The following certificates are used in tests, that assume expiration date to always be in the future, so instead of a normal cert validity of 1-5 years. we use 500 years here.
$ openssl genrsa -out cakey.pem 2048 $ openssl req -x509 -new -nodes -key cakey.pem -sha256 -days 182500 -out cacert.pem \ -subj "/CN=Test Root Certificate Authority/ST=CA/C=US/emailAddressemail@example.com/O=Test/OU=Test Department"
$ openssl genrsa -out server_key.pem 2048 $ openssl req -new -sha256 -key server_key.pem \ -subj "/C=US/ST=CA/O=Test/OU=Subunit of Test Organization/CN=test.com/emailAddressfirstname.lastname@example.org" \ -addext "subjectAltName=DNS:test.com,DNS:alt.test.com" \ -out server_crt.csr $ openssl x509 -req -in server_crt.csr -CA cacert.pem -CAkey cakey.pem \ -extfile <(printf "subjectAltName=DNS:test.com,DNS:alt.test.com") \ -CAcreateserial -out server_crt.pem -days 182500 -sha256 -text
$ openssl genrsa -out client_key.pem 2048 $ openssl req -new -sha256 -key client_key.pem \ -subj "/C=US/ST=CA/O=Test Client/OU=Subunit of Test Organization/CN=client.test.com/emailAddressemail@example.com" \ -addext "subjectAltName=DNS:client.test.com,DNS:alt.client.test.com" \ -out client_crt.csr $ openssl x509 -req -in client_crt.csr -CA cacert.pem -CAkey cakey.pem \ -extfile <(printf "subjectAltName=DNS:client.test.com,DNS:alt.client.test.com") \ -CAcreateserial -out client_crt.pem -days 182500 -sha256 -text
NOTES: *.csr files are certificate signing requests which are needed in order to sign certificates with signing authority. -CAcreateserial option creates one file which we do not need but openssl does. You can delete it after you are done.