I run across this topic once in a while, trying to remember how this was done then find all the incomplete answers again (with config files, oneliners,ignoring that we really want to use a custom CA to create a full certificate chain etc.). And many answers applying SAN for the certificate request, but messing SAN up in the signing command…