Just looking at the example script contrib/scripts/ast_tls_cert
in the source tree, and noting that the procedure for creating and signing certificates is much simpler with the command-line tools available with OpenSSL 3.0, which came out about 16 months ago. Having created your CA cert, you can create and sign a user (subject?) cert with a single command, without needing to set up a config file or go through the cert-request step. This is using the new “micro-CA” mode, e.g.
openssl req -new \
-subj "/C=NZ/ST=Waikato/L=Hamilton/O=MegaCorp Inc/OU=Staff/CN=Server" \
-newkey rsa:2048 -nodes \
-CA test-ca.crt -CAkey test-ca.key -days 90 \
-keyout server.key -out server.crt
Of course, I accept that lots of people will still be using OpenSSL 1.1.x …