A private key and its matching public key (normally distributed inside an X.509 certificate) can be used to communicate securely between two entities: anyone holding the certificate can encrypt data or verify signatures, but only the holder of the private key can decrypt or sign. This guide walks through the basics of generating such a key pair and certificate with OpenSSL so that the public half can be distributed safely while the private half stays with you. These steps can be used for the Escrow Recovery Key with macOS FileVault 2 encryption, for example, or in many other situations where you need a private key and a public certificate.
Set Up the Certificates
The openssl command-line tool that ships with macOS can be run from the shell in Terminal. Open Terminal.app on a macOS device, change directory (cd) into the location where the files should live (a directory only your user can read, since the private key is written unencrypted), and run the commands below.
- Generate the 2048-bit RSA private key private.pem (this file must never be shared; keep it readable only by your own user):
openssl genrsa -out private.pem 2048
- Derive the public key public.pem from the private key:
openssl rsa -in private.pem -outform PEM -pubout -out public.pem
- Create a CSR (Certificate Signing Request) certificate.csr (you will be prompted for the subject fields, such as the Common Name):
openssl req -new -key private.pem -out certificate.csr
If you intend to have your certificate signed by a CA (Certificate Authority), send this .csr file (never the private key) to the CA of your choice. The CA will return a certificate that can be used instead of the self-signed certificate.crt below.
- Otherwise, create a self-signed certificate.crt, valid for 3650 days (ten years):
openssl x509 -req -days 3650 -in certificate.csr -signkey private.pem -out certificate.crt
This certificate.crt is a self-signed certificate; like public.pem, it contains only the public key and can be safely shared with others. private.pem is the secret half of the pair and must stay where it was generated: whoever holds it can decrypt anything encrypted to the certificate (such as an escrowed FileVault recovery key), so it should be backed up only to a location with equivalent protection.
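The whole procedure above, scripted non-interactively and followed by the checks a practitioner would want before handing the certificate out. This is an added example, not code from the original page: it writes the same four files into a directory of your choosing, creates the private key with 0600 permissions, passes the subject on the command line instead of answering prompts, and then confirms that the public key inside certificate.crt is the one derived from private.pem and that the certificate verifies against itself. The function names and the "/CN=..." subject are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): generate private.pem, public.pem,
# certificate.csr and a self-signed certificate.crt, then verify the result.
# Assumes the openssl (or LibreSSL) command-line tool is on PATH.
set -eu

# gen_cert_bundle DIR COMMON_NAME [DAYS]
# Writes the four files from the guide into DIR. The private key is created in
# a subshell with umask 077 so it is never world-readable, even for an instant.
gen_cert_bundle() {
  dir=$1; cn=$2; days=${3:-3650}
  mkdir -p "$dir"
  (
    umask 077
    # 2048-bit RSA private key (unencrypted, so file permissions are its only protection)
    openssl genrsa -out "$dir/private.pem" 2048 2>/dev/null
  )
  chmod 600 "$dir/private.pem"
  # Public key, derived from the private key
  openssl rsa -in "$dir/private.pem" -outform PEM -pubout -out "$dir/public.pem" 2>/dev/null
  # CSR; "-subj" supplies the subject so no interactive prompts appear (assumed CN layout)
  openssl req -new -key "$dir/private.pem" -subj "/CN=$cn" -out "$dir/certificate.csr" 2>/dev/null
  # Self-signed certificate, signed with the same private key
  openssl x509 -req -days "$days" -in "$dir/certificate.csr" \
    -signkey "$dir/private.pem" -out "$dir/certificate.crt" 2>/dev/null
  # Only these two files are meant to be shared
  chmod 644 "$dir/public.pem" "$dir/certificate.crt"
}

# cert_matches_key DIR
# Returns 0 when the SubjectPublicKeyInfo embedded in certificate.crt is
# byte-for-byte the public key derived from private.pem (compared via SHA-256 of the DER).
cert_matches_key() {
  dir=$1
  from_cert=$(openssl x509 -in "$dir/certificate.crt" -noout -pubkey \
              | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  from_key=$(openssl pkey -in "$dir/private.pem" -pubout -outform DER | openssl dgst -sha256)
  [ "$from_cert" = "$from_key" ]
}

# is_self_signed DIR
# Returns 0 when subject and issuer are identical and the certificate
# verifies using itself as the only trust anchor.
is_self_signed() {
  dir=$1
  subj=$(openssl x509 -in "$dir/certificate.crt" -noout -subject)
  iss=$(openssl x509 -in "$dir/certificate.crt" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ] || return 1
  openssl verify -CAfile "$dir/certificate.crt" "$dir/certificate.crt" >/dev/null 2>&1
}

# key_perms_ok FILE
# Returns 0 when FILE is readable and writable by its owner only (-rw-------).
key_perms_ok() {
  mode=$(ls -ld "$1" | cut -c1-10)
  [ "$mode" = "-rw-------" ]
}

# Usage when run directly:  sh mkcert.sh <outdir> <common-name>
if [ -n "${1:-}" ]; then
  gen_cert_bundle "$1" "${2:-self-signed}"
  cert_matches_key "$1" && is_self_signed "$1" && key_perms_ok "$1/private.pem" \
    && echo "OK: share only $1/certificate.crt and $1/public.pem; keep $1/private.pem secret"
fi
```

The two verification functions are the checks worth running before distributing anything: a certificate whose public key does not match the private key you kept is useless for recovery, and a permission check catches the common mistake of generating the key in a shared or synced folder.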