create root private key with password protected:

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -aes-128-cbc -out root.key 

show private key info:

openssl pkey -in root.key -text -noout 

generate pub key:

openssl pkey -in root.key -pubout -out root-public.key

resign from existing root certificate:

openssl x509 -in old-root-cert.crt -out new-root-cert.crt -signkey root.key -days 3650 -copy_extensions copyall

create the CSR from config file:

openssl req -new -config fd.cnf -key fd.key -out fd.csr

creating CSRs from existing certificates:

openssl x509 -x509toreq -in intermediate-cert.crt -out intermediate-cert.csr -signkey intermediate.key -copy_extensions copyall

resign intermediate certificate from CSR:

openssl x509 -req -in intermediate-cert.csr -CA new-root-cert.crt -CAkey intermediate.key -CAcreateserial -out new-intermediate-cert.crt -copy_extensions copyall -days 3650

sign root CA with new private key:

openssl x509 -in root-certe.crt -signkey root.key -days 3650