diff --git a/ChangeLog b/ChangeLog index a989481..d4036cc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,7 @@ changes since 1.7.2 New features: - Autodetect status-server capability of servers - Minimalistic status-server + - Explicit SubjectAltName:DNS match on certificates Misc: - No longer require docbook2x tools, but include plain manpages diff --git a/radsecproxy.conf.5 b/radsecproxy.conf.5 index 706e9b6..23d4ab6 100644 --- a/radsecproxy.conf.5 +++ b/radsecproxy.conf.5 @@ -348,10 +348,11 @@ of the configured clients (in the order they are defined), to determine which this might mask clients defined later, which then will never be matched. In the case of TLS/DTLS, the name of the client must match the FQDN or IP -address in the client certificate. Note that this is not required when the -client name is an IP prefix. If overlapping clients are defined (see section -above), they will be searched for matching \fBMatchCertificateAttribute\fR, but -they must reference the same tls block. +address in the client certificate (CN or SubectAltName:DNS or SubjectAltName:IP +respectively). Note that this is not required when the client name is an IP +prefix. If overlapping clients are defined (see section above), they will be +searched for matching \fBMatchCertificateAttribute\fR, but they must reference +the same tls block. The allowed options in a client block are: 
@@ -410,11 +411,11 @@ For a TLS/DTLS client, disable the default behaviour of matching CN or SubjectAltName against the specified hostname or IP address. .RE -\fBMatchCertificateAttribute ((\fR CN \fB|\fR SubjectAltName:URI \fB) :\fR/\fIregexp\fR/\fB )\fR +\fBMatchCertificateAttribute ((\fR CN \fB|\fR SubjectAltName:URI \fB|\fR SubjectAltName:DNS \fB) :\fR/\fIregexp\fR/\fB )\fR .RS Perform additional validation of certificate attributes. Currently only matching -of CN and SubjectAltName type URI is supported. Note that currently this option -can only be specified once in a client block. +of CN and SubjectAltName type URI and DNS is supported. Note that currently this +option can only be specified once in a client block. .RE .BI "DuplicateInterval " seconds @@ -606,7 +607,7 @@ block. The details are not repeated here. Please refer to the definitions in the .br .BR "CertificateNameCheck (" on | off ) .br -\fBmatchCertificateAttribute ((\fR CN \fB|\fR SubjectAltName:URI \fB) :\fR/\fIregexp\fR/\fB )\fR +\fBmatchCertificateAttribute ((\fR CN \fB|\fR SubjectAltName:URI \fB|\fR SubjectAltName:DNS \fB) :\fR/\fIregexp\fR/\fB )\fR .br .BR "AddTTL " 1-255 .br
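Review bot: typo in the radsecproxy.conf.5 hunk at line 348: the new text reads "(CN or SubectAltName:DNS or SubjectAltName:IP respectively)"; "SubectAltName" should be "SubjectAltName", so the option name is spelled the same as in the MatchCertificateAttribute lines later in the patch. A reader grepping the manpage for the attribute name would otherwise miss this sentence.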
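Review bot: missing documentation in the hunk at line 410: the syntax line now accepts SubjectAltName:DNS, but the description only says "matching of CN and SubjectAltName type URI and DNS is supported" and does not state how the regexp is applied when a certificate carries several DNS SubjectAltName entries (whether one matching entry is sufficient, or whether the regexp is anchored). Since this option is used to restrict which certificates are accepted, stating the match semantics here avoids operators writing a regexp that is looser than intended; a small wording fix on the same sentence, "of CN and SubjectAltName types URI and DNS is supported", would also read better.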
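Review bot: style point in the hunk at line 606: the server-block summary keeps the lowercase "matchCertificateAttribute" while the client-block entry at line 410 uses "MatchCertificateAttribute". The inconsistency predates this patch, but since both lines are being rewritten to add SubjectAltName:DNS, this is the natural moment to spell the option identically in both places.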