These are some rough notes for deploying a test/dev local CA, a server key/cert, and a client key/cert. The intention is to provide a quick and dirty (don't use in production) local CA with one server and one client. HAProxy is used as an SSL terminator which forces SSL for all connections (via http redirect), then optionally accepts a client cert for authentication.
Follow the install guide for easy-rsa (https://github.com/OpenVPN/easy-rsa)
./easyrsa init-pki
./easyrsa build-ca