X509: certificate relies on legacy Common Name field, use SANs instead

Thanks for that. FWIW, the ziti cli supports building your own CA too... For my money, it's easier than running the openssl commands, but doing it with openssl and understanding what it's doing is really valuable (just a longer path to take). The expressInstall makes a bunch on your behalf.

You can also run:

ziti pki create ca

or

cd ~
mkdir mypki
ziti pki create ca --pki-root=$(pwd)/mypki --ca-file "my-super-secret.ca" --ca-name "my-super-secret.ca"

now you have a folder:

ll ~/mypki/my-super-secret.ca/
total 36
drwxr-xr-x 5 ubuntu ubuntu 4096 May  2 11:47 ./
drwxrwxr-x 3 ubuntu ubuntu 4096 May  2 11:47 ../
drwxr-xr-x 2 ubuntu ubuntu 4096 May  2 11:47 certs/
-rw-rw-r-- 1 ubuntu ubuntu    3 May  2 11:47 crlnumber
drwx------ 2 ubuntu ubuntu 4096 May  2 11:47 crls/
-rw-rw-r-- 1 ubuntu ubuntu  138 May  2 11:47 index.txt
-rw-rw-r-- 1 ubuntu ubuntu   20 May  2 11:47 index.txt.attr
drwx------ 2 ubuntu ubuntu 4096 May  2 11:47 keys/
-rw-rw-r-- 1 ubuntu ubuntu    3 May  2 11:47 serial

All kinds of stuff in there to dig into... if you want. Or you can be happy that someone in the ziti cli did it all for you already :slight_smile:

Then you can make a client cert with:

ziti pki create client --pki-root=$(pwd)/mypki --ca-name=my-super-secret.ca  --client-name client

(make sure you use the FULL path to the pki-root, as I show using $(pwd), or type the full path)

Here's mine:

find mypki/ -name "*client*"
mypki/my-super-secret.ca/certs/client.cert
mypki/my-super-secret.ca/keys/client.key

I'll carry this conversation to your other thread now, and probably refer to these commands when responding to your other post at: Creating Endpoint with your own Certificate Authority - #9 by markamind
