1. Create a private key (the root CA key); keep this very private.
2. Self-sign a root certificate.
3. Install the root CA on your various workstations.
4. Create a CSR (Certificate Signing Request) for each of your authorized needs (device, server, client, etc.).
5. Sign each CSR with the root CA key.

```
# generate a signing key (-des3 encrypts it with a passphrase; you will be asked for it on every signing)
openssl genrsa -des3 -out rootCA.key 2048

# request a self-signed root certificate
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
# DO NOT forget to mark the root cert as trusted in the macOS Keychain (step 3)

# Create a key and CSR
# request a new key and CSR from a config file (a plain -config server.csr.cnf works as well)
openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key -config <( cat server.csr.cnf )

# Sign the CSR with the root key, adding the leaf extensions from v3.ext
openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 500 -sha256 -extfile v3.ext
```

# server.csr.cnf

```
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn

[dn]
C=US
ST=RandomState
L=RandomCity
O=RandomOrganization
OU=RandomOrganizationUnit
emailAddress=hello@example.com
CN=localhost
```

# v3.ext

```
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
```
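The whole procedure, end to end, as an added example that is not part of the original notes: it runs steps 1, 2, 4 and 5 non-interactively in one directory and then performs the checks a workstation's TLS stack performs (the leaf chains to the private root, is not itself a CA, and names `localhost` in its SAN), plus the negative check that a machine without the root installed rejects the certificate. Assumptions: `openssl` is on `PATH`; file names follow the notes (`rootCA.key`, `rootCA.pem`, `server.key`, `server.csr`, `server.crt`, `server.csr.cnf`, `v3.ext`); the root key is written unencrypted so that nothing prompts for a passphrase (the notes' `-des3` is the right choice for a root key you intend to keep); the subject names are constructed; `basicConstraints=CA:TRUE` is written explicitly for the root instead of being inherited from the system `openssl.cnf`; and `extendedKeyUsage = serverAuth` is added to the notes' `v3.ext`, since Apple's trust evaluation requires it on TLS server certificates. The function names `make_local_ca`, `check_leaf` and `foreign_root_rejected` are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original notes): runs the five steps above
# non-interactively in one directory, then checks what a workstation would
# check. Assumptions: OpenSSL on PATH; file names as in the notes; the root key
# is written unencrypted so nothing prompts for a passphrase (the notes' -des3
# is the right choice for a root key you intend to keep).

# make_local_ca DIR -- root CA plus a signed "localhost" server cert inside DIR
make_local_ca() (
    mkdir -p "$1" && cd "$1" || exit 1

    # 1. root CA private key
    openssl genrsa -out rootCA.key 2048 2>/dev/null || exit 1

    # 2. self-signed root; CA:TRUE is written explicitly rather than inherited
    #    from whatever v3_ca section the system openssl.cnf happens to have
    cat > rootCA.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Local Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 \
        -config rootCA.cnf -out rootCA.pem || exit 1

    # 4. server key and CSR, same shape as server.csr.cnf in the notes
    cat > server.csr.cnf <<'EOF'
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
C = US
O = RandomOrganization
CN = localhost
EOF
    openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 \
        -keyout server.key -config server.csr.cnf 2>/dev/null || exit 1

    # leaf extensions as in the notes' v3.ext, plus extendedKeyUsage=serverAuth,
    # which Apple's trust evaluation requires on TLS server certificates
    cat > v3.ext <<'EOF'
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
EOF

    # 5. sign the CSR with the root CA key (step 3, trusting the root on each
    #    workstation, is the manual part and is not automated here)
    openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key \
        -CAcreateserial -out server.crt -days 500 -sha256 -extfile v3.ext \
        2>/dev/null || exit 1
)

# check_leaf DIR -- 0 only if server.crt chains to rootCA.pem, is not itself a
# CA, and names localhost in its SAN (the fields a browser actually looks at)
check_leaf() {
    openssl verify -CAfile "$1/rootCA.pem" "$1/server.crt" >/dev/null 2>&1 || return 1
    text=$(openssl x509 -in "$1/server.crt" -noout -text) || return 1
    printf '%s\n' "$text" | grep -q 'CA:FALSE' || return 1
    printf '%s\n' "$text" | grep -q 'DNS:localhost' || return 1
}

# foreign_root_rejected ROOT_DIR LEAF_DIR -- 0 when a different root does NOT
# validate the leaf, i.e. what any machine without our root installed sees
foreign_root_rejected() {
    if openssl verify -CAfile "$1/rootCA.pem" "$2/server.crt" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# demo run:  sh local_ca.sh demo
if [ "${1:-}" = "demo" ]; then
    make_local_ca ./local-ca && check_leaf ./local-ca && echo "local-ca: OK"
fi
```

`openssl verify -CAfile` deliberately checks against the private root only, not the system trust store, so the check passes or fails on the strength of this CA alone; the `foreign_root_rejected` call is the reminder that step 3 (installing the root) is what makes the certificate trusted anywhere, and that nothing in steps 1, 2, 4 or 5 can substitute for it.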