Create your own simple PKI!
I've been using a light fork of https://github.com/Evolix/shellpki. (My version is 94 lines tho). However go1.15+ doesn't work out of the box because (my?) shellpki doesn't create Subject Alt Name (SAN). I didn't find how to do it with openssl(1) (who doesn't love using this delightful software). Other software to create a PKI are beasts (cloudflare/cfssl is like 50k without counting vendored lib).
I don't need all these 'enterprise' features so I wrote my own.
The key aren't encrypted since the only way to do it is deprecated. For this reason, the CA key isn't written to disk. The program outputs the key to stdout so the user can save it in their favorite password manager. When signing a new certificate, the CA's key will be required through a prompt.
$ ./gopki -h
Usage of ./gopki:
-create
Create a new certificate (and sign it)
-domain string
Domain for the certificate or the CA
-init
Initialize a new PKI
gopki -init -domain ca.chown.me
gopki -create -domain bleh.chown.me