You can create a certificate signing request (CSR) the same way as a root certificate, but omit the -x509 and -days options:
openssl req \
-keyout .key \
-new \
-nodes \
-out .csr \
-sha256

I left «challenge password» and «optional company name» blank.
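
A non-interactive version of the same request, followed by the checks worth running before the CSR is sent to a CA. This is an added example, not code from the original page. The function names, file names and the subject are constructed, and -subj is used here only to skip the prompts.

```shell
#!/bin/sh
# Added example: names, paths and the subject below are constructed.

# make_csr DIR NAME SUBJECT
# Writes DIR/NAME.key (unencrypted, because of -nodes) and DIR/NAME.csr.
make_csr() {
    (
        umask 077    # the key is unencrypted on disk: keep it owner-only
        openssl req -new -nodes -sha256 \
            -keyout "$1/$2.key" \
            -out "$1/$2.csr" \
            -subj "$3" 2>/dev/null
    )
}

# check_csr DIR NAME
# Returns 0 only if every check passes; the return code names the failed check.
check_csr() {
    csr="$1/$2.csr"; key="$1/$2.key"
    # A CSR, not a certificate: dropping -x509 changes the PEM type.
    grep -q 'BEGIN CERTIFICATE REQUEST' "$csr" || return 1
    # The self-signature proves possession of the matching private key.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 2
    text=$(openssl req -in "$csr" -noout -text) || return 3
    # -sha256 must show up in the signature algorithm.
    printf '%s\n' "$text" | grep -qi 'Signature Algorithm: .*sha256' || return 4
    # A challenge password would sit in the CSR in clear text.
    if printf '%s\n' "$text" | grep -qi 'challengePassword'; then return 5; fi
    # The private key must not be readable by group or others.
    [ "$(ls -l "$key" | cut -c1-10)" = "-rw-------" ] || return 6
    return 0
}

# Demo run in a throwaway directory.
demo_dir=$(mktemp -d)
make_csr "$demo_dir" server "/CN=server.example.test" &&
    check_csr "$demo_dir" server &&
    echo "CSR OK: $demo_dir/server.csr"
rm -rf "$demo_dir"
```

Only the .csr file goes to the CA; the .key file stays on the host that generated it.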