好记性不如烂笔头。

使用 openssl 自建 CA，并签发服务器与客户端证书（仅 CA 证书是自签名的）

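# Build a private CA and issue one server and one client certificate from it.
# Needs bash (process substitution) and the openssl CLI. Files written to the
# current directory: my-openssl.cnf, ca.key/ca.crt/ca.srl,
# server.key/.csr/.crt and client.key/.csr/.crt.

# Validity periods in days; override from the environment if needed.
# The earlier fixed value of 2913776 days (roughly 7977 years) put notAfter
# near year 9999, the last year X.509 time fields can express, so the result
# depended on the day the commands were run. Some TLS stacks (Apple platforms,
# for example) also reject server certificates valid for more than 825 days.
CA_DAYS="${CA_DAYS:-3650}"
LEAF_DAYS="${LEAF_DAYS:-825}"

# Names and addresses the issued certificates are valid for.
SAN="DNS:localhost,DNS:mayb.cn,DNS:*.mayb.cn,DNS:gotoqq.com,DNS:*.gotoqq.com,IP:127.0.0.1"

# Quoted delimiter: the config text is written verbatim, with no shell expansion.
cat > my-openssl.cnf << 'EOF'
# [ ca ], [ CA_default ] and [ usr_cert ] are read only by "openssl ca";
# the req/x509 commands below do not apply them.
[ ca ]
default_ca = CA_default
[ CA_default ]
x509_extensions = usr_cert
[ req ]
default_bits = 2048
default_md = sha256
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
string_mask = utf8only
# Left empty on purpose: every subject is supplied with -subj.
[ req_distinguished_name ]
[ req_attributes ]
[ usr_cert ]
basicConstraints = CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical,CA:true
# The CA key may only sign certificates and CRLs.
keyUsage = critical,keyCertSign,cRLSign
EOF

# --- CA ---------------------------------------------------------------------
# Keys are created inside a subshell with umask 077 so they are never
# group/world readable and the caller's umask is left alone. ca.key is stored
# unencrypted: anyone who can read it can mint certificates this CA vouches for.
( umask 077; openssl genrsa -out ca.key 2048 )
# Use the local config so the CA extensions do not depend on the system-wide
# openssl.cnf.
openssl req -x509 -new -sha256 -key ca.key -subj "/CN=mayb" -days "$CA_DAYS" \
-config my-openssl.cnf -extensions v3_ca \
-out ca.crt

# --- server certificate -----------------------------------------------------
( umask 077; openssl genrsa -out server.key 2048 )
openssl req -new -sha256 -key server.key \
-subj "/C=XX/ST=DEFAULT/L=DEFAULT/O=DEFAULT/CN=mayb" \
-reqexts SAN \
-config <(cat my-openssl.cnf <(printf '\n[SAN]\nsubjectAltName=%s\n' "$SAN")) \
-out server.csr
# "x509 -req" does not copy extensions from the CSR, so everything the final
# certificate needs is listed in -extfile. extendedKeyUsage limits this
# certificate to TLS server authentication.
openssl x509 -req -sha256 -days "$LEAF_DAYS" \
-in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
-extfile <(printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=%s\n' "$SAN") \
-out server.crt

# --- client certificate -----------------------------------------------------
( umask 077; openssl genrsa -out client.key 2048 )
openssl req -new -sha256 -key client.key \
-subj "/C=XX/ST=DEFAULT/L=DEFAULT/O=DEFAULT/CN=mayb" \
-reqexts SAN \
-config <(cat my-openssl.cnf <(printf '\n[SAN]\nsubjectAltName=%s\n' "$SAN")) \
-out client.csr
# Same subject and SAN as the server certificate; extendedKeyUsage=clientAuth
# is what keeps a leaked client key from being presented as the server.
openssl x509 -req -sha256 -days "$LEAF_DAYS" \
-in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
-extfile <(printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\nsubjectAltName=%s\n' "$SAN") \
-out client.crt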