I’m finding one of the commands I run while debugging certificate generation and tweaks is:
openssl x509 -in <certificate-file> -text
This displays the complete content of a cert, allowing looking inside to verify alt_names, etc., and verify that the generated certificate then works.
— doug
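
A scripted form of the check described above, as an added example that is not part of the original post: it builds a throwaway self-signed certificate from a config with an alt_names section and confirms those names show up in the `-text` output. The host names, file names and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm that the alt_names from the config reached the cert.
# Host names, file names and function names are constructed for illustration.

# Print the DNS entries of the Subject Alternative Name extension, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' |
        sed -n 's/^ *DNS://p'
}

# check_sans CERT NAME...  -> exit 0 only if every NAME is a DNS SAN in CERT.
check_sans() {
    cert=$1; shift
    found=$(cert_sans "$cert")
    missing=0
    for name in "$@"; do
        printf '%s\n' "$found" | grep -Fxq -- "$name" || {
            echo "missing SAN: $name" >&2
            missing=1
        }
    done
    return "$missing"
}

# Generate a short-lived self-signed cert from a config with an alt_names section.
# With "req -x509" the extensions come from x509_extensions, not req_extensions.
make_test_cert() {
    dir=$1
    cat > "$dir/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ext
prompt = no
[dn]
CN = app.example.test
[v3_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = app.example.test
DNS.2 = api.example.test
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$dir/openssl.cnf" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
}
```

Run `make_test_cert "$(mktemp -d)"` and then `check_sans` against the resulting `cert.pem`; a non-zero exit together with a "missing SAN" line means the extension section was not applied when the certificate was generated.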