Self-signed CA certificate and issuing child certificates
Create the Root Certificate (Done Once)
Create the Root Key
openssl genrsa -out rootCA.key 2048
openssl ecparam -out rootCA.key -name prime256v1 -genkey   # ECC alternative to the RSA key above
You can also create a key that is password protected by adding -des3:
openssl genrsa -des3 -out rootCA.key 2048
The next step is to self-sign the root certificate with this key (-nodes leaves the key unencrypted; omit it if you chose the -des3 option above).
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 7300 -out rootCA.pem
Install Root Certificate Into Workstations
Create A Certificate (Done Once Per Device)
Every device on which you wish to install a trusted certificate will need to go through this process. First, just like in the root CA step, you’ll need to create a private key (a different one from the root CA key).
openssl genrsa -out somedomain.key 2048
openssl ecparam -out somedomain.key -name prime256v1 -genkey   # ECC alternative
Once the key is created, you’ll generate the certificate signing request.
openssl req -new -key somedomain.key -out somedomain.csr
You’ll be asked various questions (Country, State/Province, etc.). Answer them as you see fit. The important question is Common Name.
Common Name (eg, YOUR name) []: 10.0.0.1
The value must be the same as your domain or sub-domain.
Whatever you see in the address field in your browser when you go to your device must be what you put under common name, even if it’s an IP address. Yes, even an IP (IPv4 or IPv6) address works under common name. If it doesn’t match, even a properly signed certificate will not validate correctly and you’ll get the “cannot verify authenticity” error. Once that’s done, you’ll sign the CSR, which requires the CA root key.
openssl x509 -req -in somedomain.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out somedomain.crt -days 3650 -sha256
To issue an X.509 v3 certificate with a subjectAltName (SAN) extension, pass an extension file when signing; without a SAN, Chrome 58 rejects the certificate with the [missing_subjectAltName] error:
openssl x509 -req -in somedomain.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out somedomain.crt -days 3650 -sha256 -extfile v3.ext
The v3.ext file contains:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = somedomain.com
DNS.2 = *.somedomain.com
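The script below is an added example, not part of the original page: it runs the whole procedure above end to end (root key, self-signed root, device key, CSR, signing with the v3.ext extensions) non-interactively in a scratch directory, then checks the result the way a practitioner would before installing anything: that the leaf chains to the root, that it is marked CA:FALSE, and that it is valid for the names it will serve. It goes one step beyond the page by adding an IP.1 entry to [alt_names], which is what a browser checks when the address bar holds an IP address rather than a host name (the DNS entries alone do not cover the 10.0.0.1 case). The CA name, example.internal, 10.0.0.1 and the file names are constructed for this demo.

```shell
#!/bin/sh
# Added example (not from the original page): the page's procedure run end to
# end, non-interactively, in a scratch directory. The names below
# (Demo Lab Root CA, example.internal, 10.0.0.1) are constructed for this demo.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Step 1 (done once): root key and self-signed root certificate.
make_root_ca() {
    openssl genrsa -out "$WORKDIR/rootCA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$WORKDIR/rootCA.key" -sha256 -days 7300 \
        -subj "/CN=Demo Lab Root CA" -out "$WORKDIR/rootCA.pem"
}

# Step 2: the page's v3.ext, plus an IP.1 entry so an IP address in the
# browser's address bar also matches the SAN list.
write_v3_ext() {
    cat > "$WORKDIR/v3.ext" <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = example.internal
DNS.2 = *.example.internal
IP.1 = 10.0.0.1
EOF
}

# Step 3 (done once per device): device key, CSR, signing with the root key.
issue_leaf() {
    openssl genrsa -out "$WORKDIR/device.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/device.key" -subj "/CN=example.internal" \
        -out "$WORKDIR/device.csr"
    openssl x509 -req -in "$WORKDIR/device.csr" -CA "$WORKDIR/rootCA.pem" \
        -CAkey "$WORKDIR/rootCA.key" -CAcreateserial -days 3650 -sha256 \
        -extfile "$WORKDIR/v3.ext" -out "$WORKDIR/device.crt" 2>/dev/null
}

# Exit 0 only if the leaf chains to the root certificate.
verify_chain() {
    openssl verify -CAfile "$WORKDIR/rootCA.pem" "$WORKDIR/device.crt" >/dev/null
}

# Exit 0 only if the certificate is valid for the given host name (SAN match).
verify_for_host() {
    openssl verify -CAfile "$WORKDIR/rootCA.pem" -verify_hostname "$1" \
        "$WORKDIR/device.crt" >/dev/null 2>&1
}

# Exit 0 only if the certificate is valid for the given IP address.
verify_for_ip() {
    openssl verify -CAfile "$WORKDIR/rootCA.pem" -verify_ip "$1" \
        "$WORKDIR/device.crt" >/dev/null 2>&1
}

# Print the SAN line of the leaf, e.g. "DNS:example.internal, ..., IP Address:10.0.0.1".
leaf_san() {
    openssl x509 -in "$WORKDIR/device.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1
}

# Exit 0 only if the leaf carries CA:FALSE, i.e. it cannot sign further certificates.
leaf_is_end_entity() {
    openssl x509 -in "$WORKDIR/device.crt" -noout -text | grep -q 'CA:FALSE'
}

run_all() {
    make_root_ca
    write_v3_ext
    issue_leaf
    verify_chain
}

run_all
echo "Work dir: $WORKDIR"
echo "SAN: $(leaf_san)"
```

The -verify_hostname and -verify_ip checks reproduce what the browser does with the address bar value: a name or IP that is not in the SAN list fails even though the signature and chain are fine, which is exactly the "cannot verify authenticity" situation described above.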