I used to used openssl but I switched to Step for this purpose :
https://smallstep.com/certificates/
It runs in docker, certificates generation is easy and the cherry on top: it can be used with Acme clients. All my internal services use it via traefik, new certificates are generated with no intervention whatsoever from my parts.