@mpacific
Last active March 24, 2018 18:43
OpenSSL + nginx + wildcard self-signed SSL cert commands that play well with Chrome
openssl genrsa -des3 -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt -config nginx-wildcard.cfg -extensions ca_ext # the root needs CA:TRUE / keyCertSign (ca_ext section below), not the server extensions
openssl req -new -sha256 -nodes -out nginx-wildcard.csr -newkey rsa:2048 -keyout nginx-wildcard.key -config nginx-wildcard.cfg -extensions req_ext
openssl x509 -req -in nginx-wildcard.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out nginx-wildcard.crt -days 500 -sha256 -extfile nginx-wildcard.cfg -extensions req_ext
cat nginx-wildcard.crt nginx-wildcard.key > nginx-wildcard.pem
chmod 600 nginx-wildcard.key nginx-wildcard.pem # both files contain the private key; the nginx master process reads them as root, so they must not be world-readable
openssl x509 -in nginx-wildcard.pem -text -noout # Checks to make sure the config is correct (look for the "X509v3 Subject Alternative Name" block)
service nginx restart # Restart nginx after updating your server config (below)
---
nginx-wildcard.cfg
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C=US
ST=Oregon
L=Portland
O=LOLZ
OU=LMAO
emailAddress=foo@bar.com
CN=host.local
[ req_ext ]
# extensions for the server certificate (CSR and signed leaf)
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth # macOS 10.15+ rejects TLS server certs that lack this EKU
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = host.local
DNS.2 = *.host.local
[ ca_ext ]
# extensions for the self-signed root only (openssl req -x509 ... -extensions ca_ext above)
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
---
vhost
server {
    listen 80;
    listen [::]:80;
    server_name client.host.local;
    return 301 https://client.host.local$request_uri;
}
server {
    listen 443 ssl; # "ssl on;" was removed in nginx 1.15; the ssl listen parameter replaces it
    listen [::]:443 ssl;
    root /var/www/docroot;
    index index.html;
    server_name client.host.local;
    ssl_certificate /var/ssl/nginx-wildcard.pem;
    ssl_certificate_key /var/ssl/nginx-wildcard.key;
    ssl_session_timeout 5m;
    location / {
        try_files $uri $uri/ =404;
    }
}
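The reason the alt_names section matters is the hostname check browsers perform: Chrome (since version 58) never consults the CN and matches the server name only against subjectAltName dNSName entries, applying RFC 6125 wildcard rules. The following is an added example, not code from the gist, that emulates that check: it pulls the DNS.N entries out of a constructed copy of the cfg's [ alt_names ] section, then shows which hostnames a SAN-only verifier accepts and why a CN-only certificate passes a legacy verifier but fails Chrome. The function names and the `legacy_accepts` fallback are this example's own assumptions.

```python
# Added example (not part of the gist): emulate the hostname check that makes a
# CN-only certificate fail in Chrome and pass once [ alt_names ] entries exist.
# Chrome 58+ ignores the CN entirely and matches only subjectAltName dNSName
# entries, with RFC 6125 wildcard rules.  The cfg text below is a constructed
# copy of the gist's alt_names section.
import re
from typing import List, Optional

NGINX_WILDCARD_CFG = """\
[ req_ext ]
basicConstraints = CA:FALSE
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = host.local
DNS.2 = *.host.local
"""


def parse_alt_names(cfg_text: str) -> List[str]:
    """Return the DNS.N values of the [ alt_names ] section of an OpenSSL cfg."""
    names: List[str] = []
    in_alt_names = False
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        section = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if section:
            in_alt_names = section.group(1) == "alt_names"
            continue
        if in_alt_names:
            key, _, value = line.partition("=")
            if key.strip().upper().startswith("DNS."):
                names.append(value.strip().lower())
    return names


def san_entry_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style dNSName match as browsers apply it: '*' must be the
    entire left-most label, matches exactly one label, and needs at least two
    labels after it (so '*.local' is rejected while '*.host.local' is fine)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False   # 'cl*.host.local' or 'client.*.local' are not accepted
    if len(p_labels) < 3:
        return False   # wildcard directly under a TLD is not accepted
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def chrome_accepts(hostname: str, san_dns: List[str], cn: Optional[str] = None) -> bool:
    """Chrome's behaviour: the CN is never consulted, only SAN entries count."""
    del cn  # deliberately ignored; this is exactly why the CN-only cert failed
    return any(san_entry_matches(entry, hostname) for entry in san_dns)


def legacy_accepts(hostname: str, san_dns: List[str], cn: Optional[str] = None) -> bool:
    """Older verifiers (assumed behaviour): fall back to the CN only when the
    certificate carries no SAN at all."""
    if san_dns:
        return chrome_accepts(hostname, san_dns)
    return cn is not None and san_entry_matches(cn, hostname)


if __name__ == "__main__":
    names = parse_alt_names(NGINX_WILDCARD_CFG)
    for host in ("host.local", "client.host.local", "a.b.host.local"):
        print(f"{host:20} SAN-only (Chrome): {chrome_accepts(host, names)}")
    # the certificate as first issued without alt_names: CN only, no SAN
    print("host.local, CN only, Chrome :", chrome_accepts("host.local", [], cn="host.local"))
    print("host.local, CN only, legacy :", legacy_accepts("host.local", [], cn="host.local"))
```

Note that `*.host.local` does not cover `host.local` itself nor `a.b.host.local`: a wildcard stands in for exactly one label, which is why the cfg lists both DNS.1 = host.local and DNS.2 = *.host.local.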

mpacific commented Mar 24, 2018

The problem I was struggling to solve was that even after setting my self-signed certificate to trusted in macOS keychain, Chrome was still complaining about an invalid common name. I had to add those alt names to the wildcard config for Chrome to accept it completely.
