How to Create a Client Certificate with Configuration using OpenSSL

Mert Ilis
2 min readDec 3, 2020

In my previous post ( I’ve talked about creating a root CA certificate and a server certificate with extensions configuration. Now, I’ll continue with creating a client certificate that can be used for the mutual SSL connections.

In the following commands, I’ll be using the root certificate (root-ca) created in my previous post!

Generate the client key:


openssl genrsa -out "client.key" 4096

Generate CSR:


openssl req -new -key "client.key" -out "client.csr" -sha256 -subj '/CN=Local Test Client'

Configure the client certificate:

We need to create a file (client.cnf) and add the following content:

basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "Local Test Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection

Sign the client…



Mert Ilis

I’m a software development enthusiast who likes trying different web technologies and adding value to his team.