This way will work with Nginx or any other reverse proxy server.

addext the feature requires OpenSSL the version to be equal or more 1.1.1:

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
  -keyout hinty.key -out hinty.crt -subj "/CN=example.com" \
  -addext "subjectAltName=DNS:*.example.com,DNS:www.example.net,IP:10.0.0.1"

IP option allows to create certificate for IP domain (in most cases it is not recommended).

Most likely you don't need both DNS and IP, so can leave only one component or remove addext at all.

#ssl