diff --git a/release_notes/ocp-4-10-release-notes.adoc b/release_notes/ocp-4-10-release-notes.adoc index b40e45efb46c..70e5b89d2a18 100644 --- a/release_notes/ocp-4-10-release-notes.adoc +++ b/release_notes/ocp-4-10-release-notes.adoc @@ -400,6 +400,19 @@ Users also have the option to use the `REGISTRY_AUTH_FILE` environment variable, // Note: use [discrete] for these sub-headings. +[discrete] +[id="ocp-4-10-TLS-subject-alternative-names-required"] +==== TLS X.509 certificates must have a Subject Alternative Name + +X.509 certificates must have a properly set the Subject Alternative Name field. +If you update your cluster without this, you risk breaking your cluster or rendering it inaccessible. + +In older versions of {product-title}, X.509 certificates worked without a Subject Alternative Name, so long as the Common Name field was set. +link:https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-tls-common-name[This behavior was removed in {product-title} 4.6]. + +In some cases, certificates without a Subject Alternative Name continued to work in {product-title} 4.6, 4.7, 4.8, and 4.9. +Because it uses Kubernetes 1.23, {product-title} 4.10 does not allow this under any circumstances. + [discrete] [id="ocp-4-10-cluster-cloud-controller-manager-operator"] ==== Cloud controller managers for additional cloud providers
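Review bot: The first added sentence under the new "TLS X.509 certificates must have a Subject Alternative Name" heading is ungrammatical ("must have a properly set the Subject Alternative Name field"), and the warning that follows it gives the reader no way to act before updating. Suggest "X.509 certificates must have a properly set Subject Alternative Name field." In the next sentence, "without this" has no clear referent. Something like "If you update your cluster while any certificate in use lacks a Subject Alternative Name, you risk breaking your cluster or rendering it inaccessible" says which condition is dangerous. Since the text states that 4.10 "does not allow this under any circumstances", it would help to add a step or a link telling administrators to inspect their certificates for a SAN entry (for example with `openssl x509 -noout -text`) and reissue any that rely only on the Common Name before they start the update. Also, the new id mixes case (`ocp-4-10-TLS-subject-alternative-names-required`) while the neighbouring id in the trailing context and the 4.6 anchor linked from this hunk are all lowercase. Consider lowercasing `TLS` for consistency.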