Skip to main content
Cisco Meraki Documentation

Creating a Public/Private Certificate Pair

A public/private certificate pair can be used to communicate securely between two entities. This guide will walk through the basics for generating a public/private certificate pair for safe & secure distribution. These steps can be used for the Escrow Recovery Key with macOS FileVault 2 encryption, for example, or in many other situations where you need a private/public certificate pair. 


The default bash shell in Terminal on macOS can be used to generate the certificates. Simply open on a macOS device, change directory (cd) into the desired location, and run the commands below. 


Generate the private.pem key:

openssl genrsa -out private.pem 2048

Generate the public.pem key:

openssl rsa -in private.pem -outform PEM -pubout -out public.pem

Create a CSR (Certificate Signing Request) certificate.csr:

openssl req -new -key private.pem -out certificate.csr

If you intend on having your key signed by a CA (Certificate Authority) you can send this .csr file to the CA of choice. The CA will return a certificate which can use instead of the self-signed cert .crt (below).

Create a self-signed certificate.crt:

openssl x509 -req -days 3650 -in certificate.csr -signkey private.pem -out certificate.crt

This certificate.crt is a self-signed certificate which can be safely shared with others.

For use with FileVault Recovery Key Escrow payloads, convert the .crt file into a .der file. MacOS devices will reject .crt files "Error: The encryption certificate referenced by the FileVault Recovery Key Escrow payload is invalid or does not support encryption."

Convert a .crt into a .der using the following openssl command:

openssl x509 -outform der -in certificate.crt -out certificate.der