Usage: octopize-deploy-tool tasks create-self-signed-cert [-h] --domain DOMAIN
                                                          [--output-dir DIR]
                                                          [--valid-days DAYS]
                                                          [--ip-address IP]

Generate a self-signed X.509 TLS certificate (issuer == subject) with a
SubjectAlternativeName (SAN) extension for the given domain and write
fullchain.crt and server.key to the output directory.

Optionally, one or more IP addresses can be embedded as IPAddress SAN entries
alongside the DNS name — useful when clients connect by IP rather than hostname.

The certificate is valid for 365 days by default and uses a 2048-bit
RSA key. Files are written with standard permissions (cert: 0644, key: 0600).

Example:
  octopize-deploy-tool tasks create-self-signed-cert \
      --domain avatar.company.com \
      --output-dir /etc/nginx/certs

With an IP SAN:
  octopize-deploy-tool tasks create-self-signed-cert \
      --domain avatar.company.com \
      --ip-address 192.168.1.10 \
      --output-dir /etc/nginx/certs

Options:
  -h, --help         show this help message and exit
  --domain DOMAIN    DNS hostname to embed as CN and SAN, e.g.
                     avatar.company.com
  --output-dir DIR   Directory to write fullchain.crt and server.key (default:
                     current directory; created if it does not exist)
  --valid-days DAYS  Certificate validity period in days (default: 365)
  --ip-address IP    IP address (IPv4 or IPv6) to add as an IPAddress SAN
                     entry. May be repeated to include multiple addresses,
                     e.g. --ip-address 192.168.1.10 --ip-address ::1
