Verify that the openssl package is installed on your computer. The three commands directly below locate the script that creates the files and directories needed to sign the cert, make a "scratch" directory, and then move into it:

$ find /usr -iname CA.sh

$ mkdir cert

$ cd cert

Generating the new CA certificate

Execute the "CA.sh" script. Follow the prompts, making sure to enter a personal name in the "CN" field:

$ /path-to/CA.sh -newca

CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
..++++++
.....++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:Philadelphia
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:Johnny Rotten
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:

note
Remember the "pass phrase" entered directly above; it is needed for the final step.

Making a new cert, key and cert request

With the following command, create a new RSA key and a new cert-request, which will be used for the cert-signing process:

$ openssl req -newkey rsa:2048 -keyout new.key -out new.csr -days 3650 -nodes

Generating a 2048 bit RSA private key
..........................+++
.............................+++
writing new private key to 'new.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:PA
Locality Name (eg, city) []:Philadelphia
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:Johnny Unrotten
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Signing the cert

With the following command, sign the cert. Follow the prompts. Make sure to enter a personal name in the "CN" field, different from the one that was entered during step 2:

$ openssl ca -out new.crt -infiles new.csr

Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
99:91:cb:2d:6f:ba:bc:7d
Validity
Not Before: Jun 11 15:27:16 2012 GMT
Not After : Jun 11 15:27:16 2013 GMT
Subject:
countryName = US
stateOrProvinceName =
organizationName = Internet Widgits Pty Ltd
commonName = Johnny Rotten
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:

Testing the new cert and key

To test your cert and key, the following commands may be used.

Read an RSA key
$ openssl rsa -in key
Read a DSA key
$ openssl dsa -in key
Read an X.509 fingerprint
$ openssl x509 -in cert -fingerprint
Read an X.509 subject (CN)
$ openssl x509 -in cert -subject

note

For the SSL adventurous, here is a script which will perform the previous tests (and many more) on certs.
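
The read commands above display a key or a cert but do not confirm that the two belong together or that the cert was issued by the new CA. The following shell script is an added example (not part of the original page and not the script mentioned above) that checks both on a constructed throwaway CA and cert. The function names and the file names ca.key, ca.crt and other.key are assumptions, and it signs with "openssl x509 -req" rather than "openssl ca" so that it runs without the demoCA directory.

```shell
#!/bin/sh
# Added example. All keys and certs below are constructed throwaway test data.

# Build a throwaway CA, a request and a signed cert in directory $1.
# Assumption: signs with "openssl x509 -req" instead of "openssl ca",
# so no demoCA directory or pass phrase is needed.
make_demo() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Leaf" \
        -keyout "$1/new.key" -out "$1/new.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/new.csr" -days 1 -CA "$1/ca.crt" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/new.crt" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

# Return 0 only if private key $1 and certificate $2 hold the same public key.
# A file that cannot be parsed returns 2 rather than comparing empty strings.
key_matches_cert() {
    pub_from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    pub_from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$pub_from_key" = "$pub_from_cert" ]
}

# Return 0 only if certificate $2 verifies against CA certificate $1.
cert_chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo run on the constructed files.
demo_dir=$(mktemp -d)
if make_demo "$demo_dir"; then
    key_matches_cert "$demo_dir/new.key" "$demo_dir/new.crt" \
        && echo "new.key matches new.crt"
    key_matches_cert "$demo_dir/other.key" "$demo_dir/new.crt" \
        || echo "other.key does not match new.crt"
    cert_chains_to "$demo_dir/ca.crt" "$demo_dir/new.crt" \
        && echo "new.crt was signed by ca.crt"
fi
rm -rf "$demo_dir"
```

To check the files made on this page, call key_matches_cert with new.key and new.crt, and cert_chains_to with the CA certificate that CA.sh created and new.crt.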