You need a cert, it doesn't need the strict requirements of the WebPKI, and you're tired of all the online blogs that use RSA and an outdated OpenSSL that doesn't support `-addext`.

This should be simple and have wide support:
```shell
openssl req -x509 -nodes -days 7300 \
  -newkey ec:<(openssl ecparam -name prime256v1) \
  -subj "/O=weechat/CN=localhost" \
  -addext "subjectAltName=DNS:localhost,IP:0.0.0.0" \
  -keyout relay.pem -out relay.pem
```
This will generate a merged key/cert file; some old software (like weechat) wants it that way. Otherwise, point `-keyout` and `-out` at separate files.
More exotic, but at least Go and curl work with it:
```shell
openssl req -x509 -nodes -days 7300 \
  -key <(openssl genpkey -algorithm ED25519 | tee relay.pem) \
  -subj "/O=weechat/CN=localhost" \
  -addext "subjectAltName=DNS:localhost,IP:0.0.0.0" \
  -keyout relay.pem -out relay.pem
```
This gives `req` a fully formed key instead of just the curve parameters, which causes some issues with outputting the key. This will also generate a merged key/cert; don't ask me why the private key needs to be written twice (`tee` and `-keyout`), otherwise it will only output a cert. For a separate key and cert, remove `-keyout` and give `tee` a different file name.
Inspect the generated cert with:

```shell
openssl x509 -in relay.pem -text -noout
```
Or fetch it from a running server, where `-servername` is used for SNI and `-connect` is the destination:

```shell
openssl s_client -showcerts \
  -servername localhost \
  -connect 127.0.0.1:8080 </dev/null \
  | openssl x509 -text -noout
```
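Added example, not from the original post: a plain-sh script that builds the same kind of P-256 cert as the first command but with separate key and cert files (no process substitution, so it runs under plain `sh`), then runs the checks a client effectively performs before trusting it: key/cert match, curve, SAN contents, and verification against itself. It assumes OpenSSL 1.1.1 or newer (for `-addext` and `x509 -ext`) and uses `IP:127.0.0.1` in the SAN rather than `0.0.0.0`, because clients compare the SAN against the address they actually dialled; the scratch directory and file names are my own choice.

```shell
#!/bin/sh
# Added example: P-256 self-signed cert with separate key/cert files, plus the
# checks a client would run. Assumes OpenSSL >= 1.1.1 (-addext, x509 -ext).
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK=$(mktemp -d)                      # scratch dir for key.pem / cert.pem
trap 'rm -rf "$WORK"' EXIT

# Same key type and subject as the page's first command, written to two files.
# IP:127.0.0.1 instead of 0.0.0.0: clients match the SAN against the address
# they dialled, and nobody dials 0.0.0.0.
gen_cert() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/key.pem"
    openssl req -x509 -days 7300 -key "$WORK/key.pem" \
        -subj "/O=weechat/CN=localhost" \
        -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" \
        -out "$WORK/cert.pem" 2>/dev/null
}

# The public key inside the cert must be the one derived from key.pem;
# a mismatch means the server fails every handshake.
key_matches_cert() {
    k=$(openssl pkey -in "$WORK/key.pem" -pubout)
    c=$(openssl x509 -in "$WORK/cert.pem" -pubkey -noout)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Curve actually encoded in the cert (expect prime256v1).
key_curve() {
    openssl x509 -in "$WORK/cert.pem" -noout -text | sed -n 's/^ *ASN1 OID: *//p'
}

# Hostname verification uses the SAN, not the CN: check an entry is present.
has_san() {
    openssl x509 -in "$WORK/cert.pem" -noout -ext subjectAltName | grep -q -- "$1"
}

# A self-signed cert must verify when it is its own trust anchor.
verify_self_signed() {
    openssl verify -CAfile "$WORK/cert.pem" "$WORK/cert.pem" >/dev/null
}

main() {
    gen_cert
    key_matches_cert && echo "public key in cert matches key.pem"
    echo "curve: $(key_curve)"
    has_san "DNS:localhost" && echo "SAN contains DNS:localhost"
    verify_self_signed && echo "cert verifies against itself"
}
main "$@"
```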