Are you trying to create the SSL key certificate chain for the superb KACE K3000 ?
Use this short guide. Disclaimer; I found most of it on the web, but has made some alterations to handle the 2014+ security.

openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 1825 -key ca.key -out ca.crt
openssl x509 -in ca.crt -out ca.pem
openssl genrsa -des3 -out ca-int_encrypted.key 4096
openssl rsa -in ca-int_encrypted.key -out ca-int.key
openssl req -new -key ca-int.key -out ca-int.csr -subj “/CN=ca-int@acme.com”
openssl x509 -req -days 1825 -in ca-int.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out ca-int.crt

openssl genrsa -des3 -out server_encrypted.key 4096
openssl rsa -in server_encrypted.key -out server.key
openssl req -new -key server.key -out server.csr -subj “/CN=server@acme.com”
openssl x509 -req -days 1825 -in server.csr -CA ca-int.crt -CAkey ca-int.key -set_serial 01 -out server.crt

Remember to replace server@acme.com and ca-int@acme.com with your fully qualified servername. This worked for me for creating a KACE demo environment with K1000 + K2000 + K3000 chained together.