Creating a Public/Private Certificate Pair
A public/private key pair, together with a certificate that carries the public half, lets two parties communicate securely: the certificate can be handed out freely, while the private key stays with its owner. This guide walks through the basics of generating such a pair with OpenSSL so that the public part can be distributed safely. These steps can be used for the Escrow Recovery Key with macOS FileVault 2 encryption, for example, or in many other situations where you need a private key and a matching certificate.
MacOS
The shell in Terminal on macOS (bash on older releases, zsh on current ones) can be used to generate the key and certificate, because macOS ships an OpenSSL-compatible command line tool (LibreSSL). Open Terminal.app on a macOS device, change directory (cd) into the desired location, and run the commands below. Keep the resulting private.pem readable only by you; it is the one file in this procedure that must never be shared.
Generate the private.pem key:
openssl genrsa -out private.pem 2048
Generate the public.pem key:
openssl rsa -in private.pem -outform PEM -pubout -out public.pem
Create a CSR (Certificate Signing Request) certificate.csr:
openssl req -new -key private.pem -out certificate.csr
If you intend to have your certificate signed by a CA (Certificate Authority), send this .csr file to the CA of your choice. The CA will return a certificate which you can use instead of the self-signed certificate.crt (below). The CSR contains only the public key and the subject details, so it is safe to send.
Create a self-signed certificate.crt:
openssl x509 -req -days 3650 -in certificate.csr -signkey private.pem -out certificate.crt
This certificate.crt is a self-signed certificate containing only the public key, so it can be safely shared with others. The private.pem it was signed with stays private; without it, nothing encrypted to this certificate (such as an escrowed FileVault recovery key) can be decrypted.
For use with FileVault Recovery Key Escrow payloads, convert the .crt file into a .der file. The payload expects a DER-encoded certificate; if you supply the PEM-encoded .crt, macOS devices will reject it with: "Error: The encryption certificate referenced by the FileVault Recovery Key Escrow payload is invalid or does not support encryption."
Convert a .crt into a .der using the following openssl command:
openssl x509 -outform der -in certificate.crt -out certificate.der
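The whole procedure above, collected into one script with the checks a practitioner would run before shipping the certificate, is given below as an added example; it is not part of the original guide. It assumes `openssl` is on the PATH (LibreSSL on macOS behaves the same for these subcommands), takes the subject as a `-subj` argument so the CSR step does not prompt interactively, creates the private key under a restrictive umask, and then confirms that the certificate really carries the public key derived from private.pem, that the certificate is self-signed, and that the .der file is the same certificate as the .crt. The directory and subject values are placeholders.

```shell
#!/bin/sh
# Added example: generate a FileVault escrow key pair, self-signed certificate and
# DER copy with OpenSSL, then verify the artifacts belong together.
# Assumed: openssl on PATH; $1 is an output directory, $2 a subject such as
# "/CN=FileVault Escrow/O=Example Corp" (placeholder values).
set -eu

make_escrow_cert() {
    dir="$1"
    subj="$2"
    mkdir -p "$dir"

    # Private key: created in a subshell with umask 077 so it is owner-readable only.
    (umask 077 && openssl genrsa -out "$dir/private.pem" 2048 2>/dev/null)

    # Public key (informational; the CSR and certificate derive it from private.pem).
    openssl rsa -in "$dir/private.pem" -outform PEM -pubout -out "$dir/public.pem" 2>/dev/null

    # CSR with a fixed subject so the command does not prompt.
    openssl req -new -key "$dir/private.pem" -subj "$subj" -out "$dir/certificate.csr" 2>/dev/null

    # Self-signed certificate, valid ten years, SHA-256 signature.
    openssl x509 -req -days 3650 -sha256 -in "$dir/certificate.csr" \
        -signkey "$dir/private.pem" -out "$dir/certificate.crt" 2>/dev/null

    # DER copy for the FileVault Recovery Key Escrow payload.
    openssl x509 -outform der -in "$dir/certificate.crt" -out "$dir/certificate.der"
}

# Returns 0 when the public key inside certificate.crt is byte-identical to the
# public key derived from private.pem (both as PEM "PUBLIC KEY" blocks).
cert_matches_key() {
    dir="$1"
    openssl pkey -in "$dir/private.pem" -pubout -out "$dir/key_pub.check" 2>/dev/null
    openssl x509 -in "$dir/certificate.crt" -noout -pubkey > "$dir/cert_pub.check"
    cmp -s "$dir/key_pub.check" "$dir/cert_pub.check"
}

# Returns 0 when issuer and subject are the same, i.e. the certificate is self-signed.
# The leading "subject=" / "issuer=" labels are stripped before comparing.
is_self_signed() {
    dir="$1"
    subj=$(openssl x509 -in "$dir/certificate.crt" -noout -subject | sed 's/^[^=]*=//')
    issr=$(openssl x509 -in "$dir/certificate.crt" -noout -issuer  | sed 's/^[^=]*=//')
    [ -n "$subj" ] && [ "$subj" = "$issr" ]
}

# Returns 0 when the DER file and the PEM file have the same SHA-256 fingerprint,
# so the payload receives exactly the certificate that was inspected.
der_matches_pem() {
    dir="$1"
    pem_fp=$(openssl x509 -in "$dir/certificate.crt" -noout -fingerprint -sha256)
    der_fp=$(openssl x509 -inform der -in "$dir/certificate.der" -noout -fingerprint -sha256)
    [ -n "$pem_fp" ] && [ "$pem_fp" = "$der_fp" ]
}

# Usage (only when run directly, not when sourced for testing):
if [ "${0##*/}" = "make_escrow_cert.sh" ]; then
    out="${1:-./escrow}"
    make_escrow_cert "$out" "${2:-/CN=FileVault Escrow/O=Example Corp}"
    cert_matches_key "$out" && is_self_signed "$out" && der_matches_pem "$out" \
        && echo "OK: $out/certificate.der is ready for the escrow payload; keep $out/private.pem secret"
fi
```

Save the block as `make_escrow_cert.sh` and run it with an output directory and subject to reproduce the guide's steps non-interactively. Only `certificate.der` (or `certificate.crt`) leaves the machine; `private.pem` is what decrypts escrowed recovery keys later, so back it up somewhere access-controlled rather than alongside the profile.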