Creating a plain selfsigned cert, i.e. for use with a webserver. The client has by other means to verify authenticity, so i.e. fingerprint.
Creating a selfsigned x509 cert with alternate names.
$ cat >ossl.cnf<<EOT [req] req_extensions = v3_req distinguished_name = req_distinguished_name [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = DE countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = Thuringia localityName = Locality Name (eg, city) localityName_default = Muehlhausen 0.organizationName = Organization Name (eg, company) 0.organizationName_default = Freespeach noorg organizationalUnitName = Organizational Unit Name (eg, section) organizationalUnitName_default = noou commonName = Common Name (e.g. server FQDN or YOUR name) commonName_max = 64 emailAddress = Email Address emailAddress_max = 64 [ v3_req ] basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectAltName = @alt_names [alt_names] DNS.1 = wiki.fluxcoil.net DNS.2 = www.fluxcoil.net DNS.3 = mail.fluxcoil.net EOT $ openssl genrsa -out fluxcoil.net_201507.key 4096 $ openssl req -new -out fluxcoil.net_201507.csr -nodes -sha256 \ -key fluxcoil.net_201507.key -config ossl.cnf $ openssl req -text -noout -in fluxcoil.net_201507.csr $ openssl x509 -in fluxcoil.net_201507.csr \ -out fluxcoil.net_201507.cert -req -signkey fluxcoil.net_201507.key \ -days 3650 -extensions v3_req -extfile ossl.cnf $ openssl x509 -in fluxcoil.net_201507.cert -noout -text