To replace the default certificates with certificates signed by your own local CA, you must create a root CA.

The root CA’s certificate must then be installed on every client system that will connect to the managed hosts. Assuming you use the same root CA key to sign all the CSRs, you will have only one root CA certificate to install on the Windows clients.

Create a new root CA and an RSA key using OpenSSL. For example:

C:\OpenSSL\bin>openssl req -new -x509 -extensions v3_ca -keyout myroot.key -out myroot.crt -days 3650 -config openssl.cnf
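
Before the new root certificate is installed on a Windows client, it is worth confirming that the file is the certificate you generated and nothing more. The PowerShell script below is an added example, not part of the original procedure. It assumes the file name myroot.crt from the command above and a SHA-256 fingerprint read on the CA machine and passed to the client out of band; the parameter names are the example's own.

```powershell
# Added example: validate myroot.crt, then trust it on this Windows client.
# Run from an elevated PowerShell prompt. Parameter names are this example's own.
param(
    [string]$Path = '.\myroot.crt',
    # SHA-256 fingerprint read on the CA machine and delivered out of band, e.g. from
    #   openssl x509 -in myroot.crt -noout -fingerprint -sha256
    [Parameter(Mandatory)][string]$ExpectedSha256
)
$ErrorActionPreference = 'Stop'
$full = (Resolve-Path $Path).Path

# Only the certificate is distributed; myroot.key must never leave the CA machine.
if (Select-String -Path $full -Pattern 'PRIVATE KEY' -Quiet) {
    throw "$full contains private key material; refusing to distribute it."
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $full

# A root CA certificate is self-signed and carries basicConstraints CA:TRUE
# (assumption: the v3_ca section of the openssl.cnf in use sets it, as the stock file does).
if ($cert.Subject -ne $cert.Issuer) { throw 'Not self-signed: subject and issuer differ.' }
$bc = $cert.Extensions['2.5.29.19']   # OID of the Basic Constraints extension
if (-not $bc -or -not $bc.CertificateAuthority) { throw 'Basic Constraints CA:TRUE is missing.' }

# Reject a certificate that is not yet valid or has already expired.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { throw 'Outside validity period.' }

# Compare the fingerprint with the out-of-band value before trusting anything.
$sha = [System.Security.Cryptography.SHA256]::Create()
$actual = [BitConverter]::ToString($sha.ComputeHash($cert.RawData)) -replace '-', ''
$expected = ($ExpectedSha256 -replace '^.*=', '' -replace '[:\s]', '').ToUpper()
if ($actual -ne $expected) { throw "Fingerprint mismatch: got $actual" }

# Install into the machine-wide Trusted Root Certification Authorities store.
Import-Certificate -FilePath $full -CertStoreLocation Cert:\LocalMachine\Root
```

The fingerprint argument accepts the whole line printed by the openssl command; the script strips the label and the colons before comparing.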