diff --git a/CHANGELOG.md b/CHANGELOG.md index 8accfa8b..96ba2577 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,7 @@ All notable changes to this project will be documented in this file. ### Changed - Default to OCI for image metadata ([#544]). +- [BREAKING] When using a fully qualified domain name, only the variant without the trailing dot is added to the SANs. This should only improve the behavior in scenarios where FQDNs are used and not affect anything else ([#564]). ### Fixed @@ -29,6 +30,7 @@ All notable changes to this project will be documented in this file. [#548]: https://github.com/stackabletech/secret-operator/pull/548 [#552]: https://github.com/stackabletech/secret-operator/pull/552 [#563]: https://github.com/stackabletech/secret-operator/pull/563 +[#564]: https://github.com/stackabletech/secret-operator/pull/564 ## [24.11.1] - 2025-01-10 diff --git a/docs/modules/secret-operator/pages/scope.adoc b/docs/modules/secret-operator/pages/scope.adoc index 70ff91f0..e1d75380 100644 --- a/docs/modules/secret-operator/pages/scope.adoc +++ b/docs/modules/secret-operator/pages/scope.adoc @@ -59,5 +59,5 @@ For example, a TLS certificate provisioned by the xref:secretclass.adoc#backend- xref:#node[] and xref:#pod[] would contain the following values in its `subjectAlternateName` (SAN) extension field: * The node's IP address -* The node's fully qualified domain name (`my-node.example.com`) -* The pod's fully qualified domain name (`my-pod.my-service.my-namespace.svc.cluster.local`) +* The node's fully qualified domain name (`my-node.example.com`, without a trailing dot) +* The pod's fully qualified domain name (`my-pod.my-service.my-namespace.svc.cluster.local`, without a trailing dot) diff --git a/rust/operator-binary/src/backend/tls/mod.rs b/rust/operator-binary/src/backend/tls/mod.rs index f479c09f..9ca2bc72 100644 --- a/rust/operator-binary/src/backend/tls/mod.rs +++ b/rust/operator-binary/src/backend/tls/mod.rs 
@@ -252,6 +252,14 @@ impl SecretBackend for TlsGenerate { .context(ScopeAddressesSnafu { scope })?, ); } + for address in &mut addresses { + if let Address::Dns(dns) = address { + // Turn FQDNs into bare domain names by removing the trailing dot + if dns.ends_with('.') { + dns.pop(); + } + } + } let ca = self .ca_manager .find_certificate_authority_for_signing(not_after)
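Review bot: the CHANGELOG entry is tagged `[BREAKING]` but then says the change "should only improve the behavior ... and not affect anything else", which tells an operator nothing about what actually breaks. State the concrete effect (the SAN variant with the trailing dot is no longer present in issued certificates, so any consumer that pins or matches against the dotted form must be adjusted) and drop the reassurance, or drop the `[BREAKING]` label if no consumer can observe the difference.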
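Review bot: in scope.adoc the two bullets still show the same example values as before and only append "without a trailing dot", so a reader cannot tell that a second, dotted SAN entry used to be emitted and has been removed. A short sentence after the list saying that FQDNs passed with a trailing dot are normalized to the bare form before being added to the SANs (and that the dotted form is not added) would make the documented behavior match the code change.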
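Review bot: in the tls/mod.rs hunk the loop strips the trailing dot in place but never deduplicates, so if `addresses` already holds both `my-node.example.com.` and `my-node.example.com` (which the CHANGELOG wording "only the variant without the trailing dot" implies was possible) the certificate ends up with the same DNS SAN twice; add `addresses.sort(); addresses.dedup();` after the loop (or collect into a set) unless `Address` is known to be deduplicated elsewhere. The `if dns.ends_with('.')` check also turns a bare `.` into an empty name; guard with `dns.len() > 1` (or skip and log such entries) before calling `dns.pop()`, and consider doing this normalization where the `Address::Dns` values are built rather than as a post-pass over the whole list.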