These steps can be used to generate a private key and CSR which can be signed by the Cloudflare CA for mTLS connections from clients.
For security, these steps should be done from a temporary directory (e.g. a RAM file system).
Generate the private key:
openssl ecparam -name prime256v1 -genkey -noout -out key.pem
Optionally, export the public key:
openssl ec -in key.pem -pubout -out pubkey.pem
Create the CSR:
openssl req -new -key key.pem -out csr.pem
The CSR (csr.pem) can then be signed from the Cloudflare client certificates page.
The signed certificate can then be exported, together with the private key, into a pfx file (e.g. for use with web browsers or mobile devices):
openssl pkcs12 -export -out certificate.pfx -in certificate.pem -inkey key.pem
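
As an added example (not part of the original page and not Cloudflare tooling), the steps above can be wrapped in shell functions that keep the key files owner-only, check the CSR before upload, and refuse to build the pfx when the signed certificate does not carry the public key of key.pem. The function names, the -subj value and the PFX_PASS environment variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example. Function names, the subject and PFX_PASS are assumptions.

# Create key.pem and csr.pem in directory $1 with subject $2 (e.g. "/CN=laptop").
make_key_and_csr() (
    umask 077                       # new files are readable by the owner only
    cd "$1" || exit 1
    openssl ecparam -name prime256v1 -genkey -noout -out key.pem &&
    openssl req -new -key key.pem -subj "$2" -out csr.pem &&
    # Confirm the CSR's self-signature before it is uploaded for signing.
    openssl req -in csr.pem -noout -verify 2>&1 | grep -q "verify OK"
)

# Print the SHA-256 of the public key (DER SubjectPublicKeyInfo) in file $2.
# $1 says what the file is: key, csr or cert. Fails if the file cannot be parsed.
spki_fp() {
    case $1 in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    false ;;
    esac || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# True only if both files parse and hold the same public key.
# Usage: same_key key key.pem cert certificate.pem
same_key() {
    a=$(spki_fp "$1" "$2") && b=$(spki_fp "$3" "$4") && [ "$a" = "$b" ]
}

# Export $1/certificate.pfx, refusing a certificate that does not match key.pem.
# The export password is read from the PFX_PASS environment variable.
export_pfx() (
    umask 077
    cd "$1" || exit 1
    same_key key key.pem cert certificate.pem || exit 1
    openssl pkcs12 -export -out certificate.pfx -in certificate.pem \
        -inkey key.pem -passout env:PFX_PASS
)
```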