Custom CA using OpenSSL

Generate a Private Key for the CA:

openssl genrsa -out ca.key 2048

Create a self-signed root certificate for the CA (the -x509 flag outputs a certificate, not a CSR):

openssl req -new -x509 -days 365 -key ca.key -out ca.crt -subj "/C=CZ/ST=CZ/L=Prague/O=My CA/OU=CA/CN=My CA"

Generate a Private Key for the Server:

openssl genrsa -out server.key 2048

Create a CSR for the Server:

openssl req -new -key server.key -out server.csr -subj "/C=CZ/ST=CZ/L=Prague/O=My Organization/OU=Server/CN=my.domain.com"

Sign the Server’s CSR with the CA (this requires the CA directory layout that your openssl.cnf refers to: new_certs_dir, database and serial; otherwise pass a minimal config with -config):

openssl ca -in server.csr -out server.crt -keyfile ca.key -cert ca.crt -days 365

Alternatively, sign without a full CA setup:

openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365
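
The steps above, run end to end in a scratch directory and then checked; this is an added example, not part of the original page. It uses the `openssl x509 -req` signing path; the function names and the `san.ext` file are assumptions made for the example, and the subjectAltName set at signing time is an addition.

```shell
#!/bin/sh
set -eu

# build_chain DIR HOST: the page's commands, with every file kept under DIR.
build_chain() {
    dir=$1; host=$2
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/C=CZ/ST=CZ/L=Prague/O=My CA/OU=CA/CN=My CA"
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=CZ/ST=CZ/L=Prague/O=My Organization/OU=Server/CN=$host"
    # Assumption (not on the page): set subjectAltName at signing time.
    # "x509 -req" does not copy CSR extensions by default, and TLS clients
    # match the hostname against the SAN rather than the CN.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/server.crt" \
        -days 365 -extfile "$dir/san.ext" 2>/dev/null
}

# chain_ok DIR: true only if server.crt verifies against ca.crt.
chain_ok() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# key_matches DIR: true if server.key is the private key behind server.crt.
key_matches() {
    a=$(openssl x509 -in "$1/server.crt" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$1/server.key" -pubout | openssl sha256)
    [ "$a" = "$b" ]
}

# host_ok DIR HOST: true if the certificate is valid for HOST.
host_ok() {
    openssl x509 -in "$1/server.crt" -noout -checkhost "$2" \
        | grep -q 'does match'
}

# Demo run in a throwaway directory that is removed on exit.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
build_chain "$work" my.domain.com
if chain_ok "$work" && key_matches "$work" && host_ok "$work" my.domain.com
then echo "chain, key and hostname checks passed"
else echo "check failed" >&2; exit 1
fi
```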