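# Build a small private CA and use it to issue a code-signing certificate.
#
# Both "openssl req" calls are run without -nodes, so openssl prompts for a
# passphrase and writes the private keys encrypted. Keep ca.key offline or
# otherwise access-controlled: anyone holding it can issue certificates that
# chain to this CA.

# Restrict permissions on everything created below (keys, serial, database),
# regardless of the caller's default umask. Note this persists for the rest
# of the shell session if the commands are pasted interactively.
umask 077

# 1. Self-signed root certificate and its private key (valid for 1000 days).
openssl req -x509 -newkey rsa:2048 -out ca.crt -keyout ca.key -days 1000

# 2. State files that "openssl ca" expects: next serial number, issued-cert
#    database, and the directory that receives a copy of every signed cert.
echo 01 > ca.srl
touch ca.idx
mkdir -p signed

# 3. CA configuration. Written with ">" rather than ">>" so that re-running
#    the script does not append a second copy of every section, and with a
#    quoted delimiter so the shell never expands anything inside the file.
cat << 'EOF' > ca.cnf
[ ca ]
default_ca             = ca_default

[ ca_default ]
certificate            = ca.crt
private_key            = ca.key
serial                 = ca.srl
database               = ca.idx
new_certs_dir          = signed
default_md             = default
policy                 = policy_ipxe
preserve               = yes
default_days           = 90
unique_subject         = no

# Policy values must be one of: match, supplied, optional.
# "match" means the request's field must equal the CA certificate's field,
# so country, state and organization have to be typed identically in both
# the CA certificate and the signing request.
# (commonName was previously also listed as "ipxe.ca", which is not a valid
# policy value; only the valid entry is kept.)
[ policy_ipxe ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = optional
emailAddress           = optional

# Extensions for a cross-signing (CA) certificate. Not used by the commands
# in this script; select it with "-extensions cross" when needed.
[ cross ]
basicConstraints       = critical,CA:true
keyUsage               = critical,cRLSign,keyCertSign

# Extensions for a leaf certificate limited to code signing.
[ codesigning ]
keyUsage               = digitalSignature
extendedKeyUsage       = codeSigning
EOF

# 4. Code-signing key and certificate request. The key size is given
#    explicitly so it does not depend on default_bits in the system
#    openssl.cnf.
openssl req -newkey rsa:2048 -keyout codesign.key -out codesign.req

# 5. Sign the request with the CA, applying only the [ codesigning ]
#    extensions. The certificate is valid for default_days (90) days.
openssl ca -config ca.cnf -extensions codesigning -in codesign.req -out codesign.crt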