create root private key with password protected:

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out root.key 

create root private key with password protected:

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -aes-128-cbc -out root.key 

show private key info:

openssl pkey -in root.key -text -noout 

generate pub key:

openssl pkey -in root.key -pubout -out root-public.key

creating root CSR from existing root cert:

openssl x509 -x509toreq -in root.crt -out root.csr -signkey root.key -copy_extensions copyall

generate new root cert:

openssl x509 -req -in root.csr -out new-root.crt -signkey root.key -days 3650 -copy_extensions copyall

creating CSRs from existing intermediate cert:

openssl x509 -x509toreq -in intermediate.crt -out intermediate.csr -signkey intermediate.key -copy_extensions copyall

resign intermediate certificate from CSR with root CA:

openssl x509 -req -in intermediate.csr -CA new-root.crt -CAkey root.key -CAcreateserial -out new-intermediate.crt -copy_extensions copyall -days 3650

creating CSRs from existing domain cert:

openssl x509 -x509toreq -in domain.crt -out domain.csr -signkey domain.key -copy_extensions copyall

resign domain certificate from CSR with intermediate CA:

openssl x509 -req -in domain.csr -CA new-intermediate.crt -CAkey intermediate.key -CAcreateserial -out new-domain.crt -copy_extensions copyall -days 3650

sign root CA with new private key:

openssl x509 -in root.crt -signkey root.key -days 3650