On the server, generate the CA key and certificate:
# openssl genrsa -des3 -out ca.key 4096
# openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
Remember to use something sensible, like the server or company name, for the Common Name; otherwise your keychain may be confusing to read later.
Trust the certificate locally:
# mkdir /usr/share/ca-certificates/extra
# cp ca.crt /usr/share/ca-certificates/extra
# dpkg-reconfigure ca-certificates
Create the CA directory structure:
# mkdir -p demoCA/newcerts
# touch demoCA/index.txt
# echo "00" >> demoCA/serial
On the client, generate the client key and a certificate signing request (CSR):
# openssl genrsa -des3 -out client.key 4096
# openssl req -new -key client.key -out client.csr
This time use the client's full name for the Common Name.
Send only client.csr to the server; the private key client.key stays on the client. On the server, sign the CSR with the CA:
# openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key
Copy ca.crt and client.crt back to the client machine, and install ca.crt into the keyring first. Then bundle the client certificate and its key into a PKCS#12 file so the client certificate can be imported:
# openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
In the nginx SSL site config, add the following lines (best placed just under the other ssl_ directives):
ssl_client_certificate /path/to/ca.crt;
ssl_verify_client on;
Restart nginx and your client browser. You should now be secured using client certificate authentication.
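Before distributing a client.p12 it is worth confirming that the issued certificate actually chains to ca.crt (the same check nginx performs with ssl_client_certificate and ssl_verify_client on) and that the key you are packaging belongs to that certificate. The script below is an added example, not part of the original guide: it builds a throwaway CA and client certificate non-interactively in a temp directory (passphrase-less keys and "openssl x509 -req" stand in for the guide's -des3 keys and demoCA layout), then runs both checks plus a negative control. It assumes only the openssl command-line tool.

```shell
#!/bin/sh
# Added example: verify a client cert against its CA the way nginx will.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed CA and client key pairs. No passphrase so the script runs unattended;
# a real CA key should be protected as in the guide (-des3).
openssl genrsa -out ca.key 2048 2>/dev/null
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt \
  -subj "/CN=Example Test CA" 2>/dev/null
openssl genrsa -out client.key 2048 2>/dev/null
openssl req -new -key client.key -out client.csr -subj "/CN=Alice Example" 2>/dev/null

# Sign the CSR directly with the CA key. For a single certificate this yields the
# same result as "openssl ca" with the demoCA/ directory.
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out client.crt -days 365 2>/dev/null

# Negative control: a self-signed cert from an unrelated CA must be rejected.
openssl req -new -x509 -days 1 -newkey rsa:2048 -nodes -keyout other.key \
  -out other.crt -subj "/CN=Other CA" 2>/dev/null

# verify_client_cert CA CERT: succeeds only if CERT chains to CA. This is what
# nginx evaluates for every handshake once ssl_verify_client is on.
verify_client_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_matches_cert KEY CERT: compare the public key derived from the private key
# with the one embedded in the cert, catching a p12 built from the wrong key.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | openssl sha256)
  [ "$k" = "$c" ]
}

verify_client_cert ca.crt client.crt && echo "client.crt chains to ca.crt"
verify_client_cert ca.crt other.crt || echo "other.crt correctly rejected"
key_matches_cert client.key client.crt && echo "client.key matches client.crt"
```

Run the same two functions against your real ca.crt, client.crt and client.key before creating client.p12; a failing verify is the usual reason nginx answers with a certificate error even though the browser shows the cert as imported.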