Generate key pair for client
Generating a self-signed key pair for a client differs from generating one for a server only in the key-usage attributes:
keytool -genkeypair \
-keyalg RSA -keysize 3072 -sigalg SHA256withRSA \
-validity 730 \
-ext KeyUsage:critical=digitalSignature \
-ext ExtendedKeyUsage:critical=clientAuth \
-storetype JKS -alias user01 -keystore user01.jks \
-dname "CN=WSUser01,O=T-Systems International,C=DE"
The extended key usage clientAuth must be set: a certificate whose ExtendedKeyUsage extension lacks it is rejected by servers that validate key usage during client authentication. The other parameters of this call correspond to those for server certificates. Unlike a server certificate, a client certificate is never matched against a host name, so a DNS name or an IP address as common name (CN) makes no sense; use a name that identifies the user (here WSUser01). keytool prompts for the keystore and key passwords unless -storepass and -keypass are supplied, and since Java 9 it warns that JKS is a proprietary format and recommends PKCS12 (-storetype PKCS12) for new keystores.
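As an added example (not part of the original page), the same keytool call wrapped in a small POSIX shell script that afterwards inspects the certificate with keytool -list -v and confirms that both extensions are present and marked critical, so a keystore without clientAuth never reaches the user. The alias user01, the CN, the temporary keystore path and the password changeit are placeholders assumed for this example; a JDK keytool is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not taken from the original page: generate the client key pair
# with the flags shown above, then verify the key-usage extensions before the
# keystore is handed out. Assumptions: a JDK keytool is on PATH; the alias, CN,
# keystore path and the password "changeit" are illustrative placeholders.

ALIAS=user01
STORE="${TMPDIR:-/tmp}/user01.jks"
STOREPASS=changeit   # placeholder; use a real secret and keep it out of shell history

# Create the key pair and self-signed certificate. -storepass/-keypass make the
# call non-interactive; otherwise keytool prompts for both passwords.
gen_client_keypair() {
    rm -f "$STORE"   # -genkeypair refuses to reuse an existing alias
    keytool -genkeypair \
        -keyalg RSA -keysize 3072 -sigalg SHA256withRSA \
        -validity 730 \
        -ext KeyUsage:critical=digitalSignature \
        -ext ExtendedKeyUsage:critical=clientAuth \
        -storetype JKS -alias "$ALIAS" -keystore "$STORE" \
        -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -dname "CN=WSUser01,O=T-Systems International,C=DE"
}

# Inspect the generated certificate. Returns 0 only if it carries a critical
# ExtendedKeyUsage (OID 2.5.29.37) containing clientAuth and a critical
# KeyUsage (OID 2.5.29.15) containing DigitalSignature; returns 1 otherwise.
check_client_cert() {
    out=$(keytool -list -v -keystore "$STORE" -storepass "$STOREPASS" -alias "$ALIAS") || return 1
    printf '%s\n' "$out" | grep -q 'ObjectId: 2.5.29.37 Criticality=true' || return 1
    printf '%s\n' "$out" | grep -q 'clientAuth' || return 1
    printf '%s\n' "$out" | grep -q 'ObjectId: 2.5.29.15 Criticality=true' || return 1
    printf '%s\n' "$out" | grep -q 'DigitalSignature' || return 1
    return 0
}

# Whole procedure: 0 = certificate is usable for client authentication,
# 1 = generation or verification failed, 2 = keytool not installed (check skipped).
run_example() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found, skipping" >&2; return 2; }
    gen_client_keypair >/dev/null 2>&1 || { echo "key pair generation failed" >&2; return 1; }
    if check_client_cert; then
        echo "$STORE: alias $ALIAS has critical KU=digitalSignature and EKU=clientAuth"
    else
        echo "$STORE: alias $ALIAS is missing the required key-usage extensions" >&2
        return 1
    fi
}
```

Source the file and call run_example; the keystore is only reported as usable when keytool -list -v shows both extensions with Criticality=true, which is the check worth running before a client certificate is shipped.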