Create a CA root
-
openssl genrsa -des3 -out ca.key 4096 openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
Create a client key and CSR
openssl genrsa -des3 -out client.key 4096openssl req -new -key client.key -out client.csropenssl x509 -req -days 3650 -in client.csr -CA ca.crt -CAkey ca.key \
-set_serial 01 -out client.crt
Convert to PKCS, for installing in browsers
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
Convert to combined PEM, for use with OpenSSL
openssl pkcs12 -in client.p12 -out client.pem -clcerts
Nginx config
ssl_client_certificate /path/to/ca.crt;
ssl_verify_client optional; # or `on` if you require client key
