diff --git a/package-lock.json b/package-lock.json
index f92121d..1796e82 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "azure-acme-provisioner",
-  "version": "0.4.3",
+  "version": "0.4.4",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "azure-acme-provisioner",
-      "version": "0.4.3",
+      "version": "0.4.4",
       "license": "MIT",
       "dependencies": {
         "@azure/arm-authorization": "^9.0.0",
diff --git a/package.json b/package.json
index ba37666..f77cfd0 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "azure-acme-provisioner",
-  "version": "0.4.3",
+  "version": "0.4.4",
   "author": {
     "name": "Sławomir Koszewski",
     "url": "https://github.com/skoszewski"
diff --git a/src/cli.ts b/src/cli.ts
index 75d140e..233144a 100644
--- a/src/cli.ts
+++ b/src/cli.ts
@@ -134,12 +134,12 @@ sharedOptions(
 
 sharedOptions(
   program
-    .command('assign-role <domain>')
+    .command('assign-role <fqdn>')
     .description('Assign Key Vault Certificate User and Secrets User roles to a principal for a domain certificate')
     .requiredOption('--principal-id <id>', 'Azure principal ID to assign roles to')
     .requiredOption('--principal-type <type>', 'Principal type: User | Group | ServicePrincipal (use ServicePrincipal for managed identities)')
     .option('--dry-run', 'Show what would be assigned without making changes')
-).action(async (domain: string, options: Record<string, unknown>) => {
+).action(async (fqdn: string, options: Record<string, unknown>) => {
   applyOverrides(options);
   const config = loadConfig();
   if (!config.subscriptionId) throw new Error('--subscription-id is required');
@@ -151,7 +151,7 @@ sharedOptions(
   const principalId = String(options['principalId']);
   const principalType = String(options['principalType']) as 'User' | 'Group' | 'ServicePrincipal';
   const vaultName = new URL(config.keyVaultUrl).hostname.split('.')[0];
-  const certName = domainToCertName(domain);
+  const certName = domainToCertName(fqdn);
   const vaultBase = `/subscriptions/${sub}/resourceGroups/${kvRg}/providers/Microsoft.KeyVault/vaults/${vaultName}`;
   const credential = new DefaultAzureCredential();
   const authClient = new AuthorizationManagementClient(credential, sub);