The following certificates are used in tests, that assume expiration date to always be in the future, so instead of a normal cert validity of 1-5 years. we use 500 years here.
$ openssl genrsa -out cakey.pem 2048
$ openssl req -x509 -new -nodes -key cakey.pem -sha256 -days 182500 -out cacert.pem \
-subj "/CN=Test Root Certificate Authority/ST=CA/C=US/[email protected]/O=Test/OU=Test Department"
$ openssl genrsa -out server_key.pem 2048
$ openssl req -new -sha256 -key server_key.pem \
-subj "/C=US/ST=CA/O=Test/OU=Subunit of Test Organization/CN=test.com/[email protected]" \
-addext "subjectAltName=DNS:test.com,DNS:alt.test.com" \
-out server_crt.csr
$ openssl x509 -req -in server_crt.csr -CA cacert.pem -CAkey cakey.pem \
-extfile <(printf "subjectAltName=DNS:test.com,DNS:alt.test.com") \
-CAcreateserial -out server_crt.pem -days 182500 -sha256 -text
$ openssl genrsa -out client_key.pem 2048
$ openssl req -new -sha256 -key client_key.pem \
-subj "/C=US/ST=CA/O=Test Client/OU=Subunit of Test Organization/CN=client.test.com/[email protected]" \
-addext "subjectAltName=DNS:client.test.com,DNS:alt.client.test.com" \
-out client_crt.csr
$ openssl x509 -req -in client_crt.csr -CA cacert.pem -CAkey cakey.pem \
-extfile <(printf "subjectAltName=DNS:client.test.com,DNS:alt.client.test.com") \
-CAcreateserial -out client_crt.pem -days 182500 -sha256 -text
NOTES: *.csr files are certificate signing requests which are needed in order to sign certificates with signing authority. -CAcreateserial option creates one file which we do not need but openssl does. You can delete it after you are done.