnsinfo in nodename:
+ dnsinfo = ''
+ cert = sshutil.sign_host_key(reqbody, nodename, [dnsinfo])
 start_response('200 OK', (('Content-Type', 'text/plain'),))
 yield cert
 elif env['PATH_INFO'] == '/self/nodelist':
 nodes = set(cfg.list_nodes())
+ domaininfo = cfg.get_node_attributes(nodes, 'dns.domain')
+ for node in list(util.natural_sort(nodes)):
+ domain = domaininfo.get(node, {}).get('dns.domain', {}).get(
+ 'value', None)
+ if domain and domain not in node:
+ nodes.add('{0}.{1}'.format(node, domain))
 for mgr in configmanager.list_collective():
 nodes.add(mgr)
- nodes.add(collective.get_myname())
+ if domain and domain not in mgr:
+ nodes.add('{0}.{1}'.format(mgr, domain))
+ myname = collective.get_myname()
+ nodes.add(myname)
+ if domain and domain not in myname:
+ nodes.add('{0}.{1}'.format(myname, domain))
 if isgeneric:
 start_response('200 OK', (('Content-Type', 'text/plain'),))
 for node in util.natural_sort(nodes):
diff --git a/confluent_server/confluent/sshutil.py b/confluent_server/confluent/sshutil.py
index efe79d7f..935b53f5 100644
--- a/confluent_server/confluent/sshutil.py
+++ b/confluent_server/confluent/sshutil.py
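Review bot: In the /self/sshcert branch, `if dnsinfo in nodename:` raises TypeError for a node that has no dns.domain attribute, because the preceding `.get('value', None)` returns None, and when the domain is already part of the name the branch passes `['']` to sign_host_key, which becomes a `nodename.` principal with a trailing dot. The principal list decides which host names the CA-signed certificate is valid for, so build it only from real values: `domains = [dnsinfo] if dnsinfo and not nodename.endswith('.' + dnsinfo) else []` and `cert = sshutil.sign_host_key(reqbody, nodename, domains)`; the same `endswith` test fits the nodelist branch, where `domain in node` also matches a domain that is merely a substring of another (`a.com` in `node.bla.com`). In the /self/nodelist branch, `domain` is left over from the last iteration of the `for node` loop (unbound if there are no nodes, so the `mgr` and `myname` checks raise UnboundLocalError), which means the collective managers are given an arbitrary node's domain; initialise `domain = None` before the loop and, presumably, look up each manager's own dns.domain the way the nodes are handled. Note also that `('dns.*')` is just the string `'dns.*'`, not a tuple; if a tuple was intended, write `('dns.*',)`. handle_request continues beyond the hunk on both sides.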
@@ -41,15 +41,19 @@ def initialize_ca():
 # newent = '@cert-authority * ' + capub.read()
-def sign_host_key(pubkey, nodename):
+def sign_host_key(pubkey, nodename, domains=()):
 tmpdir = tempfile.mkdtemp()
 try:
 pkeyname = os.path.join(tmpdir, 'hostkey.pub')
 with open(pkeyname, 'wb') as pubfile:
 pubfile.write(pubkey)
+ principals = [nodename]
+ for domain in domains:
+ principals.append('{0}.{1}'.format(nodename, domain))
+ principals = ','.join(principals)
 subprocess.check_call(
 ['ssh-keygen', '-s', '/etc/confluent/ssh/ca', '-I', nodename,
- '-n', nodename, '-h', pkeyname])
+ '-n', principals, '-h', pkeyname])
 certname = pkeyname.replace('.pub', '-cert.pub')
 with open(certname) as cert:
 return cert.read()
@@ -95,4 +99,4 @@ if __name__ == '__main__':
 initialize_root_key(True)
 if not ca_exists():
 initialize_ca()
- print(repr(sign_host_key(open('/etc/ssh/ssh_host_ed25519_key.pub').read(), collective.get_myname())))
\ No newline at end of file
+ print(repr(sign_host_key(open('/etc/ssh/ssh_host_ed25519_key.pub').read(), collective.get_myname())))
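Review bot: The new principal loop in sign_host_key appends `'{0}.{1}'.format(nodename, domain)` for every entry of `domains` without checking it, so an empty or None entry (which the selfservice caller in this same commit can pass) yields a `nodename.` or `nodename.None` principal instead of being dropped. Because the `-n` list is the set of host names the CA vouches for in the issued certificate, the loop should skip falsy entries: `for domain in domains:` / `    if domain:` / `        principals.append('{0}.{1}'.format(nodename, domain))`. A short docstring saying that `domains` is an iterable of DNS suffixes, each adding `nodename.<domain>` as an extra certificate principal alongside the bare `nodename`, would also help the next caller. The function's try block continues past the end of the hunk.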