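# Generate a self-signed wildcard TLS certificate for local development on
# *.niepi.localhost. Writes niepi.localhost.key and niepi.localhost.crt into
# the current directory. Requires bash (process substitution).
#
# -nodes leaves the private key unencrypted on disk. The command therefore
# runs in a subshell with umask 077 so new files are created owner-only and
# the caller's umask is left untouched; the chmod covers a key file that
# already existed with a wider mode. The certificate is public: relax its
# mode afterwards if another account has to read it.
#
# The [SAN] section is appended to a copy of the system config:
#   - the leading '\n' keeps "[SAN]" on its own line even if openssl.cnf
#     does not end with a newline;
#   - subjectAltName carries the host name (clients match SAN, not CN);
#   - extendedKeyUsage=serverAuth marks the certificate as a TLS server
#     certificate, which Apple platforms (macOS 10.15+/iOS 13+) require.
# The wildcard matches one label below niepi.localhost, not the bare name
# niepi.localhost; add a second DNS: entry if that name is served too.
#
# The config path is the macOS system location; adjust it on other systems.
(
  umask 077
  openssl req -newkey rsa:2048 \
    -x509 \
    -nodes \
    -keyout niepi.localhost.key \
    -new \
    -out niepi.localhost.crt \
    -subj '/CN=*.niepi.localhost' \
    -reqexts SAN \
    -extensions SAN \
    -config <(cat /System/Library/OpenSSL/openssl.cnf \
        <(printf '\n[SAN]\nsubjectAltName=DNS:*.niepi.localhost\nextendedKeyUsage=serverAuth\n')) \
    -sha256 \
    -days 720 \
    && chmod 600 niepi.localhost.key
)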