Openfire doesn't like primary server name being a SAN in certificate

Even if you have:

in the certificate as alternative names, it won’t let you load that cert using the UI. If you load it in with keytool, it works fine, but the main page shows a complaint saying it’s not valid for ‘’, even though it clearly is.