Create your own certificate authority (CA) to sign SSL certificates
mkdir -p root-ca/{conf,private,public}
chmod 700 root-ca/private/    # a directory needs the execute bit; 600 would make it untraversable even for you
cd root-ca/
mkdir signed-keys
echo "01" > conf/serial
touch conf/index
Create a new file root-ca/conf/openssl.cnf with the following content:

[ req ]
default_bits           = 2048
default_keyfile        = ./private/root.pem
default_md             = sha256
prompt                 = no
distinguished_name     = root_ca_distinguished_name
x509_extensions        = v3_ca

[ root_ca_distinguished_name ]
countryName            = CA
stateOrProvinceName    = Quebec
localityName           = Brighton
0.organizationName     = Example Inc
commonName             = Example Inc Root CA
emailAddress           = frank@example.com

[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints       = CA:true

[ ca ]
default_ca             = CA_default

[ CA_default ]
dir                    = .
new_certs_dir          = ./signed-keys/
database               = ./conf/index
certificate            = ./public/root.pem
serial                 = ./conf/serial
private_key            = ./private/root.pem
x509_extensions        = usr_cert
name_opt               = ca_default
cert_opt               = ca_default
default_crl_days       = 30
default_days           = 365
default_md             = sha256
preserve               = no
policy                 = policy_match

[ policy_match ]
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer:always
nsCaRevocationUrl      = https://www.example.com/example-ca-crl.pem
# create root certificate CA
openssl req -config conf/openssl.cnf -days 1825 -x509 -newkey rsa:2048 -out public/root.pem -outform PEM
Two things to watch in that command. First, the key size: the command originally used rsa:1024, which is far below today's minimum (the CA/Browser Forum requires at least 2048-bit RSA), so use rsa:2048 or larger, matching the default_bits in openssl.cnf. Second, the command originally passed -nodes, which writes the root private key to private/root.pem unencrypted; without -nodes, OpenSSL prompts for a passphrase, and the root key of a CA is exactly the key that should be protected that way.
Be sure that your openssl.cnf specifies default_md = sha256 or better. If sha1 is used, you will get errors in Chrome such as
Congratulations, your root certificate is done! The next steps show how to process certificate signing requests (.csr files).
First, inspect the certificate signing request to see which host it is for:
$> openssl req -in ~/client.csr -noout -text
Check the subject against what the requester is actually entitled to: openssl ca signs whatever you hand it. With the configuration above it ignores any extensions embedded in the CSR and applies the usr_cert section, which pins basicConstraints to CA:FALSE, so a request cannot turn itself into a CA. The flip side is that no subjectAltName is carried over either, and current browsers ignore the commonName and require a subjectAltName on server certificates; to issue browser-usable server certificates, set copy_extensions = copy in [CA_default] and review the requested extensions as carefully as the subject.
Then sign the certificate:
$> openssl ca -batch -config conf/openssl.cnf -in ~/client.csr -out client-signed.cert
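The whole procedure end to end, as an added example that is not the original post's script: it builds the CA layout from the post in a scratch directory with an encrypted root key, generates a server key and CSR, inspects the CSR, signs it and verifies the chain. The hostname www.example.com, the organisation name and the passphrase are assumptions, and the CSR deliberately asks for CA:TRUE to show that the CA configuration, not the requester, decides the extensions.

```shell
#!/bin/sh
# Added example, not the original post's code: builds the root CA from the post
# in a scratch directory, issues a server certificate from a CSR and checks the
# result. Hostname, organisation name and passphrase are assumptions.
set -eu
# CA config. Deliberate differences from the post's openssl.cnf:
#  - copy_extensions = copy takes subjectAltName from the CSR (browsers reject a
#    server cert without one). "copy" never overrides what usr_cert already sets,
#    so a CSR asking for CA:TRUE still gets CA:FALSE; "copyall" would honour it.
#  - keyUsage is pinned on the root; nsCaRevocationUrl is dropped (a Netscape-era
#    extension that modern clients ignore).
write_ca_config() {  # $1 = CA directory
    cat > "$1/conf/openssl.cnf" <<'EOF'
[ req ]
default_bits        = 2048
default_md          = sha256
prompt              = no
distinguished_name  = root_dn
x509_extensions     = v3_ca
[ root_dn ]
countryName         = CA
organizationName    = Example Inc
commonName          = Example Inc Root CA
[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints       = critical, CA:true
keyUsage               = critical, keyCertSign, cRLSign
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = .
new_certs_dir   = ./signed-keys
database        = ./conf/index
serial          = ./conf/serial
certificate     = ./public/root.pem
private_key     = ./private/root.pem
default_md      = sha256
default_days    = 365
policy          = policy_match
x509_extensions = usr_cert
copy_extensions = copy
[ policy_match ]
countryName      = optional
organizationName = optional
commonName       = supplied
[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
extendedKeyUsage       = serverAuth
EOF
}
init_ca() {  # $1 = CA directory, $2 = passphrase for the root key
    mkdir -p "$1/conf" "$1/private" "$1/public" "$1/signed-keys"
    chmod 700 "$1/private"   # directories need the x bit: 700, not 600
    echo 01 > "$1/conf/serial"
    : > "$1/conf/index"
    write_ca_config "$1"
    # No -nodes: the root key is encrypted under the passphrase in $2.
    ( cd "$1" && openssl req -config conf/openssl.cnf -x509 -newkey rsa:2048 \
        -keyout private/root.pem -passout "pass:$2" -days 1825 \
        -out public/root.pem -outform PEM )
}
make_csr() {  # $1 = work dir, $2 = hostname; writes $1/$2.key and $1/$2.csr
    # The CSR also asks for CA:TRUE, standing in for a hostile requester; the
    # CA config above must refuse to honour it.
    cat > "$1/$2.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = ext
[ dn ]
commonName         = $2
[ ext ]
subjectAltName     = DNS:$2
basicConstraints   = CA:TRUE
EOF
    openssl req -new -nodes -newkey rsa:2048 -config "$1/$2.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.csr"
}
# The post's inspection step, reduced to the fields worth checking before signing.
csr_sans()  { openssl req  -in "$1" -noout -text | sed -n 's/.*\(DNS:[A-Za-z0-9.-]*\).*/\1/p'; }
cert_sans() { openssl x509 -in "$1" -noout -text | sed -n 's/.*\(DNS:[A-Za-z0-9.-]*\).*/\1/p'; }
cert_is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }
sign_csr() {  # $1 = CA dir, $2 = passphrase, $3 = CSR, $4 = output cert (absolute paths)
    ( cd "$1" && openssl ca -batch -notext -config conf/openssl.cnf \
        -passin "pass:$2" -in "$3" -out "$4" )
}
verify_chain() { openssl verify -CAfile "$1/public/root.pem" "$2" >/dev/null; }  # $1 = CA dir
run_demo() {  # builds everything under a fresh temp dir and prints its path
    work=$(mktemp -d)
    init_ca  "$work/ca" 'root-ca-passphrase' >/dev/null
    make_csr "$work" www.example.com       >/dev/null
    sign_csr "$work/ca" 'root-ca-passphrase' "$work/www.example.com.csr" "$work/www.example.com.crt" >/dev/null
    echo "$work"
}
demo=$(run_demo)
echo "root CA: $demo/ca/public/root.pem  signed cert: $demo/www.example.com.crt" >&2
```

After it runs, cert_sans on the issued certificate shows the DNS name taken from the CSR, cert_is_ca is true for the root and false for the leaf despite the CSR's CA:TRUE request, and openssl verify accepts the chain. Swap copy to copyall in the config and rerun to see the leaf come out as a CA, which is why copyall should never be used with CSRs you did not generate yourself.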
All this for this!