https://www.bounca.org/ looks like a nice project with a very clean approach to managing the most common type of certs with a custom root CA and intermediate CAs. Just reading that code should create quite a solid understanding of what actually goes into the certs (without needing to deal with openssl.cnf
files).