If you have a domain, you could get a valid TLS certificate from Let’s Encrypt via a DNS challenge. Such certificates should work on the client right away.
Otherwise, this thread seems to cover what you are intending to do: Unable to use TLS client certificate