diff --git a/pkg/server/cert/syncer.go b/pkg/server/cert/syncer.go
index 65019789b8..15264c5180 100644
--- a/pkg/server/cert/syncer.go
+++ b/pkg/server/cert/syncer.go
@@ -9,9 +9,9 @@ import (
 	"sync"
 	"time"
 
-	"github.com/loft-sh/vcluster/pkg/config"
 	"github.com/loft-sh/vcluster/pkg/constants"
 	"github.com/loft-sh/vcluster/pkg/controllers/resources/nodes/nodeservice"
+	"github.com/loft-sh/vcluster/pkg/syncer/synccontext"
 	"github.com/loft-sh/vcluster/pkg/util/translate"
 	corev1 "k8s.io/api/core/v1"
 	kerrors "k8s.io/apimachinery/pkg/api/errors"
@@ -33,27 +33,31 @@ type Syncer interface {
 	dynamiccertificates.CertKeyContentProvider
 }
 
-func NewSyncer(_ context.Context, currentNamespace string, currentNamespaceClient client.Client, options *config.VirtualClusterConfig) (Syncer, error) {
+func NewSyncer(ctx *synccontext.ControllerContext) (Syncer, error) {
 	return &syncer{
-		clusterDomain: options.Networking.Advanced.ClusterDomain,
+		clusterDomain: ctx.Config.Networking.Advanced.ClusterDomain,
 
-		serverCaKey: options.VirtualClusterKubeConfig().ServerCAKey,
-		serverCaCert: options.VirtualClusterKubeConfig().ServerCACert,
+		ingressHost: ctx.Config.ControlPlane.Ingress.Host,
 
-		fakeKubeletIPs: options.Networking.Advanced.ProxyKubelets.ByIP,
+		serverCaKey: ctx.Config.VirtualClusterKubeConfig().ServerCAKey,
+		serverCaCert: ctx.Config.VirtualClusterKubeConfig().ServerCACert,
 
-		addSANs: options.ControlPlane.Proxy.ExtraSANs,
+		fakeKubeletIPs: ctx.Config.Networking.Advanced.ProxyKubelets.ByIP,
+
+		addSANs: ctx.Config.ControlPlane.Proxy.ExtraSANs,
 
 		listeners: []dynamiccertificates.Listener{},
 
-		serviceName: options.WorkloadService,
-		currentNamespace: currentNamespace,
-		currentNamespaceCient: currentNamespaceClient,
+		serviceName: ctx.Config.WorkloadService,
+		currentNamespace: ctx.Config.WorkloadNamespace,
+		currentNamespaceCient: ctx.WorkloadNamespaceClient,
 	}, nil
 }
 
 type syncer struct {
 	clusterDomain string
+	ingressHost string
+
 	serverCaCert string
 	serverCaKey string
 
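Review bot: `ingressHost: ctx.Config.ControlPlane.Ingress.Host` is copied unconditionally, so the host ends up as a DNS SAN on the serving certificate (the append in the getSANs hunk below) whether or not the ingress is actually in use; a placeholder or stale host left in the config while the ingress is off would then be certified by every server certificate, and any later edit to it forces a certificate regeneration. Consider gating it on the ingress being enabled, e.g. `ingressHost := ""` / `if ctx.Config.ControlPlane.Ingress.Enabled { ingressHost = ctx.Config.ControlPlane.Ingress.Host }` computed before the literal — assuming the config exposes such a flag, which this hunk does not show. The new field also deserves a comment in `type syncer struct`, e.g. `// ingressHost, when non-empty, is added as a DNS SAN to the serving certificate.`; the rest of the struct is outside the hunk.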
@@ -187,6 +191,11 @@ func (s *syncer) getSANs(ctx context.Context) ([]string, error) {
 		}
 	}
 
+	// ingress host
+	if s.ingressHost != "" {
+		retSANs = append(retSANs, s.ingressHost)
+	}
+
 	// make sure other sans are there as well
 	retSANs = append(retSANs, s.addSANs...)
 	sort.Strings(retSANs)
diff --git a/pkg/server/server.go b/pkg/server/server.go
index 32f6c54902..ea89f2fde6 100644
--- a/pkg/server/server.go
+++ b/pkg/server/server.go
@@ -90,7 +90,7 @@ func NewServer(ctx *synccontext.ControllerContext, requestHeaderCaFile, clientCa
 	uncachedVirtualClient = pluginhookclient.WrapVirtualClient(uncachedVirtualClient)
 	uncachedLocalClient = pluginhookclient.WrapPhysicalClient(uncachedLocalClient)
 
-	certSyncer, err := cert.NewSyncer(ctx, ctx.Config.WorkloadNamespace, ctx.WorkloadNamespaceClient, ctx.Config)
+	certSyncer, err := cert.NewSyncer(ctx)
 	if err != nil {
 		return nil, errors.Wrap(err, "create cert syncer")
 	}
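Review bot: The ingress host is appended verbatim and never deduplicated against `s.addSANs`; `sort.Strings(retSANs)` keeps duplicates, so a host that is also listed under the extra SANs appears twice in the SAN set, which at minimum makes any later comparison against the existing certificate's SANs noisier. Adding `retSANs = slices.Compact(retSANs)` right after the sort drops the adjacent duplicates (needs the stdlib `slices` import, Go 1.21+). The value is also not checked for being a bare host name — a scheme, port or path in the config value would become a malformed DNS SAN — so either validate it here or confirm the config loader already does; I cannot see that from this hunk. getSANs begins and ends outside the hunk.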