# Root CA, step 1: generate a 2048-bit RSA private key.
# -aes256 stores the key file encrypted, so a passphrase is needed to create
# it and again every time the key is used for signing.
openssl genrsa \
  -aes256 \
  -out ROOT_CA.key \
  2048

# Root CA, step 2: -x509 makes `req` emit a self-signed certificate instead of
# a certificate request. -days 7300 is a validity of about 20 years.
# NOTE(review): 2048-bit RSA is on the small side for a trust anchor that is
# meant to stay valid this long; consider a larger root key.
openssl req \
  -new -x509 \
  -sha256 \
  -days 7300 \
  -key ROOT_CA.key \
  -out ROOT_CA.pem
# Intermediate CA, step 1: passphrase-protected 2048-bit RSA private key.
openssl genrsa \
  -aes256 \
  -out Intermediate.key.pem \
  2048

# Intermediate CA, step 2: certificate request that asks for a critical
# basicConstraints CA:TRUE extension.
# NOTE(review): `openssl ca` only honours extensions requested in a CSR when
# copy_extensions is enabled in the config in use; the signing command below
# takes its extensions from the v3_ca section instead.
openssl req \
  -new \
  -sha256 \
  -addext basicConstraints=critical,CA:TRUE \
  -key Intermediate.key.pem \
  -out Intermediate.csr.pem

# Check the request's self-signature and print it in readable form.
openssl req -in Intermediate.csr.pem -verify -text -noout

# Create the database files `openssl ca` works from: an empty index of issued
# certificates and the next serial number to assign.
# presumably this matches the ./demoCA layout of the stock openssl.cnf; confirm
# against the config actually in use.
# NOTE(review): a fixed starting serial makes every issued serial predictable;
# if unpredictable serials are wanted, see the -rand_serial option of
# `openssl ca` where the installed version supports it.
mkdir demoCA
touch demoCA/index.txt
printf '%s\n' 1122334455667788 > demoCA/serial

# Sign the intermediate request with the root key, valid 3650 days (~10 years).
# policy_anything and v3_ca are section names looked up in the openssl config,
# which is not shown here. -outdir . writes the per-serial copy of the issued
# certificate into the current directory.
# NOTE(review): if v3_ca is the stock section it sets CA:true with no pathlen,
# so this intermediate could itself issue further CA certificates; consider a
# pathlen constraint if it should only sign end-entity certificates.
openssl ca \
  -policy policy_anything \
  -extensions v3_ca \
  -days 3650 \
  -outdir . \
  -cert ROOT_CA.pem \
  -keyfile ROOT_CA.key \
  -in Intermediate.csr.pem \
  -out Intermediate.crt

# Inspect the issued certificate; check basicConstraints, validity and serial.
openssl x509 -in Intermediate.crt -noout -text

# Confirm the intermediate certificate chains to the root.
openssl verify -CAfile ROOT_CA.pem Intermediate.crt
# Device key: 2048-bit RSA private key, stored encrypted (-aes256).
# DEVICE_XXX is presumably a placeholder for the real device name.
# NOTE(review): an encrypted key needs its passphrase whenever it is used, so
# an unattended device has to obtain that passphrase from somewhere; decide
# where it lives before relying on -aes256 for protection on the device.
openssl genrsa \
  -aes256 \
  -out DEVICE_XXX.key.pem \
  2048
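The elliptic-curve key generated by the next command is ideal for IoT devices: it gives the security of a 2048-bit RSA key with only 256 bits of randomness, at low compute cost. (Note that the command uses the 384-bit curve secp384r1.)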
# Generate an EC private key on the named curve secp384r1. -noout suppresses
# the encoded curve parameters, so only the key is written.
# NOTE(review): no cipher option is given, so this key file is not
# passphrase-protected, unlike the RSA keys in this listing that are generated
# with -aes256; restrict access to the file.
openssl ecparam \
  -genkey \
  -name secp384r1 \
  -noout \
  -out secp384r1.pem

# Certificate request for the device.
# NOTE(review): this request is built from DEVICE_XXX.key.pem (the RSA key);
# secp384r1.pem is not referenced by any command shown here. Presumably the EC
# key is meant as an alternative device key; confirm which one is intended and
# pass that file to -key.
openssl req \
  -new \
  -sha256 \
  -key DEVICE_XXX.key.pem \
  -out DEVICE_XXX.csr.pem

# Sign the device request with the intermediate CA, valid 3650 days (~10 years).
# No -policy or -extensions is given, so both come from the openssl config
# defaults, which are not shown here.
# NOTE(review): no separate database is selected either, so the intermediate
# presumably shares the index and serial files used for the root's signing
# run; confirm that is intended.
openssl ca \
  -days 3650 \
  -outdir . \
  -cert Intermediate.crt \
  -keyfile Intermediate.key.pem \
  -in DEVICE_XXX.csr.pem \
  -out DEVICE_XXX.crt

# Verify the full chain: the root is the trust anchor (-CAfile) and the
# intermediate is supplied as an untrusted chain certificate.
openssl verify \
  -CAfile ROOT_CA.pem \
  -untrusted Intermediate.crt \
  DEVICE_XXX.crt

# Re-encode the device certificate as plain PEM, dropping any human-readable
# text that precedes the PEM block in the .crt file.
openssl x509 \
  -in DEVICE_XXX.crt \
  -outform pem \
  -out DEVICE_XXX.pem