To begin with, you need to generate the root CA key (this is what signs all issued certs):
openssl genrsa -out rootCA.key 2048
Generate the self-signed (with the key previously generated) root CA certificate:
openssl req -x509 -new -nodes -key rootCA.key -days 365 -out rootCA.crt
You can install this on all machines that will be communicating with services using SSL certificates generated by this root certificate. Typically, you'll want to install this on all of the servers on your internal network.
Once you have the root CA certificate generated, you can use that to generate additional SSL certificates for other sites and services (e.g., Jenkins, internal web services or sites, etc).
To create an SSL certificate you can use for one of your services, the first step is to create a certificate signing request (CSR). To do that, you need a key (separate from the root CA key you generated earlier). To generate a key, run the following:
openssl genrsa -out host.key 2048
Now a CSR can be generated:
openssl req -new -key host.key -out host.csr
Make sure the Common Name (CN) is set to the FQDN, hostname or IP address of the machine you're going to put this on.
The next step is to take a CSR and generate a signed certificate using the root CA certificate and key you generated previously.
openssl x509 -req -in host.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out host.crt -days 365
Now you have an SSL certificate (in PEM format) called host.crt. This is the certificate you want your services to use.