From my understanding, you use CA's private key to sign a CSR, but why all openssl CSR signing commands need to specify CA cert when signing a CSR like below:
openssl x509 -req -days 360 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
