How to Create a Client Certificate with Configuration using OpenSSL

Mert Ilis
2 min readDec 3, 2020

In my previous post ( I’ve talked about creating a root CA certificate and a server certificate with extensions configuration. Now, I’ll continue with creating a client certificate that can be used for the mutual SSL connections.

In the following commands, I’ll be using the root certificate (root-ca) created in my previous post!

Generate the client key:


openssl genrsa -out "client.key" 4096

Generate CSR:


openssl req -new -key "client.key" -out "client.csr" -sha256 -subj '/CN=Local Test Client'

Configure the client certificate:

We need to create a file (client.cnf) and add the following content:

basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "Local Test Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection

Sign the client certificate:


openssl x509 -req -days 750 -in "client.csr" -sha256 -CA "root-ca.crt" -CAkey "r
oot-ca.key" -CAcreateserial -out "client.crt" -extfile "client.cnf" -extensions client

Combine the root certificate, client key and client certificate:


cat client.key client.crt root-ca.crt > client.pem

Create a Pkcs12 file:


openssl pkcs12 -export -out client.pfx -inkey client.key -in client.pem -certfile root-ca.crt

Import client.pfx to Windows Certificate Store:

If you are a Windows user, you should add the client certificate with its key to the personal certificates of the current windows user. Otherwise, during the…



Mert Ilis

I’m a software development enthusiast who likes trying different web technologies and adding value to his team.