diff --git a/roles/step_ca/README.md b/roles/step_ca/README.md
index 4001c6cd..273f7653 100644
--- a/roles/step_ca/README.md
+++ b/roles/step_ca/README.md
@@ -117,7 +117,8 @@ See the [step docs](https://smallstep.com/docs/step-cli/reference/ca/init) for m
 ##### `step_ca_dns`
 - The comma separated DNS names or IP addresses of the new CA
-- Default: `{{ ansible_fqdn}},{{ ansible_default_ipv4.address }}`
+- Includes the hosts FQDN and main IPv4/6 addresses by default, if present
+- Default: `"{{ ansible_fqdn }},{{ ansible_default_ipv4.address | d('') }},{{ ansible_default_ipv6.address | d('') }}"`
 ##### `step_ca_address`
 - The address that the new CA will listen at
diff --git a/roles/step_ca/defaults/main.yml b/roles/step_ca/defaults/main.yml
index f0bbf46c..b6e34255 100644
--- a/roles/step_ca/defaults/main.yml
+++ b/roles/step_ca/defaults/main.yml
@@ -9,7 +9,8 @@ step_ca_path: /etc/step-ca
 #step_ca_name:
 #step_ca_root_password:
 #step_ca_intermediate_password:
-step_ca_dns: "{{ ansible_fqdn }},{{ ansible_default_ipv4.address }}"
+# step-ca init skips empty entries, so this works
+step_ca_dns: "{{ ansible_fqdn }},{{ ansible_default_ipv4.address | d('') }},{{ ansible_default_ipv6.address | d('') }}"
 step_ca_address: ":443"
 #step_ca_existing_root:
diff --git a/roles/step_ca/meta/argument_specs.yml b/roles/step_ca/meta/argument_specs.yml
index f6695dc6..a1a97bcc 100644
--- a/roles/step_ca/meta/argument_specs.yml
+++ b/roles/step_ca/meta/argument_specs.yml
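Review bot: The new `step_ca_dns` default in roles/step_ca/defaults/main.yml renders empty list entries (a `,,` or a trailing comma) whenever one of the `d('')` fallbacks fires. Its correctness then rests on the added comment's claim that step-ca init skips empty entries, which nothing in this change verifies or pins to a tool version. Filtering the empty items before joining removes that dependency: `step_ca_dns: "{{ [ansible_fqdn, ansible_default_ipv4.address | d(''), ansible_default_ipv6.address | d('')] | select | join(',') }}"`. The same expression is repeated in the README and in meta/argument_specs.yml, so those copies would need the same change to stay in sync.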
@@ -101,8 +101,10 @@ argument_specs:
 - If unset, uses the root password will be used as the intermediate password
 step_ca_dns:
 type: str
- default: "{{ ansible_fqdn}},{{ ansible_default_ipv4.address }}"
- description: The comma separated DNS names or IP addresses of the new CA
+ default: "{{ ansible_fqdn }},{{ ansible_default_ipv4.address | d('') }},{{ ansible_default_ipv6.address | d('') }}"
+ description:
+ - The comma separated DNS names or IP addresses of the new CA
+ - Includes the hosts FQDN and main IPv4/6 addresses by default, if present
 step_ca_address:
 type: str
 default: :443
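Review bot: The new `step_ca_dns` description does not say that two of the three default entries are now auto-detected from gathered host facts, nor what the operator should do when those are not the addresses clients use. These values are handed to step ca init and presumably become the names the CA is reachable and verifiable under, so I would add a third item such as `- Set this explicitly if the CA is reached under a different name or if the detected addresses are not stable`. Separately, `hosts FQDN` should read `host's FQDN`, here and in the README hunk.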