I followed the instructions on these pages:
The commands to run are:
openssl genrsa -out serverkey.pem openssl req -new -key serverkey.pem -out newreq.pem -days 365 cat newreq.pem serverkey.pem > new.pem openssl ca -config /etc/domtool/openssl.conf -policy policy_anything -out servercert.pem -infiles new.pem
replacing serverkey.pem and servercert.pem with appropriate names for your new key and certificate, respectively. The change I made from the cited source is to include the -config flag to reference the modified config file obtained from the page about creating a CA.
Once I figure out the final directory layout, there will be instructions here on where to put these files once they're created.