diff --git a/src/ZB.MOM.WW.MxGateway.Server/Security/Tls/SelfSignedCertificateProvider.cs b/src/ZB.MOM.WW.MxGateway.Server/Security/Tls/SelfSignedCertificateProvider.cs
index 9fa8640..17b33cb 100644
--- a/src/ZB.MOM.WW.MxGateway.Server/Security/Tls/SelfSignedCertificateProvider.cs
+++ b/src/ZB.MOM.WW.MxGateway.Server/Security/Tls/SelfSignedCertificateProvider.cs
@@ -1,4 +1,5 @@
 using System.Net;
+using System.Net.Sockets;
 using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
 using Microsoft.Extensions.Logging;
@@ -55,6 +56,21 @@ public sealed class SelfSignedCertificateProvider
 san.AddDnsName(machine);
 }
 
+ // Best-effort: add the machine FQDN when it differs from the short name and "localhost".
+ // GetHostEntry may fail if DNS is unavailable; skip silently in that case.
+ try
+ {
+ string fqdn = Dns.GetHostEntry(machine).HostName;
+ if (!string.IsNullOrWhiteSpace(fqdn)
+ && !fqdn.Equals("localhost", StringComparison.OrdinalIgnoreCase)
+ && !fqdn.Equals(machine, StringComparison.OrdinalIgnoreCase))
+ {
+ san.AddDnsName(fqdn);
+ }
+ }
+ catch (SocketException) { /* DNS not resolvable — FQDN SAN is optional */ }
+ catch (ArgumentException) { /* invalid host name — skip */ }
+
 foreach (string extra in _options.AdditionalDnsNames)
 {
 if (!string.IsNullOrWhiteSpace(extra))
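Review bot: The FQDN added to the SAN in the new `try` block comes from a resolver answer (`Dns.GetHostEntry(machine).HostName`) rather than from local configuration, so whatever the resolver returns for the short name is written into the certificate with no check beyond the `localhost`/`machine` comparison. If clients are ever told to trust this certificate, a wrong or spoofed answer at generation time makes it valid for a name the host does not own; deriving the suffix locally avoids the lookup, e.g. `string domain = IPGlobalProperties.GetIPGlobalProperties().DomainName;` and adding `$"{machine}.{domain}"` only when `domain` is non-empty. Both `catch` blocks are also silent, so an operator cannot tell from the logs whether the FQDN was added or skipped; a debug-level message carrying the exception, plus an informational message listing the final SAN names, would make the certificate's contents auditable. The enclosing method starts and ends outside this hunk, so whether `machine` can be empty at this point (in which case `GetHostEntry` resolves the local host) should be confirmed against the guard above.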