diff --git a/openssl.sh b/openssl.sh index 81b21b6..99b8d69 100644 --- a/openssl.sh +++ b/openssl.sh @@ -5,13 +5,14 @@ set -u options="${1:-}" prefix="${2:-}" +host="${3:-localhost}" doserver=0 doclient=0 case "$options" in server ) doserver=1 ;; - client ) doclient=1 ; cacrt="${3}"; cakey="${4}" ;; + client ) doclient=1 ; cacrt="${4}"; cakey="${5}" ;; all ) doserver=1; doclient=1 ;; * ) echo "USAGE: $0 [all|server|client] file_prefix [server.crt server.key]"; exit 1 ;; esac @@ -24,14 +25,10 @@ if ((doserver)); then echo 1 openssl genrsa -out $cakey 4096 echo 2 - echo ' - - - - - localhost - - ' | openssl req -nodes -new -x509 -days 365 -key $cakey -out $cacrt + openssl req -nodes -new -x509 -days 365 -key $cakey -out $cacrt \ + -subj "/C=US/ST=UT/O=breel/CN=${host}" \ + -reqexts SAN -extensions SAN -config <(cat /etc/ssl/openssl.cnf \ + <(printf "\n[SAN]\nsubjectAltName=DNS:${host},DNS:*.${host}")) fi if ((doclient)); then @@ -41,19 +38,15 @@ if ((doclient)); then echo 3 openssl genrsa -out $clientkey 4096 echo 4 - echo ' + openssl req -nodes -new -key $clientkey -out $clientcsr \ + -subj "/C=US/ST=UT/O=breel/CN=${host}" \ + -reqexts SAN -extensions SAN -config <(cat /etc/ssl/openssl.cnf \ + <(printf "\n[SAN]\nsubjectAltName=DNS:${host},DNS:*.${host}")) - - - - localhost - - - - ' | openssl req -nodes -new -key $clientkey -out $clientcsr # self-signed echo 5 - openssl x509 -req -days 365 -in $clientcsr -CA $cacrt -CAkey $cakey -set_serial 01 -out $clientcrt + openssl x509 -req -days 365 -in $clientcsr -CA $cacrt -CAkey $cakey \ + -set_serial 01 -out $clientcrt fi if ((doserver)); then
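Review bot: The usage text in the `* )` arm still reads `file_prefix [server.crt server.key]`, although the new `host="${3:-localhost}"` moves the client's CA paths to `$4` and `$5`. A caller using the old `client prefix ca.crt ca.key` form now has `ca.crt` taken as the host name, and if the `set -u` shown at the top of the hunk is in effect, the script stops on an unset `${5}` with no hint why. I would change the message to `USAGE: $0 [all|server|client] file_prefix [host] [ca.crt ca.key]` and read the paths as `cacrt="${4:?missing CA cert}"; cakey="${5:?missing CA key}"`. Because `host` is later written into an openssl config and a subject string, a check such as `[[ $host =~ ^[A-Za-z0-9.-]+$ ]] || exit 1` right after the assignment would keep stray characters out of both.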
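Review bot: Passing `-extensions SAN` to `openssl req -x509` selects the appended `[SAN]` section in place of the config's default `x509_extensions` section, so on a stock `openssl.cnf` the certificate probably loses `basicConstraints=CA:true`. The client branch still passes this certificate as `-CA $cacrt`, and verifiers that require the CA bit on an issuer may then reject the client certificate. Adding the constraint to the generated section would keep it, and moving `${host}` out of the printf format string stops a `%` or backslash in the argument from being interpreted: `printf '\n[SAN]\nbasicConstraints=critical,CA:TRUE\nsubjectAltName=DNS:%s,DNS:*.%s\n' "$host" "$host"`. The client hunk has the same printf and should get the `%s` form too, without the basicConstraints line. The enclosing `if ((doserver))` block starts outside the hunk.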
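Review bot: The client CSR uses the same `-subj "/C=US/ST=UT/O=breel/CN=${host}"` as the CA certificate in the server hunk, so the issued client certificate has identical subject and issuer names. Chain builders can take such a certificate for a self-signed one and fail verification, and the server cannot tell the client identity from its own. A distinct subject avoids that, for example `-subj "/C=US/ST=UT/O=breel/CN=client.${host}"` (the CN value is only an illustration). Note also that `openssl x509 -req` as written has no `-extfile`/`-extensions`, so the SAN requested through `-reqexts SAN` is most likely not copied into `$clientcrt`. If the SAN is wanted on the client certificate it has to be supplied at signing time, otherwise the `-reqexts SAN -extensions SAN -config …` arguments can be dropped from the CSR command.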