I can only guess you need to create a key, a signing request, and finally a certificate, in that order. The typical way to do that is with OpenSSL:
$ openssl genpkey ... -out <key-file>
$ openssl req -in <key-file> ... -out <sing-req-file>
$ openssl x509 -in <sign-req-file> ... -out <cert-file>
There are algorithm types of keys of which RSA and elliptic curves like prime-256 and prime-512, which are not ‘safe curves’. There is a webpage listing 'safe curves’. Implementation of safe curves is not common, but OpenSSH (not L but H) has Edward 25519. Note that the key file has both the public and private keys. A file with just the public key can be made and can be publicized freely, but not the file with the private key (really the key pair).
The best free documentation on using OpenSSL is OpenSSL Cookbook by Ivan Ristić. The instructions for acme-tiny are helpful as a use case using OpenSSL. I am not sure what your use case is. I have only gotten a domain certificate using the ACME protocol. I have never validated the client to the server. The server will need something to identify the client. The server might have a key with which to sign the client certificate. There must be some documentation out there to explain it for your use case. The Cookbook demonstrates how to issue a client certificate, but your use case could require adjustment. It’s a complex subject that is not so well documented. The PostgreSQL manual is awesome, which is why PostgreSQL is my favorite database.
You could just go with user-password and leave this for later?
Going by https://www.postgresql.org/docs/current/libpq-ssl.html, it looks to me like you want to read the Cookbook if you want to grind through this. Good luck!