Create a Certificate Authority private key (this is your most important key):

$ openssl req -new -newkey rsa: -nodes -out ca.csr -keyout ca.key

Create your CA self-signed certificate:

$ openssl x509 -trustout -signkey ca.key -days  -req -in ca.csr -out ca.pem

Issue a client certificate by first generating the key, then request (or use one provided by external system) then sign the certificate using private key of your CA:

$ openssl genrsa -out client.key

$ openssl req -new -key client.key -out client.csr

$ openssl ca -in client.csr -out client.cer

(You may need to add some options as I am using these commands together with my openssl.conf file. You may need to setup your own .conf file first.)

Reference:

https://jamielinux.com/articles/2013/08/create-an-intermediate-certificate-authority/