Command is run with adding -config and giving this file. The normal openssl.cnf is not overriden in full i think.
Other options you want ... rsa:4096 and -sha256 to sign with sha256 (cannot use with older clients, etc. etc.)
A cert-specific openssl.cnf, name it "my-san-cert-openssl.cnf" so it gets sorted along with my-san-cert.csr, etc.
To check, you can use the following command:
To do the same remotely, you can use the same with the client mode:
(Nope, doesn't work)
I use this to get the info:
If you template this and want to automatically run the openssl command, you need to pipe the right number of line breaks to it.
Wow, it seems to be also possible to define an ALTNAMES variable:
http://www.crsr.net/Notes/SSL.html (very end of page)