cert.cnf

[req]
default_bits = 2048
default_md   = sha256
string_mask  = utf8only
prompt       = no
encrypt_key  = no
distinguished_name = @req_dn
x509_extensions = @req_ext

[req_dn]
commonName = Test Certificate

[req_san]
DNS.1 = www.example.com
DNS.2 = example.com
# If you need to support IP Addresses in certs, across browsers,
# then only include one IP per cert, and update both this and
# the commonName to include the IP (for IE/Edge support).
# See https://cabforum.org/guidance-ip-addresses-certificates/
IP.1 = 127.0.0.1

[req_ext]
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature
extendedKeyUsage = critical, serverAuth
subjectAltName = @req_san

generate.sh

# Generate a request (req)
# ... and then turn it into a certificate (-x509)
# ... using the configuration from cert.cnf (-config cert.cnf)
# ... with a new 2048-bit RSA key (-newkey rsa:2048)
# ... saved in cert.key (-keyout cert.key)
# ... and save the certificate in cert.pem (-out cert.pem)
# ... with a unique serial equal to the number of seconds since the epoch (-set_serial $(date +%s))
openssl req -x509 -config cert.cnf -newkey rsa:2048 -days 365 -keyout cert.key -out cert.pem -set_serial $(date +%s)