Actually, I could not get SAN working, not because of browsers but because openssl was not copying X509 extensions into the certificate. So I removed the alias from the script; I want to keep things simple and not write yet another tool.
I asked on the internal list about the X509 V3 extension issue and I got another tool recommendation:
I’d suggest to use certgen script for this:
It supports very old and new versions of openssl transparently (it works on RHEL-5 and later) as well as creates certificates that are more typical of the public Internet.
To create a set of certificates like you described, run:

```
wget https://raw.githubusercontent.com/redhat-qe-security/certgen/master/certgen/lib.sh &&
source lib.sh
x509KeyGen ca &&
x509KeyGen server &&
x509KeyGen client
x509SelfSign ca &&
x509CertSign --CA ca server --CN test.example.com --subjectAltName DNS=alias.example.com &&
x509CertSign --CA ca -t webclient client
```
So just for the record, here is another one 
Btw I posted it here not because I think my script is awesome, it is a very old dirty script of mine, but because Adam asked on scrum and I saw it the other day when I was searching for something else. Definitely use Erik’s tool that does look like something more useful.
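
The extension problem mentioned at the top of this post can be reproduced with plain openssl. The following is an added example, not the poster's script and not part of certgen. It assumes the CSR is signed with `openssl x509 -req`; the CA name, host names and file names are sample values.

```bash
#!/bin/sh
# Added example. "Demo CA", test.example.com and alias.example.com are sample values.
set -eu

# Print the subjectAltName value of a CSR ("req") or certificate ("x509"),
# or nothing when the extension is absent.
san_of() {
    openssl "$1" -in "$2" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' '
}

make_certs() {
    dir=$1
    # One config serves as CSR template and as the -extfile used at signing time.
    cat > "$dir/san.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
req_extensions = v3_req
[dn]
CN = test.example.com
[v3_req]
subjectAltName = DNS:test.example.com, DNS:alias.example.com
EOF
    # Throwaway CA, then a server CSR that carries the SAN as a requested extension.
    openssl req -x509 -newkey rsa:2048 -nodes -config "$dir/san.cnf" \
        -subj "/CN=Demo CA" -days 1 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/san.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # Plain signing: extensions requested in the CSR are ignored.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/dropped.crt" 2>/dev/null
    # Signing with the extension section named explicitly: the SAN ends up in the cert.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/san.cnf" -extensions v3_req \
        -out "$dir/kept.crt" 2>/dev/null
}

tmp=$(mktemp -d)
make_certs "$tmp"
echo "CSR:             $(san_of req  "$tmp/server.csr")"
echo "without extfile: $(san_of x509 "$tmp/dropped.crt")"
echo "with extfile:    $(san_of x509 "$tmp/kept.crt")"
rm -rf "$tmp"
```

The SAN is present in the CSR in both cases; only the signing step decides whether it reaches the certificate. OpenSSL 3.0 and later also accept `-copy_extensions` on `openssl x509 -req` as an alternative to `-extfile`.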