Creating a private CA can be useful if you have a lot of services encrypting data for internal use but don’t need the domain to be verified by a public CA like Verisign, Thawte etc.

By importing the CA to all computers that will use these services users won’t get the a popup in IE and Firefox saying that the certificate is invalid.

Create a private key for your CA:

openssl genrsa -des3 -out ca.key 4096

You will need to enter passphrase.

This password will be used everytime you sign a certificate with this CA.