openssl genrsa -out key.pem 4096
openssl rep -subj "/CN=client" -new -key key.pem -out client.csr
cat > v3-client.cnf <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = clientAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=tips-of-mine.local
DNS.2=tips-of-mine
DNS.3=hostname
IP.1=127.0.0.1
IP.2=@IP
EOF
openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile v3-client.cnf
chmod -v 0400 ca-key.pem key.pem server-key.pem
chmod -v 0444 ca.pem server-cert.pem cert.pem