Someone recently asked how to make a simple self-signed certificate with IPs in the SAN. The usual OpenSSL commands don't ask for SAN information at all, so adding anything requires a configuration file. The sample file supplied with OpenSSL is 350 lines long, and contains a bit more than is necessary for the task at hand.

Thus I present a sample configuration file that (probably) has everything you need to create a self-signed certificate:

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
[req_distinguished_name]
commonName = TypeCommonNameHere
[v3_ca]
subjectAltName = @alt_names
[alt_names]
IP.1 = 203.0.113.1
IP.2 = 192.0.2.1
DNS.1 = example.com
DNS.2 = www.example.com

Edit the alt_names section as necessary and leave the rest (unless you need to add something for your particular situation). The numbers do not have to start with 1, nor be contiguous, so long as they do not repeat for a particular subject type (IP, DNS, and so on).

Then generate the private key and the self-signed certificate with:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout my.key -out my.pem -config example.cfg

This will generate the key and certificate in PEM format, appropriate for almost all *nix systems and software (like Apache/nginx/lighttpd web servers, Sendmail/Postfix/Exim e-mail servers, etc). If this certificate will be used in Windows (for IIS, Exchange, etc), you'll need to convert it to DER format with:

openssl x509 -outform der -in my.pem -out my.crt
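The whole procedure above (config file, key and certificate generation, DER conversion) as a runnable script, added here as an example and not part of the original post. It assumes the openssl binary is on PATH; the work directory, the file names and the CN passed via -subj are this example's own choices. -subj supplies the subject so openssl req does not prompt, and the umask keeps the unencrypted (-nodes) private key readable only by the current user. The san_of / san_has helpers decode the certificate afterwards so you can confirm the IP and DNS entries actually landed in the SAN, which is the check worth making before deploying the certificate.

```shell
#!/bin/sh
# Added example (not the original post's code): generate the self-signed
# certificate with IP/DNS SAN entries non-interactively and verify the SAN.
# Assumes: openssl on PATH. Directory and file names are this example's own.
set -eu

WORKDIR="${TMPDIR:-/tmp}/selfsigned-san.$$"
mkdir -p "$WORKDIR"

# Write the same minimal configuration as in the post to the given path.
write_config() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
[req_distinguished_name]
commonName = TypeCommonNameHere
[v3_ca]
subjectAltName = @alt_names
[alt_names]
IP.1 = 203.0.113.1
IP.2 = 192.0.2.1
DNS.1 = example.com
DNS.2 = www.example.com
EOF
}

# Generate the private key and self-signed PEM certificate.
# -subj provides the CN so no interactive prompt appears; the subshell's
# umask 077 makes the unencrypted key file owner-readable only.
gen_cert() {
  cfg="$1"; key="$2"; crt="$3"
  ( umask 077
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
      -subj "/CN=example.com" \
      -keyout "$key" -out "$crt" -config "$cfg" 2>/dev/null )
}

# Convert a PEM certificate to DER (the Windows/IIS/Exchange form).
to_der() {
  openssl x509 -outform der -in "$1" -out "$2"
}

# Print the decoded Subject Alternative Name line of a PEM certificate
# (empty output if the extension is absent).
san_of() {
  openssl x509 -noout -text -in "$1" \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Succeed only if the SAN contains the given entry,
# e.g. "IP Address:203.0.113.1" or "DNS:example.com".
san_has() {
  san_of "$1" | grep -q -- "$2"
}

# Check that the certificate validates against itself (self-signed trust).
verify_selfsigned() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

CFG="$WORKDIR/example.cfg"
KEY="$WORKDIR/my.key"
CRT="$WORKDIR/my.pem"
DER="$WORKDIR/my.crt"

write_config "$CFG"
gen_cert "$CFG" "$KEY" "$CRT"
to_der "$CRT" "$DER"

echo "Key:  $KEY"
echo "Cert: $CRT (DER copy: $DER)"
echo "SAN:  $(san_of "$CRT")"
```

Run it as-is to produce the files under a temporary directory; the printed SAN line should list both IP Address entries and both DNS entries. If a client still rejects the certificate, re-check that the address it connects to is one of the SAN entries, since clients that validate SANs ignore the CN.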