Here are example commands for generating your own Certificate Authority, and signing your own keys to distribute to end users.

{{{
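# Generate the CA private key and signing request (2048-bit RSA; 512-bit keys are too weak to trust)
openssl req -newkey rsa:2048 -nodes -out ca.csr -keyout ca.key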
}}}
Fill in the questions.  Use relevant data, but this information is only for you.
{{{
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Texas
Locality Name (eg, city) []:Dallas
Organization Name (eg, company) [Internet Widgits Pty Ltd]:CrushFTP
Organizational Unit Name (eg, section) []:Development
Common Name (eg, YOUR name) []:www.domain.com
Email Address []:ben@crushftp.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
}}}
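Now we self-sign the request with the CA private key to produce the CA certificate (ca.pem), and create the serial number file used when signing client certificates.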
{{{
openssl x509 -req -trustout -signkey ca.key -days 365 -in ca.csr -out ca.pem
echo "02" > ca.srl
}}}
And finally, we import the CA certificate (the public half of our signing key) into our trust store so we can validate the signed certificates users submit.  The file name "crush.keystore_trust" is specific: it must be in the same folder as the real keystore file for the server port, and must have the exact same name and password, except that its name ends with "_trust".  So in this case we expect to have a keystore named "crush.keystore".
{{{
keytool -import -alias crushftp_ca -keystore crush.keystore_trust -trustcacerts -file ca.pem -storepass password
}}}

From here on, we just generate new signed certificates for your clients.  The key part is to set the client's common name to "NOLOGIN_myuser" if you want to force them to still enter a user/pass.  Otherwise, if you set their common name to a valid username, they will be able to log in without a user/pass.
{{{
# Client key and signing request; enter the username (or NOLOGIN_username) as the Common Name
openssl req -newkey rsa:2048 -nodes -out myuser.req -keyout myuser.key

openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in myuser.req -out myuser.pem -days 365
openssl pkcs12 -export -clcerts -in myuser.pem -inkey myuser.key -out myuser.p12 -name "myuser_certificate"
}}}
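
Because the common name decides whether a certificate alone is enough to log in, it is worth checking each client certificate before you distribute it. The script below is an added example, not part of the original instructions or of CrushFTP: it verifies that a certificate chains to your CA and reports whether its common name carries the "NOLOGIN_" prefix. The function names, the demo CA created with `req -x509`, and the sample users alice and bob are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify a client certificate before distributing it.
# Assumption (from the text above): the certificate Common Name is treated as
# the username, and a "NOLOGIN_" prefix still forces a user/pass prompt.

# cert_cn FILE: print the subject Common Name of a PEM certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p' | head -n 1
}

# classify_client_cert CA_PEM CLIENT_PEM
# Prints UNTRUSTED, "PASSWORD_REQUIRED <user>" or "PASSWORDLESS <user>".
classify_client_cert() {
    if ! openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo "UNTRUSTED"
        return 1
    fi
    cn=$(cert_cn "$2")
    case "$cn" in
        NOLOGIN_*) echo "PASSWORD_REQUIRED ${cn#NOLOGIN_}" ;;
        *)         echo "PASSWORDLESS $cn" ;;
    esac
}

# make_demo_pki DIR: constructed sample data. Builds a throwaway CA
# (created with "req -x509" for brevity), two client certificates signed by
# it, and one self-signed certificate that does not chain to the CA.
make_demo_pki() {
    ( cd "$1" || exit 1
      openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" \
          -keyout ca.key -out ca.pem -days 365 2>/dev/null
      for cn in NOLOGIN_alice bob; do
          openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
              -out "$cn.req" -keyout "$cn.key" 2>/dev/null
          openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial \
              -in "$cn.req" -out "$cn.pem" -days 365 2>/dev/null
      done
      openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=bob" \
          -keyout rogue.key -out rogue.pem -days 1 2>/dev/null )
}

# Usage: sh check_cert.sh ca.pem myuser.pem
if [ "$#" -eq 2 ]; then
    classify_client_cert "$1" "$2"
fi
```

A "PASSWORDLESS" result means that anyone holding the matching .p12 file can log in as that user with no further credential, so handle and store that file accordingly.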