diff --git a/scripts/kvmd-gencert b/scripts/kvmd-gencert
index 7bd95cf23..bb120bc13 100755
--- a/scripts/kvmd-gencert
+++ b/scripts/kvmd-gencert
@@ -20,7 +20,6 @@
 #                                                                            #
 # ========================================================================== #
 
-
 set -e
 export LC_ALL=C
 
@@ -43,21 +42,63 @@ if [ "$2" == --vnc ]; then
 fi
 path="/etc/kvmd/$target/ssl"
 
+set -e
+
+#Read Serial Number or use default all-zeros
+get_serial_number() {
+    serialnumber=$(cat /proc/device-tree/serial-number 2>/dev/null || echo "0000000000000000")
+    echo "$serialnumber"
+}
+serial=$(get_serial_number)
+san="DNS:pikvm-${serial}.local"
+
+# Function to fetch IP addresses
+get_ip_addresses() {
+	ip address | awk '/inet / {print $2}' | cut -d/ -f1
+}
+
+# Try to get IP addresses
+ip_addresses=$(get_ip_addresses || true)
+set +e
+
+# Update SAN variable for IP certs
+for ip in $ip_addresses; do
+	san="${san},IP:${ip}"
+done
+
 set -x
 
 mkdir -p "$path"
 rm -f "$path"/*
 cd "$path"
 
-# XXX: Why ECC?
-#   - https://www.leaderssl.com/articles/345-what-is-ecc-and-why-you-should-use-it
-#   - https://www.digitalocean.com/community/tutorials/how-to-create-an-ecc-certificate-on-nginx-for-debian-8
-#   - https://msol.io/blog/tech/create-a-self-signed-ecc-certificate
+# Generate the OpenSSL configuration file for SAN
+cat >openssl.cnf <<EOL
+[ req ]
+distinguished_name = req_distinguished_name
+x509_extensions = v3_req
+prompt = no
+
+[ req_distinguished_name ]
+C = RU
+ST = Moscow
+L = Moscow
+O = PiKVM
+OU = PiKVM
+CN = localhost
+
+[ v3_req ]
+subjectAltName = ${san}
+EOL
+
+# Generate the ECC key and self-signed certificate with SAN
 openssl ecparam -out server.key -name prime256v1 -genkey
-openssl req -new -x509 -sha256 -nodes -key server.key -out server.crt -days 3650 \
-	-subj "/C=RU/ST=Moscow/L=Moscow/O=PiKVM/OU=PiKVM/CN=localhost"
+openssl req -new -x509 -sha256 -nodes -key server.key -out server.crt -days 3650 -config openssl.cnf
 
 chown "root:kvmd-$target" "$path"/*
 chmod 440 "$path/server.key"
 chmod 444 "$path/server.crt"
 chmod 755 "$path"
+
+# Clean up
+rm -f openssl.cnf