# Console transcript: create a passphrase-protected RSA key and CSR for
# www.xyz.com, sign the CSR with the intermediate CA (TrustMe_ICA), build a
# root+intermediate bundle and verify the new certificate against it.
# Lines starting with "# NOTE(review):" are reviewer annotations, not part of
# the recorded session.
#
# NOTE(review): the prompt shows "tmp" and later commands use /var/tmp/...
# paths, so the working directory is presumably /var/tmp, a world-accessible
# location. CA key material is normally kept in a directory only the CA
# operator can enter.
[root@centos6 tmp]#
# NOTE(review): "-passout pass:..." puts the key passphrase on the command
# line, where it lands in shell history and is visible in the process list
# while the command runs. Omitting -passout (interactive prompt) or using the
# file:/env:/fd: passphrase sources avoids that.
[root@centos6 tmp]# openssl genrsa -aes256 -passout pass:Passw0rd-svr -out www.xyz.com.key 2048
Generating RSA private key, 2048 bit long modulus
..........................................+++
.....................................................................................+++
e is 65537 (0x10001)
[root@centos6 tmp]#
# NOTE(review): every *.key file below, including the root and intermediate
# CA keys, is mode -rw-r--r-- (readable by all local users). The server key
# is AES-256 encrypted (see genrsa above); the CA keys have the same size, so
# they are presumably encrypted too, but the passphrase is then the only
# protection. Setting "umask 077" before generating keys, or "chmod 600" on
# the key files, closes this.
[root@centos6 tmp]# ls -l
total 36
-rw-r--r--. 1 root root 1635 Jul 31 02:15 TrustMe_ICA.crt
-rw-r--r--. 1 root root 1074 Jul 31 02:13 TrustMe_ICA.csr
-rw-r--r--. 1 root root 457 Jul 31 02:15 TrustMe_ICA.ext
-rw-r--r--. 1 root root 1766 Jul 31 02:12 TrustMe_ICA.key
-rw-r--r--. 1 root root 17 Jul 31 02:32 TrustMe_ICA.srl
-rw-r--r--. 1 root root 1590 Jul 31 02:04 TrustMe_RCA.crt
-rw-r--r--. 1 root root 1766 Jul 31 02:03 TrustMe_RCA.key
-rw-r--r--. 1 root root 17 Jul 31 02:15 TrustMe_RCA.srl
-rw-r--r--. 1 root root 1766 Jul 31 02:33 www.xyz.com.key
[root@centos6 tmp]#
# NOTE(review): openssl does not echo a typed passphrase; the value after
# "Enter pass phrase" was presumably added by the author for illustration.
# The CSR carries only the subject DN and public key; no subjectAltName is
# requested here.
[root@centos6 tmp]# openssl req -new -sha256 -key www.xyz.com.key -out www.xyz.com.csr
Enter pass phrase for www.xyz.com.key: Passw0rd-svr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:SG
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:Singapore
Organization Name (eg, company) [Default Company Ltd]:XYZ Pte. Ltd.
Organizational Unit Name (eg, section) []:IT Division
Common Name (eg, your name or your server's hostname) []:www.xyz.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@centos6 tmp]#
[root@centos6 tmp]# ls -l
total 40
-rw-r--r--. 1 root root 1635 Jul 31 02:15 TrustMe_ICA.crt
-rw-r--r--. 1 root root 1074 Jul 31 02:13 TrustMe_ICA.csr
-rw-r--r--. 1 root root 457 Jul 31 02:15 TrustMe_ICA.ext
-rw-r--r--. 1 root root 1766 Jul 31 02:12 TrustMe_ICA.key
-rw-r--r--. 1 root root 17 Jul 31 02:32 TrustMe_ICA.srl
-rw-r--r--. 1 root root 1590 Jul 31 02:04 TrustMe_RCA.crt
-rw-r--r--. 1 root root 1766 Jul 31 02:03 TrustMe_RCA.key
-rw-r--r--. 1 root root 17 Jul 31 02:15 TrustMe_RCA.srl
-rw-r--r--. 1 root root 1001 Jul 31 02:35 www.xyz.com.csr
-rw-r--r--. 1 root root 1766 Jul 31 02:33 www.xyz.com.key
[root@centos6 tmp]#
[root@centos6 tmp]# vi www.xyz.com.ext
[root@centos6 tmp]#
[root@centos6 tmp]# ls -l
total 44
-rw-r--r--. 1 root root 1635 Jul 31 02:15 TrustMe_ICA.crt
-rw-r--r--. 1 root root 1074 Jul 31 02:13 TrustMe_ICA.csr
-rw-r--r--. 1 root root 457 Jul 31 02:15 TrustMe_ICA.ext
-rw-r--r--. 1 root root 1766 Jul 31 02:12 TrustMe_ICA.key
-rw-r--r--. 1 root root 17 Jul 31 02:32 TrustMe_ICA.srl
-rw-r--r--. 1 root root 1590 Jul 31 02:04 TrustMe_RCA.crt
-rw-r--r--. 1 root root 1766 Jul 31 02:03 TrustMe_RCA.key
-rw-r--r--. 1 root root 17 Jul 31 02:15 TrustMe_RCA.srl
-rw-r--r--. 1 root root 1001 Jul 31 02:35 www.xyz.com.csr
-rw-r--r--. 1 root root 359 Jul 31 02:35 www.xyz.com.ext
-rw-r--r--. 1 root root 1766 Jul 31 02:33 www.xyz.com.key
[root@centos6 tmp]#
# NOTE(review): this extension file is written by whoever runs the signing
# step, so the three DNS names come from the CA side, not from the CSR. The
# CA operator is the one asserting that the requester controls every listed
# name. basicConstraints=CA:FALSE keeps the leaf from acting as a CA.
# extendedKeyUsage also grants clientAuth; drop it unless this certificate is
# really meant to be presented as a TLS client certificate as well.
[root@centos6 tmp]# cat www.xyz.com.ext
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.xyz.com
DNS.2 = partners.xyz.com
DNS.3 = downloads.xyz.com
[root@centos6 tmp]#
# NOTE(review): the certificate is signed by the intermediate CA with the
# extensions taken from -extfile. The serial number is tracked in
# TrustMe_ICA.srl (its timestamp moves from 02:32 to 02:36 in the next
# listing); keep that file with the CA so serials stay unique per issuer.
[root@centos6 tmp]# openssl x509 -req -in www.xyz.com.csr -CA TrustMe_ICA.crt -CAkey TrustMe_ICA.key -CAcreateserial -out www.xyz.com.crt -days 730 -sha256 -extfile www.xyz.com.ext
Signature ok
subject=/C=SG/L=Singapore/O=XYZ Pte. Ltd./OU=IT Division/CN=www.xyz.com
Getting CA Private Key
Enter pass phrase for TrustMe_ICA.key: Passw0rd-ic@
[root@centos6 tmp]#
[root@centos6 tmp]# ls -l
total 48
-rw-r--r--. 1 root root 1635 Jul 31 02:15 TrustMe_ICA.crt
-rw-r--r--. 1 root root 1074 Jul 31 02:13 TrustMe_ICA.csr
-rw-r--r--. 1 root root 457 Jul 31 02:15 TrustMe_ICA.ext
-rw-r--r--. 1 root root 1766 Jul 31 02:12 TrustMe_ICA.key
-rw-r--r--. 1 root root 17 Jul 31 02:36 TrustMe_ICA.srl
-rw-r--r--. 1 root root 1590 Jul 31 02:04 TrustMe_RCA.crt
-rw-r--r--. 1 root root 1766 Jul 31 02:03 TrustMe_RCA.key
-rw-r--r--. 1 root root 17 Jul 31 02:15 TrustMe_RCA.srl
-rw-r--r--. 1 root root 1529 Jul 31 02:36 www.xyz.com.crt
-rw-r--r--. 1 root root 1001 Jul 31 02:35 www.xyz.com.csr
-rw-r--r--. 1 root root 359 Jul 31 02:35 www.xyz.com.ext
-rw-r--r--. 1 root root 1766 Jul 31 02:33 www.xyz.com.key
[root@centos6 tmp]#
[root@centos6 tmp]# cat TrustMe_ICA.srl
B404FCDA012A3FF0
[root@centos6 tmp]#
[root@centos6 tmp]#
# NOTE(review): concatenates root then intermediate into one PEM bundle; the
# process substitution "<(echo -e \\r)" emits a carriage return plus newline
# between the two PEM blocks. This bundle is a trust store for verification.
# A TLS server would normally send its leaf plus the intermediate and leave
# the root to the client's own trust store.
[root@centos6 tmp]# cat /var/tmp/TrustMe_RCA.crt <(echo -e \\r) /var/tmp/TrustMe_ICA.crt > /var/tmp/TrustMe_CA-bundle.crt
[root@centos6 tmp]#
[root@centos6 tmp]# ls -l
total 52
-rw-r--r--. 1 root root 3227 Jul 31 02:49 TrustMe_CA-bundle.crt
-rw-r--r--. 1 root root 1635 Jul 31 02:15 TrustMe_ICA.crt
-rw-r--r--. 1 root root 1074 Jul 31 02:13 TrustMe_ICA.csr
-rw-r--r--. 1 root root 457 Jul 31 02:15 TrustMe_ICA.ext
-rw-r--r--. 1 root root 1766 Jul 31 02:12 TrustMe_ICA.key
-rw-r--r--. 1 root root 17 Jul 31 02:36 TrustMe_ICA.srl
-rw-r--r--. 1 root root 1590 Jul 31 02:04 TrustMe_RCA.crt
-rw-r--r--. 1 root root 1766 Jul 31 02:03 TrustMe_RCA.key
-rw-r--r--. 1 root root 17 Jul 31 02:15 TrustMe_RCA.srl
-rw-r--r--. 1 root root 1529 Jul 31 02:36 www.xyz.com.crt
-rw-r--r--. 1 root root 1001 Jul 31 02:35 www.xyz.com.csr
-rw-r--r--. 1 root root 359 Jul 31 02:35 www.xyz.com.ext
-rw-r--r--. 1 root root 1766 Jul 31 02:33 www.xyz.com.key
[root@centos6 tmp]#
# NOTE(review): "OK" means the leaf chains to a certificate in the bundle and
# is acceptable for the sslserver purpose. It does not check the hostname or
# revocation. Both CA certificates are supplied via -CAfile here; passing only
# the root as -CAfile and the intermediate via -untrusted keeps the root as
# the single trust anchor. "openssl x509 -in www.xyz.com.crt -noout -text"
# confirms that the SAN and key-usage extensions were actually applied.
[root@centos6 tmp]# openssl verify -purpose sslserver -CAfile /var/tmp/TrustMe_CA-bundle.crt /var/tmp/www.xyz.com.crt
/var/tmp/www.xyz.com.crt: OK
[root@centos6 tmp]#