This is done only once. The created private key is the basis of trust for all other certificates, so never ever let anyone see it.
openssl genrsa -out root.key 2048
To create the same key with password protection, add the -des3 flag.
openssl genrsa -des3 -out root.key 2048
Add root.pem to the ca-certificates.crt file that is distributed in the
infrastructure (attached to Docker containers).
cat root.pem >> ca-certificates.crt
Sign the root certificate (it is self-signed with root.key). The entered data
does not really matter, with one exception: when asked for Common Name, provide
something that does not sound like a person, for example ACME Peanut Butter Jelly:
openssl req -x509 -new -nodes -key root.key -sha256 -days 3650 -out root.pem
Create the service's private key.
openssl genrsa -out x-service.key 2048
Generate a certificate signing request. None of the answers matter, except for
one: Common Name must be the address of the service that will use it, for
example echo.opinary.com.
openssl req -new -key x-service.key -out x-service.csr
Finally, sign with the root certificate:
openssl x509 -req -in x-service.csr -CA root.pem -CAkey root.key -CAcreateserial -out x-service.crt -days 356 -sha256
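The same steps run non-interactively in a scratch directory, as an added example that is not part of the original page. It also puts the service address into a subjectAltName extension at signing time, because current TLS clients (Go since 1.15, Chrome since 58) match hostnames against subjectAltName and ignore Common Name. The function names, the ca.cnf and san.ext files, and the 30-day lifetimes are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: throwaway CA in a scratch directory, not the page's own script.

# issue_with_san DIR HOST: repeat the page's steps in DIR, adding a SAN for HOST.
issue_with_san() {
    dir=$1 host=$2
    (
        cd "$dir" || exit 1
        umask 077    # key files are created readable by the owner only
        # Constructed minimal config: no prompts, no reliance on the system openssl.cnf.
        cat > ca.cnf <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = ACME Peanut Butter Jelly
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
        # Extensions are set at signing time; by default x509 -req copies none from the CSR.
        printf 'subjectAltName = DNS:%s\nbasicConstraints = CA:FALSE\n' "$host" > san.ext

        openssl genrsa -out root.key 2048 2>/dev/null &&
        openssl req -x509 -new -nodes -key root.key -sha256 -days 30 \
            -config ca.cnf -out root.pem &&
        openssl genrsa -out x-service.key 2048 2>/dev/null &&
        openssl req -new -key x-service.key -config ca.cnf \
            -subj "/CN=$host" -out x-service.csr &&
        openssl x509 -req -in x-service.csr -CA root.pem -CAkey root.key \
            -CAcreateserial -out x-service.crt -days 30 -sha256 \
            -extfile san.ext 2>/dev/null
    )
}

# check_service_cert DIR HOST: succeed only if the chain verifies and the SAN names HOST.
check_service_cert() {
    openssl verify -CAfile "$1/root.pem" "$1/x-service.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$1/x-service.crt" -noout -text | grep -qF "DNS:$2"
}
# Usage: d=$(mktemp -d) && issue_with_san "$d" echo.opinary.com \
#        && check_service_cert "$d" echo.opinary.com && echo OK
```

Running check_service_cert against a certificate signed with the plain command above fails on the SAN test, which is a quick way to find service certificates that need reissuing.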