This took way too long to solve.
A good guide but…
https://networklessons.com/uncategorized/openssl-certification-authority-ca-ubuntu-server
Remember to enable this in the CA section of your openssl.cnf: copy_extensions = copy
Otherwise you’ll spend an eternity trying to figure out what is wrong.
And also…
openssl req ... -extensions v3_req -addext 'subjectAltName=DNS:my.domain.com'
This ought to do it.
Here’s a little bash script (not including the CA cert generation):
#!/bin/bash
# Issue a server certificate for one host name: create the key and CSR with the
# SAN set via -addext, then have the CA sign it (the CA config needs copy_extensions = copy).
echo "Generating certificates"
echo "======================================"
if [ -z "$1" ]; then
    echo "Usage: $0 fqhn"
    echo "Nothing done!"
    exit 1
fi
echo "Creating certificate request for '$1'"
echo ""
# The SAN is requested here; the CA only keeps it if copy_extensions = copy is set.
openssl req -new -newkey rsa:4096 -nodes \
    -keyout "requests/$1.key" -out "requests/$1.csr" \
    -subj "/C=SE/ST=Stockholm/L=Stockholm/O=my.domain/OU=my-unit/CN=$1/emailAddress=me@my.domain" \
    -extensions v3_req -addext "subjectAltName=DNS:$1"
ret=$?
if [ $ret -ne 0 ]; then
    echo "Failed to generate request: $ret"
    echo ""
    exit $ret
fi
echo "Signing certificate for '$1'"
echo ""
# -batch skips the interactive confirmation; the CA key passphrase is read from a file.
openssl ca -batch -in "requests/$1.csr" -out "requests/$1.pem" -passin file:ca_cert_password.txt
ret=$?
if [ $ret -ne 0 ]; then
    echo "Failed to sign the certificate: $ret"
    echo ""
    exit $ret
fi
echo "Done!"
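To see why copy_extensions matters, here is an added example (not part of the post above) that builds a throwaway CA with a constructed minimal openssl.cnf, issues one certificate with a SAN from a CSR, and reads the SAN back from the signed certificate; run it once with copy_extensions = none (OpenSSL's default) and once with copy. It assumes an openssl binary of 1.1.1 or newer on PATH (for -addext); the CA name and config section names are my own.

```shell
#!/bin/bash
# Added example (not from the original post): sign a CSR carrying a SAN through a
# throwaway CA and report which DNS SANs ended up in the issued certificate.
# copy_extensions = none drops the SAN; copy_extensions = copy keeps it.
# Assumes an openssl binary (1.1.1 or newer, for -addext) on PATH.
set -eu

# sign_with_copy_mode MODE FQDN -> prints the DNS SANs found in the issued cert
sign_with_copy_mode() {
    mode=$1; fqdn=$2
    dir=$(mktemp -d)
    mkdir -p "$dir/newcerts"; touch "$dir/index.txt"; echo 01 > "$dir/serial"
    # Constructed minimal openssl.cnf; copy_extensions lives in the CA section.
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
private_key = $dir/ca.key
certificate = $dir/ca.crt
default_md = sha256
default_days = 365
policy = policy_cn
copy_extensions = $mode
[ policy_cn ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
    # Throwaway CA key and self-signed cert (constructed for this example only).
    openssl req -x509 -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -subj "/CN=Example Test CA" \
        -addext "basicConstraints=critical,CA:TRUE" -days 30 >/dev/null 2>&1
    # CSR with the SAN requested via -addext, as in the post.
    openssl req -new -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/host.key" -out "$dir/host.csr" -subj "/CN=$fqdn" \
        -addext "subjectAltName=DNS:$fqdn" >/dev/null 2>&1
    # Sign with the CA; only copy_extensions = copy carries the SAN into the cert.
    openssl ca -batch -notext -config "$dir/openssl.cnf" \
        -in "$dir/host.csr" -out "$dir/host.pem" >/dev/null 2>&1
    # The check worth scripting: read the SAN back from the issued certificate.
    openssl x509 -in "$dir/host.pem" -noout -text | grep -o 'DNS:[A-Za-z0-9.-]*' || true
    rm -rf "$dir"
}
```

Calling sign_with_copy_mode copy my.domain.com prints DNS:my.domain.com, while sign_with_copy_mode none my.domain.com prints nothing, which is the silent failure the post warns about.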