Here are the commands I used to do this:
##################################################################
openssl req -newkey rsa:512 -nodes -out ca.csr -keyout ca.key

openssl x509 -req -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem
echo "02" > ca.srl
keytool -genkey -alias crushftp -keyalg RSA -keysize 512 -keystore crush.keystore -storepass password

keytool -certreq -keyalg RSA -alias crushftp -file crushftp.csr -keystore crush.keystore -storepass password
openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in crushftp.csr -out crushftp.crt -days 365
keytool -import -alias crushftp_ca -keystore crush.keystore -trustcacerts -file ca.pem -storepass password

keytool -import -alias crushftp -keystore crush.keystore -file crushftp.crt -storepass password

keytool -import -alias crushftp_ca -keystore crush.keystore_trust -trustcacerts -file ca.pem -storepass password

openssl req -newkey rsa:512 -nodes -out myuser.req -keyout myuser.key

openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in myuser.req -out myuser.pem -days 365
openssl pkcs12 -export -clcerts -in myuser.pem -inkey myuser.key -out myuser.p12 -name "myuser_certificate"
##################################################################

Now from here on, I just generate new signed certs for my clients: (making sure I give them valid common names that match usernames in CrushFTP.)

openssl req -newkey rsa:512 -nodes -out myuser.req -keyout myuser.key

openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in myuser.req -out myuser.pem -days 365
openssl pkcs12 -export -clcerts -in myuser.pem -inkey myuser.key -out myuser.p12 -name "myuser_certificate"

I will probably implement this for FTP too......but there is only one client that current can do it.