2024-12-31-cas

    # CSR carrying an identity (SAN) plus a certificatePolicies OID; -addext needs OpenSSL 1.1.1 or later
    openssl req -new -subj "/C=GB/CN=foo" \
        -addext "subjectAltName = DNS:foo.co.uk" \
        -addext "certificatePolicies = 1.2.3.4" \
        -newkey rsa:2048 -keyout key.pem -out req.pem

After giving it some thought, it is a bad idea to store "permissions" in the certificate. This is because you can't change the permissions on a certificate after it has been issued: you would need to re-issue the certificate.

It would probably be better to store only the identity in the certificate, and use a permissions file, either static or served from a server, to decide whether the holder is authorized to perform a given action.

That way, if you need to change permissions, you change the static file or, better, update a permissions (authorization) server, and the certificate stays valid.
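As an added example (not part of the original note), the split described above in shell: the certificate carries only the SAN identity, and a constructed permissions.txt (hypothetical format, one "identity action" pair per line) stands in for the static file or authorization server. It assumes OpenSSL 1.1.1 or later for -addext and -ext.

```shell
#!/bin/sh
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. Self-signed cert (stand-in for an issued cert) holding only an identity:
#    the SAN. No permission claims are baked in, so they never need re-issuing.
openssl req -x509 -new -subj "/C=GB/CN=foo" \
    -addext "subjectAltName = DNS:foo.co.uk" \
    -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 1 2>/dev/null

# 2. Authorization data lives outside the certificate (constructed sample).
#    Editing this file changes permissions without touching any certificate.
cat > permissions.txt <<'EOF'
foo.co.uk deploy
foo.co.uk read-logs
bar.co.uk read-logs
EOF

# identity_from_cert CERT -> first DNS name in the subjectAltName extension
identity_from_cert() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | sed -n 's/.*DNS:\([^,[:space:]]*\).*/\1/p' | head -n 1
}

# authorized IDENTITY ACTION POLICY_FILE -> exit 0 only on an exact line match
authorized() {
    grep -qxF "$1 $2" "$3"
}

ID=$(identity_from_cert cert.pem)
echo "identity from certificate: $ID"
for action in deploy delete; do
    if authorized "$ID" "$action" permissions.txt; then
        echo "$action: allowed"
    else
        echo "$action: denied"
    fi
done
```

Swapping the grep for a query to an authorization service keeps the same shape: the certificate proves who is asking, the external source decides what they may do.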