you'll need a certificate signing request to sign. have whoever you want to sign a cert for make a csr and send it to you.
openssl req -newkey rsa:4096 -noenc -keyout meow.key -out meow.csr -subj '/CN=meow.example.com'
then the signing request can be signed to produce a certificate. note
that openssl will not copy over extensions from the csr by default,
so add them in with -addext.
openssl req -CAkey my-ca.key -CA my-ca.pem -addext basicConstraints=critical,CA:FALSE -addext 'subjectAltName=DNS:meow.example.com' -in meow.csr -out meow.pem
out pops the signed certificate!