Generate a Private Key for the CA

openssl genrsa -out ca.key 2048

Create a Certificate Signing Request (CSR) for the CA

openssl req -new -x509 -days 365 -key ca.key -out ca.crt -subj "/C=CZ/ST=CZ/L=Prague/O=My CA/OU=CA/CN=My CA"

Generate a Private Key for the Server

openssl genrsa -out server.key 2048 

Create a CSR for the Server

openssl req -new -key server.key -out server.csr -subj "/C=CZ/ST=CZ/L=Prague/O=My Organization/OU=Server/CN=my.domain.com"

Sign the Server’s CSR with the CA (requires a CA directory layout: new_certs_dir, database, serial in your openssl.cnf, or use a minimal config with -config):

openssl ca -in server.csr -out server.crt -key ca.key -cert ca.crt -days 365

Alternatively, sign without a full CA setup: openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365