diff --git a/docs/op/ch_apiserver_cert.md b/docs/op/ch_apiserver_cert.md index d0baf75..d7ac6d2 100644 --- a/docs/op/ch_apiserver_cert.md +++ b/docs/op/ch_apiserver_cert.md @@ -8,7 +8,9 @@ {% if groups['ex_lb']|length > 0 %} "{{ hostvars[groups['ex_lb'][0]]['EX_APISERVER_VIP'] }}", {% endif %} - "{{ inventory_hostname }}", +{% for host in groups['kube_master'] %} + "{{ host }}", +{% endfor %} "{{ CLUSTER_KUBERNETES_SVC_IP }}", {% for host in MASTER_CERT_HOSTS %} "{{ host }}", @@ -23,21 +25,18 @@ 有的时候(比如apiserver地址通过边界防火墙的NAT转换成公网IP访问,或者需要添加公网域名访问)我们需要在 APISERVER(MASTER)证书中添加一些`域名`或者`IP`,可以方便操作如下: -## 1.修改配置文件`roles/kube-master/defaults/main.yml` +## 1.修改配置文件`/etc/kubeasz/clusters/${集群名}/config.yaml` ``` bash # k8s 集群 master 节点证书配置,可以添加多个ip和域名(比如增加公网ip和域名) MASTER_CERT_HOSTS: - "10.1.1.1" - "k8s.test.io" - #- "61.182.11.41" #- "www.test.com" ``` -## 2.执行新证书生成即可 +## 2.执行新证书生成并重启apiserver ``` bash -$ ansible-playbook 04.kube-master.yml -t change_cert -# 新证书生效需要重启kube-apiserver.service -$ ansible-playbook 04.kube-master.yml -t restart_master +$ ezctl setup ${集群名} 04 -t change_cert,restart_master ``` diff --git a/ezctl b/ezctl index 08714b7..cd99f40 100755 --- a/ezctl +++ b/ezctl @@ -124,6 +124,7 @@ available steps: examples: ./ezctl setup test-k8s 01 (or ./ezctl setup test-k8s prepare) ./ezctl setup test-k8s 02 (or ./ezctl setup test-k8s etcd) ./ezctl setup test-k8s all + ./ezctl setup test-k8s 04 -t restart_master EOF } @@ -186,6 +187,9 @@ function setup() { [[ -d "clusters/$1" ]] || { logger error "invalid config, run 'ezctl new $1' first"; return 1; } [[ -f "bin/kube-apiserver" ]] || { logger error "no binaries founded, run 'ezdown -D' fist"; return 1; } + # for extending usage + EXTRA_ARGS=$(echo "$*"|sed "s/$1 $2//g"|sed "s/^ *//g") + PLAY_BOOK="dummy.yml" case "$2" in (01|prepare) 
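Review bot: The `EXTRA_ARGS` line added in `setup()` (ezctl, hunk at -186) builds the pass-through options by interpolating `$1` and `$2` into a sed pattern, so the cluster name is treated as a regular expression, and the `g` flag deletes every occurrence of that text rather than only the leading one. A name containing `.`, `*` or `/` would match more than intended or break the sed expression, and flattening through `$*` discards the caller's quoting, so `-e 'k=a b'` can no longer be told apart from two separate words. Taking the remaining parameters positionally avoids both problems: `local -a extra_args=("${@:3}")`. The body of setup() continues outside this hunk.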
@@ -224,10 +228,13 @@ function setup() { ;; esac + COMMAND="ansible-playbook -i clusters/$1/hosts -e @clusters/$1/config.yml $EXTRA_ARGS playbooks/$PLAY_BOOK" + echo "$COMMAND" + logger info "cluster:$1 setup step:$2 begins in 5s, press any key to abort:\n" ! (read -r -t5 -n1) || { logger warn "setup abort"; return 1; } - ansible-playbook -i "clusters/$1/hosts" -e "@clusters/$1/config.yml" "playbooks/$PLAY_BOOK" || return 1 + ${COMMAND} || return 1 } function cmd() { @@ -580,7 +587,7 @@ function main() { new "$2" ;; (setup) - [ "$#" -eq 3 ] || { usage-setup >&2; exit 2; } + [ "$#" -ge 3 ] || { usage-setup >&2; exit 2; } setup "${@:2}" ;; (start)
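Review bot: `${COMMAND} || return 1` runs a flattened string through unquoted expansion, so the inventory and config paths that the removed line passed as quoted arguments are now subject to word splitting and pathname expansion, along with everything in `$EXTRA_ARGS`. Because the last hunk relaxes the argument check to `-ge 3`, any trailing user-supplied words reach ansible-playbook this way, and a value containing spaces or glob characters is split or expanded before ansible sees it. Build the command as an array instead: `local -a cmd=(ansible-playbook -i "clusters/$1/hosts" -e "@clusters/$1/config.yml" "${@:3}" "playbooks/$PLAY_BOOK")`, print it with `printf '%q ' "${cmd[@]}"`, and run `"${cmd[@]}" || return 1`. Also, `echo "$COMMAND"` writes any `-e key=value` extra vars to the terminal, which matters if operators pass secrets that way. setup() starts outside this hunk.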