openssl ecparam -genkey -name prime256v1 | openssl ec -aes256 -out ca.key
openssl ec -noout -text -in ca.key
openssl req -x509 -days 3650 -subj "/OU=[CHANGEME] Root CA/O=[CHANGEME]/CN=[CHANGEME] Root CA" -addext "keyUsage=critical, cRLSign, keyCertSign" -addext "extendedKeyUsage=critical, clientAuth, codeSigning, msEFS, emailProtection, ipsecTunnel, ipsecUser, serverAuth, timeStamping" -key ca.key -out ca.crt
openssl x509 -noout -text -in ca.crt
openssl ecparam -genkey -name prime256v1 | openssl ec -aes256 -out server.key
openssl ecparam -genkey -name prime256v1 | openssl ec -out server.key
openssl ec -noout -text -in server.key
openssl req -new -key server.key -out server.csr -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:example.com\nsubjectAltName=DNS:*.example.com"))
openssl req -noout -text -in server.csr
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -extfile <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:example.com\nsubjectAltName=DNS:*.example.com")) -extensions SAN
openssl x509 -noout -text -in server.crt