
Tip: Set up your own Certificate Authority (CA)

Posted By: apeiro

A quick rundown on how to create a basic private CA so you can issue and sign your own certificates instead of relying on one-off self-signed certs.

There are a few different ways to do this, but one of the easier ways is to use the CA.pl script that's typically bundled with OpenSSL. It is a small Perl wrapper around the openssl req and openssl ca commands, so everything it does can also be done by hand with those two commands.

Its location will vary depending on what distribution you run. Use locate or check the common places, such as /etc/ssl/misc or /usr/share/ssl/misc.

Once found, use it like so.

Generate CA Certificate

This is the master certificate/key pair. The CA key is used to sign CSRs to create new certificates, and the CA cert is distributed to clients so they can verify those certificates. Keep the CA key private: anyone who holds it can mint certificates that every client trusting your CA cert will accept.

First change to a new directory where your CA files can live. Then generate the CA key and cert:

CA.pl -newca

When prompted for a CA certificate filename, just press Enter to create a new one. You will be asked for a passphrase for the CA key (remember it, every signing step needs it) and for the CA's distinguished name. The script creates a demoCA subdirectory, with the CA cert in demoCA/cacert.pem and the CA key in demoCA/private/cakey.pem.

Generate a Certificate Signing Request (CSR)

In the same directory you started in, generate the CSR:

CA.pl -newreq

Fill out all the questions and you'll end up with a newreq.pem file containing the new private key (encrypted with the passphrase you chose) and the CSR. Newer versions of CA.pl write the key to a separate newkey.pem file instead; the script's final message tells you which layout you got.

Sign the CSR with your CA key

CA.pl -sign

Enter the passphrase for your CA key when asked, confirm the signing, and it should do the rest, leaving you with the signed certificate in newcert.pem. A copy is also recorded under demoCA/newcerts and in the demoCA/index.txt database, which is how the CA keeps track of what it has issued.

Extract the key from your CSR PEM

Often you need the key in a password-less form so you can use it in non-interactive daemon programs (a web server cannot type a passphrase at boot). To extract your key from newreq.pem in a password-less format, run this and enter the passphrase you set during -newreq (if your CA.pl already wrote a separate newkey.pem, point the command at that file instead):

openssl rsa <newreq.pem >newkey.pem

Your key now lives in newkey.pem, unencrypted. Since the passphrase no longer protects it, restrict its file permissions so only the account running the daemon can read it, and never ship it alongside the certificate. Rename all these files as you see fit.
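The whole procedure above, run non-interactively with the openssl commands that CA.pl wraps, as an added example that is not part of the original tip. It assumes OpenSSL 1.1.1 or newer with its default config file installed; the CA name, host name and passphrases are made up for the demo, and "openssl x509 -req" stands in for CA.pl -sign (which calls "openssl ca" and maintains the demoCA index and serial files). It also adds the checks worth running before deploying: the chain verifies, the SAN is present, the stripped key is really unencrypted and matches the certificate, and a cert from a different CA is rejected.

```shell
#!/bin/sh
# Added example: CA.pl -newca / -newreq / -sign done with plain openssl.
# Assumes OpenSSL >= 1.1.1 on PATH. All names and passphrases are demo values.
set -eu
umask 077                      # every file created below is owner-only

CA_PASS="capass-demo"          # constructed CA key passphrase; use a real one

# CA.pl -newca equivalent: encrypted CA key plus a self-signed CA certificate.
build_ca() {
    dir=$1
    mkdir -p "$dir/private"
    openssl req -new -x509 -newkey rsa:2048 -days 3650 \
        -subj "/CN=Demo Test CA" \
        -keyout "$dir/private/cakey.pem" -out "$dir/cacert.pem" \
        -passout "pass:$CA_PASS" 2>/dev/null
}

# CA.pl -newreq + -sign equivalent: key and CSR for one host, then a leaf
# cert signed by the CA with explicit end-entity extensions (CA:FALSE and a
# subjectAltName, which current browsers and TLS libraries require).
issue_cert() {
    dir=$1; name=$2; req_pass="reqpass-demo"   # constructed request passphrase
    openssl req -new -newkey rsa:2048 -subj "/CN=$name" \
        -keyout "$dir/$name.key.enc" -out "$dir/$name.csr" \
        -passout "pass:$req_pass" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' \
        "$name" > "$dir/$name.ext"
    openssl x509 -req -days 365 -in "$dir/$name.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/private/cakey.pem" -CAcreateserial \
        -passin "pass:$CA_PASS" -extfile "$dir/$name.ext" \
        -out "$dir/$name.crt" 2>/dev/null
    # The "openssl rsa" step from the tip: strip the passphrase for daemon use,
    # then lock the file down because the passphrase no longer protects it.
    openssl rsa -in "$dir/$name.key.enc" -passin "pass:$req_pass" \
        -out "$dir/$name.key" 2>/dev/null
    chmod 600 "$dir/$name.key"
}

# Pre-deployment checks: chain verifies against our CA cert, SAN present,
# stripped key is unencrypted, and the key matches the certificate.
check_cert() {
    dir=$1; name=$2
    openssl verify -CAfile "$dir/cacert.pem" "$dir/$name.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/$name.crt" -noout -text | grep -q "DNS:$name" || return 1
    if grep -q ENCRYPTED "$dir/$name.key"; then return 1; fi
    cert_pub=$(openssl x509 -in "$dir/$name.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/$name.key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# A certificate issued by some other CA must not verify against ours.
check_rejects_foreign() {
    dir=$1; other=$2; name=$3
    ! openssl verify -CAfile "$dir/cacert.pem" "$other/$name.crt" >/dev/null 2>&1
}

# Stand-alone demo run in a scratch directory.
ca_dir=$(mktemp -d)
build_ca "$ca_dir"
issue_cert "$ca_dir" server.example.test
check_cert "$ca_dir" server.example.test && echo "server.example.test: chain OK, key matches"
```

The signing step here uses "openssl x509 -req" because it needs no database; CA.pl -sign instead runs "openssl ca", which records every issued certificate in demoCA/index.txt and increments demoCA/serial, and that bookkeeping is what you want once the CA issues more than a handful of certs (it is also what makes revocation lists possible later).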