Product Documentation

If the keystore requires a Subject Alternative Name (SAN) for Payara, then it will need to be added to the certificate signing request (CSR).

To add SANs to a certificate signing request, the normal command to generate the CSR will need to be modified.

In the following command, replace each example host name (“blue.strongkey.com”, “red.strongkey.com”, etc.) with the corresponding SAN from the keystore. Include as many or as few SANs as desired. certreq.csr is the file name of the CSR.

keytool -certreq -alias s1as -keyalg RSA -file certreq.csr -keystore GLASSFISH_CONFIG/keystore.jks -ext SAN=dns:blue.strongkey.com,dns:red.strongkey.com,dns:green.strongkey.com

Run the following command to view the CSR. The SANs are listed under the Extension Request section:

keytool -printcertreq -file certreq.csr

PKCS #10 Certificate Request (Version 1.0)
Subject: CN=colorfulFQDNS, OU=StrongKey FidoServer
Format: X.509
Public Key: 2048-bit RSA key
Signature algorithm: SHA256withRSA

Extension Request:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: blue.strongkey.com
  DNSName: red.strongkey.com
  DNSName: green.strongkey.com
]

#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 7E 1C D7 EF AC D9 71 40   41 B7 4B 20 3A 61 07 16  ......q@A.K :a..
0010: 7F 3F C8 02                                        .?..
]
]

Once the Certificate Signing Request is generated, send it to the Certificate Authority service provider to have it signed. Upon receiving the signed certificate, continue on to "Importing the Certificate (JKS)".
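Before the CSR goes to the Certificate Authority, the SAN list can be checked mechanically instead of by eye. The script below is an added example, not part of the StrongKey documentation: the function names are hypothetical, it only compares DNSName entries, and the sample input is the Extension Request output shown above.

```shell
#!/bin/sh
# Added example: compare the DNS SANs in `keytool -printcertreq` output
# with the host names the certificate is expected to cover.

# Print the DNSName entries of the SubjectAlternativeName block, lowercased.
csr_dns_sans() {
  awk '
    /^SubjectAlternativeName \[/ { in_san = 1; next }
    in_san && /^\]/              { in_san = 0 }
    in_san && $1 == "DNSName:"   { print tolower($2) }
  '
}

# Print the stdin lines that do not occur as whole lines in the list $1.
lines_not_in() {
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    printf '%s\n' "$1" | grep -Fxq -- "$line" || printf '%s\n' "$line"
  done
}

# Usage: keytool -printcertreq -file certreq.csr | check_csr_sans HOST...
# Returns 0 only when the CSR's DNS SANs equal the expected set exactly.
check_csr_sans() {
  actual=$(csr_dns_sans)
  expected=$(printf '%s\n' "$@" | tr '[:upper:]' '[:lower:]')
  missing=$(printf '%s\n' "$expected" | lines_not_in "$actual")
  extra=$(printf '%s\n' "$actual" | lines_not_in "$expected")
  if [ -n "$missing" ]; then printf '%s\n' "$missing" | sed 's/^/missing SAN: /' >&2; fi
  if [ -n "$extra" ]; then printf '%s\n' "$extra" | sed 's/^/unexpected SAN: /' >&2; fi
  [ -z "$missing" ] && [ -z "$extra" ]
}

# Sample input: the Extension Request section from the output above.
sample_printcertreq() {
  cat <<'EOF'
Extension Request:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: blue.strongkey.com
  DNSName: red.strongkey.com
  DNSName: green.strongkey.com
]
EOF
}

sample_printcertreq | check_csr_sans blue.strongkey.com red.strongkey.com \
  green.strongkey.com && echo "CSR SANs match the expected list"
```

A non-zero exit status means a SAN was dropped or mistyped in the -ext argument, or an extra name was included; regenerate the CSR before submitting it.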