Assumption
The target host to generate the certificate has an IP address of 192.168.2.10 and using IP address as the CN instead of hostname. i.e. Clients will access the target server by IP address instead of hostname.
Check location of Open SSL conf
openssl version -d
Generate private key
cd /etc/httpd/ssl
sudo openssl genrsa -des3 -out server.key 2048
Ensure that default SSL configuration is used
export OPENSSL_CONF=/etc/pki/tls/openssl.cnf
Generate Certificate Signing Request (With IP Address)
openssl req -new -sha256 -key server.key -subj "/C=US/ST=CA/O=Acme, Inc./CN=192.168.2.10" -reqexts SAN -config <(cat /etc/pki/tls/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:192.168.2.10,IP:192.168.2.10")) -extensions v3_ca -out server.csr
Generate Certificate Signing Request
sudo openssl req -new -key server.key -out server.csr
Fill in the fields
Remove passphrase from the key
cp server.key server.key.org
sudo openssl rsa -in server.key.org -out server.key
Sign with root CA (On the Root CA Server). Change the Hostname, DNS, IP in the subjectAltName of the server sending the signing request.
export OPENSSL_CONF=/etc/httpd/ssl/root-ca/root-ca.cnf
cd /etc/httpd/ssl/root-ca
openssl x509 -req -days 1024 -in ./../server.csr -CA root-ca.cert.pem -CAkey ./private/root-ca.key.pem -CAcreateserial -extfile <(printf "subjectAltName=DNS:192.168.2.10,IP:192.168.2.10") -out ./../server.crt -sha256