diff --git a/cmd/kops-controller/pkg/server/server.go b/cmd/kops-controller/pkg/server/server.go
index db6f91f336..21d9c1d2c6 100644
--- a/cmd/kops-controller/pkg/server/server.go
+++ b/cmd/kops-controller/pkg/server/server.go
@@ -179,6 +179,7 @@ func (s *Server) issueCert(name string, pubKey string, id *fi.VerifyResult, vali
 issueReq.Subject = pkix.Name{
 CommonName: id.NodeName,
 }
+ issueReq.AlternateNames = []string{id.NodeName}
 issueReq.Type = "server"
 case "kube-proxy":
 issueReq.Subject = pkix.Name{
diff --git a/nodeup/pkg/model/kubelet.go b/nodeup/pkg/model/kubelet.go
index e9a3990fc3..caad3c40c4 100644
--- a/nodeup/pkg/model/kubelet.go
+++ b/nodeup/pkg/model/kubelet.go
@@ -233,8 +233,8 @@ func (b *KubeletBuilder) buildSystemdEnvironmentFile(kubeletConfig *kops.Kubelet
 }
 if b.UseKopsControllerForNodeBootstrap() {
- flags += " --tls-cert-file " + b.PathSrvKubernetes() + "/kubelet-server.crt"
- flags += " --tls-private-key-file " + b.PathSrvKubernetes() + "/kubelet-server.key"
+ flags += " --tls-cert-file=" + b.PathSrvKubernetes() + "/kubelet-server.crt"
+ flags += " --tls-private-key-file=" + b.PathSrvKubernetes() + "/kubelet-server.key"
 }
 sysconfig := "DAEMON_ARGS=\"" + flags + "\"\n"
@@ -587,6 +587,7 @@ func (b *KubeletBuilder) buildKubeletServingCertificate(c *fi.ModelBuilderContex
 Subject: nodetasks.PKIXName{
 CommonName: nodeName,
 },
+ AlternateNames: []string{nodeName},
 }
 c.AddTask(issueCert)
 return issueCert.AddFileTasks(c, dir, name, "", nil)
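Review bot: The SAN added by `issueReq.AlternateNames = []string{id.NodeName}` covers only the node name, so a client that verifies the kubelet serving certificate while dialing the node by IP address would still fail hostname verification; the same holds for `AlternateNames: []string{nodeName}` in buildKubeletServingCertificate in kubelet.go. Whether the API server addresses kubelets by name or by IP is not visible in this diff, so this should be confirmed, and any additional names or addresses should come from the verified identity rather than from the request. It would also help to record why the field exists, for example `// SAN is required: Go's x509 verifier no longer falls back to CommonName.` above the new line. issueCert starts and ends outside the hunk, so the handling of an empty id.NodeName could not be checked here.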
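Review bot: The certificate and key paths in the two new `flags +=` lines are assembled by string concatenation with the hard-coded base name `kubelet-server`, while buildKubeletServingCertificate writes the files through `issueCert.AddFileTasks(c, dir, name, "", nil)`; nothing visible ties the two together. If `dir` or `name` there ever changes, the kubelet would be pointed at a certificate and private key that do not exist. Consider deriving both sites from one shared constant and building the path with `filepath.Join(b.PathSrvKubernetes(), "kubelet-server.crt")`, assuming path/filepath is already imported in this file. buildSystemdEnvironmentFile starts and ends outside the hunk.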