Skip to main content
Cisco Meraki

Creating a Public/Private Certificate Pair

A public/private certificate pair can be used to communicate securely between two entities. This guide will walk through the basics for generating a public/private certificate pair for safe & secure distribution. These steps can be used for the Escrow Recovery Key with macOS FileVault 2 encryption, for example, or in many other situations where you need a private/public certificate pair. 


The default bash shell in Terminal on macOS can be used to generate the certificates. Simply open on a macOS device, change directory (cd) into the desired location, and run the commands below. 


  1. Generate the private.pem key:

    openssl genrsa -out private.pem 2048

  2. Generate the public.pem key:

    openssl rsa -in private.pem -outform PEM -pubout -out public.pem

  3. Create a CSR (Certificate Signing Request) certificate.csr:

    openssl req -new -key private.pem -out certificate.csr

    If you intend on having your key signed by a CA (Certificate Authority) you can send this .csr file to the CA of choice. The CA will return a certificate which can use instead of the self-signed cert .crt (below). 

  4. Create a self-signed certificate.crt:

    openssl x509 -req -days 3650 -in certificate.csr -signkey private.pem -out certificate.crt

    This certificate.crt is a self-signed certificate which can be safely shared with others.