This doc shows you how to create a self-signed CA cert and sign new certificate.
generate RSA private keys for CA
openssl genrsa -out ca.key 2048
generate self-signed CA cert (input the fields in prompt)
openssl req -new -x509 -key ca.key -out ca.crt
generate RSA private keys for cert
openssl genrsa -out larry.key 2048
prepare a CSR for certificate
openssl req -new -key larry.key -out larry.csr
sign the cert
openssl x509 -days 60 -CAkey ca.key -CA ca.crt -req -in larry.csr -out larry.crt
The client might use client certificate to authenticate itself.
openssl verify -CAfile ca.crt larry.crt
It's possible to generate the CSR from the existing cert
openssl x509 -x509toreq -signkey ca.key -in ca.crt -out ca.csr
The CSR file can be viewed
openssl req -in ca.csr -noout -text