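#!/usr/bin/env bash
# Notes: build a private root CA and issue TLS server certificates from it.
# bash is required because step 3 uses process substitution.
# The openssl req calls without -subj prompt interactively for the subject.
set -euo pipefail

# --- 1. Root CA ---------------------------------------------------------------
# The CA key is passphrase-protected (-aes256). The umask keeps the key file
# owner-only even on OpenSSL builds that honour the caller's umask.
(umask 077; openssl genrsa -aes256 -out ca.key 4096)

# Self-signed root certificate, valid for 10958 days.
# Name recorded in these notes for the CA (presumably entered as the
# Common Name at the prompt; confirm):
#   snel.it Universal Root Certificate Authority - X1
openssl req -new -x509 -sha256 -days 10958 -key ca.key -out ca.crt

# --- 2. Server certificate without SAN ------------------------------------------
# The server key is left unencrypted; protect it with file permissions instead.
(umask 077; openssl genrsa -out server.key 4096)
openssl req -new -key server.key -out server.csr

# -CAcreateserial keeps a serial file next to the CA certificate, so every
# certificate from this CA gets its own serial number. A fixed
# "-set_serial 01" on each signing gives two certificates the same
# issuer+serial, which clients may reject and which makes revocation ambiguous.
openssl x509 -req -sha256 -days 3653 -in server.csr \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out server.crt

# --- 3. CSR carrying a SAN ------------------------------------------------------
# Certificates without a SAN (Subject Alternative Name) are no longer accepted
# by Chrome, so the request needs some extra fields. This overwrites server.csr.
# Note: "openssl x509 -req" does not copy extensions from the CSR by default,
# so the SAN still has to be supplied at signing time (see step 4).
openssl req -new -key server.key -out server.csr \
  -reqexts SAN -subj /CN=Hostname -extensions SAN \
  -config <(cat /etc/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:rb2011.hvs.snel.it'))

# --- 4. Per-host certificate with SAN applied at signing time --------------------
# Extension file consumed by -extfile below. The file name must match the
# -extfile argument.
# keyUsage includes digitalSignature: TLS 1.3 and (EC)DHE key exchange have
# the server sign with its key, and clients that enforce keyUsage refuse a
# certificate that only allows encipherment.
cat > rb2011-csr.conf <<'EOF'
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
string_mask = utf8only

[req_distinguished_name]
C = NL
ST = Noord Holland
L = Hilversum
O = snel.it
CN = LuCI WebAdmin

[v3_req]
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1= rb2011.hvs.snel.it
DNS.2 = localhost
EOF

# The host key is not created by these notes; fail early with a clear message
# instead of letting openssl report a missing file.
if [[ ! -f rb2011.hvs.snel.it.key ]]; then
  printf 'missing rb2011.hvs.snel.it.key (generate it like server.key in step 2)\n' >&2
  exit 1
fi

# The CSR is written to the same file name that the signing step reads.
openssl req -new -key rb2011.hvs.snel.it.key -out rb2011.hvs.snel.it.csr

# 3653 days is a long lifetime for a leaf certificate; some clients cap the
# validity they accept, so shorten -days if a client rejects the result.
openssl x509 -req -sha256 -days 3653 -in rb2011.hvs.snel.it.csr \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out rb2011.hvs.snel.it.crt -extfile rb2011-csr.conf \
  -extensions v3_req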