create a root CA,

cp -pi /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.dist
vi /etc/ssl/openssl.cnf

[ CA_default ]

dir             = ./            # Where everything is kept
new_certs_dir   = $dir         # default place for new certs.

eventually be quick and dirty,

[policy_match]
countryName= optional
stateOrProvinceName= optional
organizationName= optional
organizationalUnitName= optional
commonName= supplied
emailAddress= optional

[ req_distinguished_name ]
*_default= ...

#already exists on both ubuntu and slackware
#mkdir private/

#but perms are fucked up
chmod 700 private/

openssl genrsa -aes256 -out private/cakey.pem 4096
chmod 400 private/cakey.pem

openssl req -key private/cakey.pem -new -x509 -days 7300 -sha256 -out cacert.pem
chmod 444 cacert.pem

openssl x509 -noout -text -in cacert.pem

generate a server CSR,

cn=HOSTNAME-OR-FQDN

openssl genrsa -aes256 -out private/$cn.key 2048
chmod 400 private/$cn.key

openssl req -key private/$cn.key -new -sha256 -out $cn.csr
chmod 400 $cn.csr

sign the request with your root CA,

touch index.txt
echo 01 > serial

openssl ca -days 375 -notext -md sha256 -in $cn.csr -out $cn.crt
chmod 444 $cn.crt

tail -1 index.txt

openssl x509 -noout -text -in $cn.crt
openssl verify -CAfile cacert.pem $cn.crt

unset cn

Refs.