Certificate expiry assistance

Article ID: 273036

Updated On:

Products

Data Loss Prevention Core Package, Data Loss Prevention, Data Loss Prevention Enterprise Suite, Data Loss Prevention Enforce, Data Loss Prevention Plus Suite

Issue/Introduction

You are trying to renew the certificate for the DLP web console and have used the following documentation:

 Create, sign, and import an SSL certificate signed by a Trusted Certificate Authority for the Enforce Server certificate (broadcom.com)

However, you were unable to correctly apply the command:

"<DRIVE>:\Program Files\AdoptOpenJRE\jdk8u<version>-jre\bin\keytool" -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 720 -dname "CN=<servername>, OU=XXX, O=SYMANTEC, L=SANJOSE, ST=California, C=US" -ext SAN=DNS:<servername>,DNS:<domainname>,DNS:<FQDN>,IP:<IPAddress> -keystore <DRIVE>:\EnforceCert\.keystore -storepass XXXXXXXX

You need more information to determine what is referred to as the <IPAddress> - i.e., is that the DNS IP or Server IP?

You also have questions about the "DNS:<FQDN>" setting - i.e., is that DNS FQDN or Server FQDN?

Environment

Release : 16.0

Cause

Configuration issue in terms of the certificate on the environment.

Resolution

As an example, the Enforce Server console and Enforce Server FQDN is "dlp.example.com" and its IP is <10.0.0.0>.

To clarify with this example: the DLP application runs on the host <dlp.example.com> with IP <10.0.0.0>, so the FQDN and IP address in the command are those of the Enforce Server. The command to run becomes:

"<DRIVE>:\Program Files\AdoptOpenJRE\jdk8u<version>-jre\bin\keytool" -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 720 -dname "CN=dlp, OU=DLP, O=EXAMPLE, L=Cupertino, ST=California, C=US" -ext SAN=DNS:dlp,DNS:example.com,DNS:dlp.example.com,IP:10.0.0.0 -keystore E:\EnforceCert\.keystore -storepass xxxxxxxx
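
To confirm that the generated entry carries the intended SAN values, the following added example (not part of the original article or the vendor's documentation) parses keytool -list -v output and reports any name the certificate does not cover. The function names, the sample output and the name enforce.example.com are constructed for illustration, and the SAN layout is assumed to match what keytool prints.

```powershell
# Added example: check that the SAN list of the "tomcat" entry covers every
# name or address used to reach the Enforce console.
# Real input (keytool prompts for the keystore password when -storepass is omitted):
#   $out = & "<DRIVE>:\...\bin\keytool" -list -v -alias tomcat -keystore <DRIVE>:\EnforceCert\.keystore

function Get-KeytoolSan {
    param([string[]]$KeytoolOutput)
    $inSan = $false
    foreach ($line in $KeytoolOutput) {
        # The SAN extension is printed as a bracketed block of typed entries.
        if ($line -match '^\s*SubjectAlternativeName\s*\[') { $inSan = $true; continue }
        if ($inSan -and $line -match '^\s*\]') { $inSan = $false; continue }
        if ($inSan -and $line -match '^\s*(DNSName|IPAddress):\s*(\S+)') {
            [pscustomobject]@{ Type = $Matches[1]; Value = $Matches[2].ToLowerInvariant() }
        }
    }
}

function Test-SanCoverage {
    param([string[]]$KeytoolOutput, [string[]]$ExpectedNames)
    $present = @(Get-KeytoolSan -KeytoolOutput $KeytoolOutput | ForEach-Object { $_.Value })
    # Host names are compared case-insensitively; IP addresses are compared as text.
    $missing = @($ExpectedNames | Where-Object { $present -notcontains $_.ToLowerInvariant() })
    [pscustomobject]@{ Present = $present; Missing = $missing; Ok = ($missing.Count -eq 0) }
}

# Constructed sample, in the layout assumed for the SAN extension in `keytool -list -v`.
$sample = @'
Alias name: tomcat
Owner: CN=dlp, OU=DLP, O=EXAMPLE, L=Cupertino, ST=California, C=US
#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: dlp
  DNSName: example.com
  DNSName: dlp.example.com
  IPAddress: 10.0.0.0
]
'@ -split "`r?`n"

# Names from the article's example, plus one constructed name that is not in the SAN.
$expected = 'dlp', 'dlp.example.com', '10.0.0.0', 'enforce.example.com'
$result = Test-SanCoverage -KeytoolOutput $sample -ExpectedNames $expected
$result.Missing   # names the certificate would not match
```

Any value listed under Missing is a host name or address that browsers would reject for this certificate, so add it to the -ext SAN= list before generating the signing request.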

Additional Information

Additional confirmation of which Dname to supply may need to be obtained from IT teams who work with your server environment.