How to issue a root certificate using `openssl req`?

The primary option is -x509: it forces the openssl req command to generate a root certificate instead of a certificate signing request:

openssl req \
	-days 99999 \
	-keyout .key \
	-new \
	-nodes \
	-out .crt \
	-sha256 \


-days n
When the -x509 option is being used this specifies the number of days to certify the certificate for.
The default is 30 days.

-keyout filename
This gives the filename to write the newly created private key to.

Normally, this option generates a new certificate request.
But in my case, it does not generate a new certificate request because I use -x509 alongside with -new.
In my case the -new option generates a new RSA private key because I do not use the -key option.
The private key is generated with the default length: 2048 bits.

If this option is specified then if a private key is created it will not be encrypted.

-out filename
This specifies the output filename to write to or standard output by default.

-sha256 (-digest)
This specifies the message digest to sign the request with (such as -md5, -sha1).
This overrides the digest algorithm specified in the configuration file.
Some public key algorithms may override this choice.
For instance, DSA signatures always use SHA1, GOST R 34.10 signatures always use GOST R 34.11-94 (-md_gost94).

This option outputs a self-signed certificate instead of a certificate request.
This is typically used to generate a test certificate or a self-signed root CA.
The extensions added to the certificate (if any) are specified in the configuration file.
Unless specified using the set_serial option, a large random number will be used for the serial number.