Following the Configure OneClick for Secure Sockets Layer section in the product documentation, I'm not able to get the SAN options I set using keytool (-ext SAN) picked up by our internal CA.
I have tried reducing the number of SANs defined but this makes no difference.
Release : 20.2
Component : Spectrum Core / SpectroSERVER
The SAN extension must be passed with -ext not only when the self-signed key pair is generated, but again when the certificate request (CSR) is generated: keytool -certreq does not copy the extensions of the keystore entry into the CSR, so a CSR created without -ext carries no SAN request.
Otherwise the certificate issued by the CA will not include the Subject Alternative Names. Browsers match the server name against the SAN rather than the Common Name, so a certificate whose SAN does not list the OneClick host name (or IP address) is rejected even when the CN matches.
1. Move to $SPECROOT/Java/bin
2. run:
keytool -genkey -alias tomcatssl -keyalg RSA -keystore c:/win32app/Spectrum/custom/keystore/cacerts -ext "SAN=IP:xxx.xxx.xxx.xxx,DNS:myserver.mydomain.com"
In the above line, replace SAN=IP:xxx.xxx.xxx.xxx,DNS:myserver.mydomain.com with the SAN values that apply to your environment, for instance SAN=IP:192.168.1.140,DNS:spectrum104. The DNS entry must be the name users type into the browser (use the fully qualified name if that is what they use) and the IP entry must be the literal address of the OneClick server.
3. To confirm the SAN was added, run:
keytool -list -v -keystore c:/win32app/Spectrum/custom/keystore/cacerts > C:\keystorelist.txt
In C:\keystorelist.txt the tomcatssl entry should show the extension:
...
Alias name: tomcatssl
Creation date: May 28, 2021
...
Extensions:
#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
IPAddress: 192.168.1.140
DNSName: spectrum104
]
...
4. Then create the certificate request, passing the same -ext SAN again (keytool does not take it from the keystore entry):
keytool -certreq -alias tomcatssl -keystore c:/win32app/Spectrum/custom/keystore/cacerts -ext "SAN=IP:xxx.xxx.xxx.xxx,DNS:myserver.mydomain.com" -file C:\cert-req.csr
In the above line, replace SAN=IP:xxx.xxx.xxx.xxx,DNS:myserver.mydomain.com with exactly the same SAN values you used in step 2, for instance SAN=IP:192.168.1.140,DNS:spectrum104.
5. Check that the CSR includes the SAN extension before sending it to the CA:
openssl req -in C:\cert-req.csr -noout -text
Linux distributions normally ship openssl or provide it in their repositories. On Windows, if it is not installed, you can download the GnuWin32 build, or run keytool -printcertreq -file C:\cert-req.csr from the same Java directory, which also prints the requested extensions.
...
Attributes:
Requested Extensions:
X509v3 Subject Alternative Name:
IP Address:192.168.1.140, DNS:spectrum104
6. Import the CA-issued certificate following the steps described in the documentation. Before importing, confirm the CA honored the request with openssl x509 -in <certificate file> -noout -text (or keytool -printcert -file <certificate file>). If the CSR showed the SAN but the issued certificate does not, the CA policy or certificate template is discarding requested extensions; that has to be corrected on the CA side, not in keytool.
7. After OneClick is configured to use SSL, the certificate served by the OneClick Home page should list the SAN; open the certificate details in the browser on first load to confirm the host name or IP you connect with appears there.
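Steps 3, 5 and 6 above all come down to one check: does the DER structure (keystore entry, CSR, or issued certificate) carry the SubjectAlternativeName extension with the names you expect? The following standard-library Python script is an added example, not part of the original article or of Spectrum, for hosts where openssl is not installed. It walks the DER tree of a PEM or DER CSR/certificate, extracts the DNS and IP entries of extension 2.5.29.17, and reports which expected names are missing, so it can gate a CSR before it goes to the CA. The encoder at the bottom only builds a constructed sample of the PKCS#9 extensionRequest attribute that keytool -certreq -ext SAN produces, so the script runs offline; all function names are the example's own.

```python
"""Check a PEM/DER CSR or certificate for a SubjectAlternativeName extension (stdlib only)."""
import base64
import ipaddress
import re

SAN_OID = "2.5.29.17"                     # id-ce-subjectAltName
EXT_REQ_OID = "1.2.840.113549.1.9.14"     # PKCS#9 extensionRequest attribute used in CSRs


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split a constructed value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = _read_tlv(value, pos)
        out.append((tag, v))
    return out


def _decode_oid(value):
    parts, n = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(n))
            n = 0
    return ".".join(parts)


def _general_names(value):
    """Decode GeneralNames: [2] dNSName and [7] iPAddress are what keytool -ext SAN emits."""
    names = []
    for tag, v in _children(value):
        if tag == 0x82:
            names.append("DNS:" + v.decode("ascii"))
        elif tag == 0x87:
            names.append("IP:" + str(ipaddress.ip_address(v)))
        else:
            names.append("other(tag=0x%02x)" % tag)
    return names


def _find_san(value):
    """Depth-first walk; an Extension is a SEQUENCE whose first element is the SAN OID."""
    children = _children(value)
    if children and children[0][0] == 0x06 and _decode_oid(children[0][1]) == SAN_OID:
        octet_string = children[-1][1]          # extnValue, itself DER: SEQUENCE OF GeneralName
        return _general_names(_children(octet_string)[0][1])
    for tag, v in children:
        if tag & 0x20:                          # constructed: SEQUENCE, SET, [n] explicit tags
            found = _find_san(v)
            if found is not None:
                return found
    return None


def san_entries(data):
    """SAN entries of a PEM or DER CSR/certificate; [] when the extension is absent."""
    if b"-----BEGIN" in data:
        body = re.search(rb"-----BEGIN [^-]+-----(.*?)-----END", data, re.S).group(1)
        data = base64.b64decode(b"".join(body.split()))
    return _find_san(data) or []


def _norm(entry):
    kind, _, val = entry.partition(":")
    kind = kind.upper()
    return kind + ":" + (str(ipaddress.ip_address(val)) if kind == "IP" else val.lower())


def missing_sans(data, expected):
    """Expected names the CSR/certificate does not carry; an empty list means it is safe to submit."""
    present = {_norm(e) for e in san_entries(data)}
    return [e for e in expected if _norm(e) not in present]


# --- constructed sample: the extensionRequest attribute keytool -certreq -ext SAN writes ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(oid):
    parts = [int(p) for p in oid.split(".")]
    body = bytes([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk, p = [p & 0x7F], p >> 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        body += bytes(reversed(chunk))
    return _tlv(0x06, body)


def build_san_extension_request(sans):
    """Constructed [0] Attributes blob containing only the SAN extension request (not a full CSR)."""
    names = b""
    for entry in sans:
        kind, _, val = entry.partition(":")
        if kind.upper() == "DNS":
            names += _tlv(0x82, val.encode("ascii"))
        elif kind.upper() == "IP":
            names += _tlv(0x87, ipaddress.ip_address(val).packed)
        else:
            raise ValueError("unsupported SAN type: " + kind)
    extension = _tlv(0x30, _encode_oid(SAN_OID) + _tlv(0x04, _tlv(0x30, names)))
    attribute = _tlv(0x30, _encode_oid(EXT_REQ_OID) + _tlv(0x31, _tlv(0x30, extension)))
    return _tlv(0xA0, attribute)


if __name__ == "__main__":
    sample = build_san_extension_request(["IP:192.168.1.140", "DNS:spectrum104"])
    print(san_entries(sample))
    print(missing_sans(sample, ["DNS:spectrum104", "DNS:spectrum104.mydomain.com"]))
```

For a real file, pass the bytes of C:\cert-req.csr or of the CA-issued certificate to san_entries or missing_sans; a non-empty result from missing_sans at step 5 means the CSR was built without -ext, and at step 6 it means the CA dropped the requested extension.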