Simple openssl command creating x509 certificate with CA chain

generate-certificate.sh

#!/bin/sh

cat > req.conf <<EOF
[req]
prompt = no
x509_extensions = v3_req
distinguished_name = dn
[dn]
CN = querypie
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${dns_name}
EOF

  openssl req -new -x509 -nodes \
    -newkey rsa:4096 -keyout rootCA.key \
    -passout "pass:$(openssl rand -base64 32)" \
    -config req.conf \
    -days 3650 \
    -out rootCA.crt

  openssl req -new -x509 \
    -newkey rsa:4096 -keyout server.key \
    -CA rootCA.crt \
    -CAkey rootCA.key \
    -config req.conf \
    -passout "pass:$(openssl rand -base64 32)" \
    -days 3650 \
    -out server.crt

  rm req.conf