2.3. Create a non root Certification Authority Certificate.
FIXME because I'm not sure about the procedure.
It is possible to use any signed certificate to sign any other certificate, provided that the certificate is valid and has been issued with the signing capability. So you can create a certificate request and a private key, make the certificate been signed by a third party and install the signed certificate and private key. The part -PRIVATE KEY- goes into private/cakey.pem while the part -CERTIFICATE- goes into cacert.pem.