Blank Configuration File

A plain configuration file for the request. DNS.1 should match the CN of the certificate, and any additional Subject Alternative Names (SANs) follow it in the [alt_names] section. Modern TLS clients validate the hostname against the SAN list and ignore the CN, so every name the server will answer for, the CN included, must appear as a DNS.n entry. This example would be saved as server.ghostnetwork.net.conf, which is the name the CSR step uses.

[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
commonName = Common Name (e.g. server FQDN or YOUR name)
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = server.ghostnetwork.net
DNS.2 = fancyurl.ghostnetwork.net

Certificate Private Key Generation

Generate the private key (4096 bit). I use the full hostname plus a file extension for every file; it keeps things simple later. The key is written unencrypted, so restrict its permissions (owner read/write only) as soon as it exists.

openssl genrsa -out server.ghostnetwork.net.key 4096

Certificate Signing Request

Generate the certificate signing request to send to your certificate authority. This uses the configuration file and the private key generated above. The [req_distinguished_name] section in the configuration above holds only prompt labels, so in this example the full DN is given on the command line with -subj. If you instead put the real values in the configuration file (and add prompt = no to the [ req ] section), -subj can be dropped. Either way the CN must also be DNS.1 in [alt_names]. Confirm the SAN entries are present in the CSR before sending it; a CA issues what it is asked for.

openssl req -new -key server.ghostnetwork.net.key -nodes -config server.ghostnetwork.net.conf -out server.ghostnetwork.net.csr -subj "/C=US/ST=Ohio/L=Cincinnati/O=GhostNetworkCo/OU=IT/CN=server.ghostnetwork.net"

PKCS12 - PFX Container Generation

Generate a PKCS12 container holding the certificate's private key and the public certificate (the base64/PEM .crt file the CA returned for the CSR from the previous step). openssl prompts for an export password; set one, since the .p12 carries the private key. If the CA also supplied intermediate certificates, add them with -certfile so the chain travels with the container.

openssl pkcs12 -export -in server.ghostnetwork.net.crt -inkey server.ghostnetwork.net.key -out server.ghostnetwork.net.p12

PKCS12 to PEM Conversion

Takes a PKCS12 container and splits out the public certificate and the private key as separate PEM files. The second command writes the key unencrypted (-nodes), so lock down its permissions.

openssl pkcs12 -in server.ghostnetwork.net.p12 -nokeys -out server.ghostnetwork.net.pem

openssl pkcs12 -in server.ghostnetwork.net.p12 -nocerts -nodes -out server.ghostnetwork.net.key
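The whole procedure above run end to end in a scratch directory, as an added example rather than commands from the page. It assumes only that openssl is on PATH. Because there is no CA to send the CSR to offline, the CA step is replaced by self-signing the CSR with the same key, which carries the SANs across the way a CA would; the hostname, DN values and the export password changeit are placeholders. The verify function at the end does the checks a practitioner would want: the SANs are in the CSR and the certificate, and the key extracted from the .p12 belongs to that certificate.

```shell
#!/bin/sh
# Added example: runs the page's procedure end to end in a scratch directory.
# Assumptions (not from the page): openssl is on PATH; the external CA is
# replaced by self-signing the CSR; CERT_HOST, the DN values and P12_PASS
# are placeholders.
set -eu

CERT_HOST="${CERT_HOST:-server.ghostnetwork.net}"
WORK="${WORK:-$(mktemp -d)}"
P12_PASS="changeit"                 # placeholder export password
KEY_BITS="${KEY_BITS:-4096}"

# Request config with the DN values inline (prompt = no), so the CSR step needs
# no -subj. DNS.1 mirrors the CN; DNS.2 is the page's second hostname.
write_conf() {
  cat > "$WORK/$CERT_HOST.conf" <<EOF
[ req ]
default_bits       = $KEY_BITS
prompt             = no
distinguished_name = req_distinguished_name
req_extensions     = req_ext
[ req_distinguished_name ]
C  = US
ST = Ohio
L  = Cincinnati
O  = GhostNetworkCo
OU = IT
CN = $CERT_HOST
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = $CERT_HOST
DNS.2 = fancyurl.ghostnetwork.net
EOF
}

# Private key (unencrypted, so lock it down) and CSR, then a self-signed stand-in
# for the CA-issued .crt. -extfile/-extensions copies the SANs into the cert,
# which a real CA does (or overrides with its own policy) on its side.
issue_cert() {
  openssl genrsa -out "$WORK/$CERT_HOST.key" "$KEY_BITS" 2>/dev/null
  chmod 600 "$WORK/$CERT_HOST.key"
  openssl req -new -key "$WORK/$CERT_HOST.key" -config "$WORK/$CERT_HOST.conf" \
    -out "$WORK/$CERT_HOST.csr"
  openssl x509 -req -days 30 -in "$WORK/$CERT_HOST.csr" -signkey "$WORK/$CERT_HOST.key" \
    -extfile "$WORK/$CERT_HOST.conf" -extensions req_ext \
    -out "$WORK/$CERT_HOST.crt" 2>/dev/null
}

# Bundle key + cert into PKCS12 and split them back out, as on the page.
# The password goes through -passout/-passin so the run is non-interactive.
roundtrip_p12() {
  openssl pkcs12 -export -in "$WORK/$CERT_HOST.crt" -inkey "$WORK/$CERT_HOST.key" \
    -out "$WORK/$CERT_HOST.p12" -passout "pass:$P12_PASS"
  openssl pkcs12 -in "$WORK/$CERT_HOST.p12" -nokeys -clcerts \
    -out "$WORK/$CERT_HOST.pem" -passin "pass:$P12_PASS"
  openssl pkcs12 -in "$WORK/$CERT_HOST.p12" -nocerts -nodes \
    -out "$WORK/$CERT_HOST.roundtrip.key" -passin "pass:$P12_PASS"
  chmod 600 "$WORK/$CERT_HOST.roundtrip.key"
}

# Checks worth running before deploying: both SANs are in the CSR and the
# certificate, and the key that came back out of the .p12 belongs to the
# certificate (identical SubjectPublicKeyInfo). Prints "ok" only if all pass.
verify() {
  openssl req -in "$WORK/$CERT_HOST.csr" -noout -text | grep -q "DNS:$CERT_HOST" || return 1
  openssl x509 -in "$WORK/$CERT_HOST.pem" -noout -text \
    | grep -q "DNS:fancyurl.ghostnetwork.net" || return 1
  crt_pub=$(openssl x509 -in "$WORK/$CERT_HOST.pem" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$WORK/$CERT_HOST.roundtrip.key" -pubout) || return 1
  [ "$crt_pub" = "$key_pub" ] || return 1
  echo ok
}

run_all() {
  write_conf && issue_cert && roundtrip_p12 && verify
}

# Usage: sh thisfile.sh --run   (prints "ok"; files stay in $WORK for inspection)
if [ "${1:-}" = "--run" ]; then
  run_all
fi
```

The public-key comparison is the one that catches the classic mistake of bundling a certificate with the wrong key: a .p12 built that way exports and imports without complaint and only fails at TLS handshake time.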