[ ca ]
default_ca = CA_default
 
[ CA_default ]
dir               = ./myCA              # Location of the CA certificate and private key
database          = $dir/myCAindex      # Database index file
new_certs_dir     = $dir/newcerts       # Directory where new certs are stored
certificate       = $dir/ca.crt         # The CA certificate
private_key       = $dir/ca.key         # The CA private key
default_md        = sha256              # Default digest method
preserve          = no                  # Keep existing certificates (yes/no)
policy            = policy_any          # Default policy for issuing certificates
 
[ policy_any ]
countryName             = optional
stateOrProvinceName     = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = required
emailAddress            = optional

# create private key
openssl genpkey -algorithm RSA -out server.key -pkeyopt rsa_keygen_bits:2048
# create certificate for private key
openssl req -new -key server.key -out server.csr
# sign with CA (see configuration)
openssl ca -in server.csr -out server.crt -config openssl.cnf
# view cert
openssl ca -in server.csr -out server.crt -config openssl.cnf