Create a server certificate
(for use with your HTTPS server, for example):
sudo mkdir /etc/apache2/ssl
Just make sure to use a password everywhere it asks for one. This seems to be necessary at least for the client certificate we'll create below if you use it in OS X.
Create the server key:
sudo openssl genrsa -out server.key 2048
Create the server's certificate request. You would send this to an official Certificate Authority (CA) if you wanted to have an official certificate instead of the self-signed certificate that we will generate here.
sudo openssl req -new -key server.key -out server.csr
Create the server certificate itself. You can use this one for your HTTPS site.
sudo openssl x509 -req -days 3652 -in server.csr -signkey server.key -out server.crt
Create a 'CA' certificate. We'll need this one to create a properly signed client certificate.
sudo openssl x509 -req -in server.csr -extfile /etc/ssl/openssl.cnf -extensions v3_ca -signkey server.key -out CAserver.crt
Create a client certificate
Create the client key:
sudo openssl genrsa -out user.key 2048
Create the server's certificate request.
sudo openssl req -new -key user.key -out user.csr
Create the client certificate signed with the 'CA' certificate we created above.
sudo openssl x509 -req -days 3652 -in user.csr -extfile /etc/ssl/openssl.cnf -extensions usr_cert -CA CAserver.crt -CAkey server.key -CAcreateserial -out user.crt
Create a PKCS#12 version of the certificate for use on the user system.
sudo openssl pkcs12 -export -in user.crt -inkey user.key -out user.p12
Just import this p12 file in your certificate manager (Key Chain in OS X).