diff --git a/code/manifests/init.pp b/code/manifests/init.pp
index cb5018695259d7f7e1b43b559f60e44ea1793bbf..11b775749299a718513e4cc5b0f1bb290a8e03a3 100644
--- a/code/manifests/init.pp
+++ b/code/manifests/init.pp
@@ -33,6 +33,7 @@
 # @param oracle_support if set to true, ensures that the oracle RPM client libraries are installed
 # @param oracle_client_version version of the oracle RPM client libraries to install
 # @param tornado_processes number of processes tornado is going to spawn if the web app is used
+# @param extra_aliases extra aliases to include as subjectAltName in the host certificate
 #
 #
 # Although some parameters (like master_cs, master_config_name, extensions*, etc) could be part of the config_args,
@@ -53,7 +54,8 @@ class dirac (String $dirac_user = 'dirac', String $dirac_group = 'dirac',
             Hash $dirac_config_args = {},
             Boolean $oracle_support = false,
             String $oracle_client_version = '12.1',
-            Numeric $tornado_processes = 4){
+            Numeric $tornado_processes = 4,
+            Array $extra_aliases = []){
 
 
   # Retrieve the fully qualified name
@@ -89,22 +91,21 @@ class dirac (String $dirac_user = 'dirac', String $dirac_group = 'dirac',
     target => '/etc/grid-security/allCAs.pem',
   }
 
-
   # Collect the DNS alias to add them to the host certificate
-  if $facts['landb_ip_aliases'] {
-    # landb_ip_aliases are not FQDN
-    $aliases = split($facts['landb_ip_aliases'], ',')
-    $diraccertifalias = join(suffix($aliases, '.cern.ch'), ',')
-  }
-  else {
-    $diraccertifalias = ''
+  $ip_aliases = $facts['landb_ip_aliases'] ? {
+    undef   => [],                                  # no fact → empty list
+    default => split($facts['landb_ip_aliases'], ','),  # comma-separated
   }
+  $fqdn_ip_aliases = suffix($ip_aliases, '.cern.ch')
+  $all_aliases = $fqdn_ip_aliases + $extra_aliases
+  $san_string = join($all_aliases, ',')
+
   certmgr::certificate {'dirac perm':
     hostcert      => '/opt/dirac/etc/grid-security/hostcert.pem',
     hostkey       => '/opt/dirac/etc/grid-security/hostkey.pem',
     owner         => $dirac_user,
     group         => $dirac_group,
-    san           => $diraccertifalias,
+    san           => $san_string,
     hostkey_mode  => '0400',
     hostcert_mode => '0440',
     # require       => File['/opt/dirac/etc/grid-security/hostkey.pem'],