openssl genrsa -out root.key
I do not encrypt it because I will use this key only to build a certificates chain of trust for my workstation.
To encrypt the key, you can add the
These options encrypt the private key with specified cipher before outputting it. If none of these options is specified no encryption is used. If encryption is used a pass phrase is prompted for if it is not supplied via the -passout argument.