@esolitos
Last active August 29, 2015 14:17
Create SSL Certificate Authority and Device Certificates

Note: Since I believe that sudo is evil (contact me for more info about it) I'm not going to assume that all the commands are run as root; use at your own risk. Remember, with great powers...

Generate CA Certificate

In this part we will generate the key and the certificate for the CA, which are going to be used to issue the device certificates.

Step 0. Move in a secure location: #: mkdir /root/certs/CA && cd /root/certs/CA

Step 1. Gen. CA Key: #: openssl genrsa -des3 -out rootCA.key 2048

Step 2. Gen. CA Certificate: #: openssl req -x509 -new -nodes -key rootCA.key -out rootCA.pem -days 3650

Step 2.5 Secure the Key and Certificate: #: chmod 400 rootCA.*

Now that you have created your Root CA certificate you should install it in all the machines that will need to accept the Device certificate that we're going to generate from now on.

Generate Device Certificate

We will now generate a certificate for a service that is served by a web server via service1.example.com

Step 0. Move in a secure location: #: mkdir -p /etc/nginx/certs/service1 && cd /etc/nginx/certs/service1

Step 1. Generate a key for the certificate: openssl genrsa -out service1.key 2048 (you can optionally use the option -des3 to have a password)

Step 2. Generate the certificate request: openssl req -new -key service1.key -out service1.csr You will be required to fill in some fields; remember that when you're prompted for the Common Name (CN) you MUST specify the correct FQDN of the service, which in our case is: service1.example.com

Step 3. Generate and sign the certificate using the root CA: openssl x509 -req -in service1.csr -CA /root/certs/CA/rootCA.pem -CAkey /root/certs/CA/rootCA.key -CAcreateserial -out service1.crt -days 730

Step 4. Use the certificate: You can now edit the config of your service, specifying that it should use service1.key and service1.crt.

You can now simply repeat the generation of a certificate for each service you need. Remember that the .key files should never leave your machine; keep them safe and secure, especially rootCA.key!
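The whole procedure above, collected into one non-interactive script as an added example (this is not the gist author's code). It keeps the same steps and the same file names, but supplies the subject with -subj instead of answering prompts, takes the CA passphrase from a variable instead of the interactive -des3 prompt, restricts file permissions through umask, and adds two things a practitioner would want that the original steps do not cover: a subjectAltName extension on the device certificate (browsers and most TLS libraries ignore the CN and require a SAN) and a final `openssl verify` that the issued certificate actually chains to the CA. The working directory, the passphrase and the CA name are constructed placeholders; the hostname service1.example.com comes from the page.

```shell
#!/bin/sh
# Added example, not part of the original gist: CA + device certificate in one go.
# Assumed/constructed: working directory, CA passphrase (CA_PASS), CA subject name.
set -eu

# Build a CA under "$1/CA" and a device certificate for host "$2" under "$1/$2".
# Returns 0 only if the device certificate verifies against the CA and carries the SAN.
make_ca_and_cert() {
  workdir=$1
  host=$2
  ca_pass=${CA_PASS:-constructed-example-passphrase}   # constructed; replace with a real secret
  ca_dir="$workdir/CA"
  svc_dir="$workdir/$host"
  mkdir -p "$ca_dir" "$svc_dir"
  umask 077   # every file created below is owner-only, the effect of the gist's chmod 400

  # --- CA: passphrase-protected private key and a self-signed certificate (10 years) ---
  openssl genrsa -aes256 -passout "pass:$ca_pass" -out "$ca_dir/rootCA.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$ca_dir/rootCA.key" -passin "pass:$ca_pass" \
    -subj "/CN=Example Root CA" -days 3650 -out "$ca_dir/rootCA.pem"

  # --- Device: unencrypted key and a CSR whose CN is the service FQDN ---
  openssl genrsa -out "$svc_dir/$host.key" 2048 2>/dev/null
  openssl req -new -key "$svc_dir/$host.key" -subj "/CN=$host" -out "$svc_dir/$host.csr"

  # Extensions for the signed certificate: the SAN is what clients actually match against.
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' \
    "$host" > "$svc_dir/ext.cnf"

  # Sign the CSR with the CA (2 years), as in Step 3 of the gist plus the extension file.
  openssl x509 -req -in "$svc_dir/$host.csr" \
    -CA "$ca_dir/rootCA.pem" -CAkey "$ca_dir/rootCA.key" -passin "pass:$ca_pass" \
    -CAcreateserial -days 730 -extfile "$svc_dir/ext.cnf" -out "$svc_dir/$host.crt" 2>/dev/null

  # Check: the certificate chains to the CA, and the SAN names the host.
  openssl verify -CAfile "$ca_dir/rootCA.pem" "$svc_dir/$host.crt" >/dev/null
  openssl x509 -in "$svc_dir/$host.crt" -noout -text | grep -q "DNS:$host"
}

# Usage: sh this_script.sh run [workdir] [hostname]
if [ "${1:-}" = "run" ]; then
  make_ca_and_cert "${2:-./certs-example}" "${3:-service1.example.com}"
  echo "certificate for ${3:-service1.example.com} created and verified"
fi
```

Point the web server at `<workdir>/service1.example.com/service1.example.com.key` and `.crt`, exactly as in Step 4, and install `CA/rootCA.pem` on the clients as described after Step 2.5; rootCA.key never needs to leave the CA directory.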
