creating client certificates

Client certificate authentication in IIS (or most HTTPDs) is somewhat complicated. You have to map the users to the certificate. The certificates themselves can be issued by any CA that the server trusts; you can setup an AD CS instance to issue the certs, or even use a local copy of OpenSSL to create the certs if you wanted.

There's an article on IIS.net describing Client Certificate Mapping; with information about enabling it and programmatically associating certificates with users.

Edit:
The ultra-short version of issuing client certs with OpenSSL.

1. openssl genrsa -des3 -out my_ca.key 4096
2. openssl req -new -key my_ca.key -out my_ca.csr
3. openssl x509 -req -days 365 -in my_ca.csr -signkey my_ca.key -out my_ca.crt
   You now have a CA certificate and key.
4. For each of the client certificates you'll generate you need a Cert Signing Request. You can use the same cert for every user if you want, it's not a particularly good idea though and you should definitely require some other form of authentication as well (like a password). Either the clients can generate the CSRs themselves, or you can with openssl again (note that each CSR needs a private key first):
   openssl genrsa -des3 -out client1.key 1024
openssl req -new -key client1.key -out client1.csr
   

5. Edit your openssl.cnf file and fill in the relevant CA parts. They are:
   

   [ ca ]
   default_ca      = CA_default            # The default ca section
   
   [ CA_default ]
   dir            = ./                    # top dir
   database       = $dir/my_ca.index      # index file.
   new_certs_dir  = $dir/newcerts         # new certs dir
   certificate    = $dir/my_ca.crt        # The CA cert
   serial         = $dir/my_ca.srl        # serial no file
   private_key    = $dir/my_ca.key        # CA private key
   RANDFILE       = $dir/rand             # random number file
   default_days   = 365                   # how long to certify for
   default_crl_days= 30                   # how long before next CRL
   default_md     = md5                   # md to use
   policy         = policy_any            # default policy
   email_in_dn    = no                    # Don't add the email into cert DN
   name_opt       = ca_default            # Subject name display option
   cert_opt       = ca_default            # Certificate display option
   copy_extensions = none                 # Don't copy extensions from request
   
   [ policy_any ]
   countryName            = supplied
   stateOrProvinceName    = optional
   organizationName       = optional
   organizationalUnitName = optional
   commonName             = supplied
   emailAddress           = optional
   

6. Sign the key using the CA cert
   openssl ca -in client1.csr -out client1.crt

7. If you created the key and CSR for the client you'll need to export them. Export the certificate pair to a PKCS12 file so the client can import it.
   openssl pkcs12 -export -in client1.crt -inkey client1.key -out client1.p12
8. If you completed #7, send the client the PKCS12 file you created; otherwise send them the Certificate from #6.

Note that this is a poor way to issue signed certificates because it simply grants whatever type of certificate the CSR specified. Be sure to pay attention to what you're doing. If you're going to issue a lot of certificates you'll need to invest some time in a more secure setup.