Actually, I could not get SAN working, not because of browsers but because openssl was not copying X509 extensions into the certificate. So I removed the alias from the script; I want to keep things simple and not write yet another tool.
I asked on the internal list about the X509 V3 extension issue and I got another tool recommendation:
I’d suggest to use certgen script for this:
It supports very old and new versions of openssl transparently (it works on RHEL-5 and later) as well as creates certificates that are more typical of the public Internet.
To create a set of certificates like you described, run:

```
x509KeyGen ca &&
x509KeyGen server &&
x509SelfSign ca &&
x509CertSign --CA ca server --CN test.example.com --subjectAltName
x509CertSign --CA ca -t webclient client
```
So just for the record, here is another one
Btw I posted it here not because I think my script is awesome, it is a very old dirty script of mine, but because Adam asked on scrum and I saw it the other day when I was searching for something else. Definitely use Erik’s tool that does look like something more useful.
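The extension problem mentioned in the thread can be reproduced with plain `openssl`. This is an added example, not code from the original posts or from certgen: it signs the same CSR twice to show that `openssl x509 -req` ignores the SAN requested in the CSR unless the signer supplies it with `-extfile`. The function names, file names, `demo CA` and `test.example.com` are assumptions made for the illustration.

```shell
#!/bin/sh
# Constructed example: every name and file below is a placeholder.

# has_san CERT NAME: succeeds only if CERT carries DNS:NAME in subjectAltName.
has_san() {
    openssl x509 -in "$1" -noout -text | grep -qF "DNS:$2"
}

# make_certs DIR NAME: create a throwaway CA, a CSR that requests a SAN for
# NAME, then sign that CSR without and with an explicit extension file.
make_certs() {
    dir=$1 name=$2
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $name
[v3_req]
subjectAltName = DNS:$name
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Extensions the signer writes into the certificate itself.
    printf 'subjectAltName = DNS:%s\n' "$name" > "$dir/ext.cnf"

    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/req.cnf" \
        -subj "/CN=demo CA" -extensions v3_ca \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null &&
    # Signing step 1: the SAN requested in the CSR is silently dropped.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 1 \
        -out "$dir/nosan.crt" 2>/dev/null &&
    # Signing step 2: the SAN is passed to the signer, so it lands in the cert.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 1 \
        -extfile "$dir/ext.cnf" -out "$dir/san.crt" 2>/dev/null
}

# Demo run: report which of the two certificates actually contains the SAN.
demo_dir=$(mktemp -d) && make_certs "$demo_dir" test.example.com
for c in nosan san; do
    if has_san "$demo_dir/$c.crt" test.example.com
    then echo "$c.crt: SAN present"; else echo "$c.crt: SAN missing"; fi
done
rm -rf "$demo_dir"
```

Checking the issued certificate with `has_san` rather than the CSR is the point: the CSR shows the SAN in both cases, so inspecting only the request hides the problem.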