Generating a CSR for S/MIME Certificates on macOS Using Keychain Access
Christopher Lee
macOS builds Certificate Signing Request (CSR) generation directly into Keychain Access, and using it for a Secure/Multipurpose Internet Mail Extensions (S/MIME) order has one elegant consequence. The Private Key is created inside your keychain and never exists as a file, so when the issued E-Mail Certificate arrives, a double click pairs the two and Apple Mail is ready to sign.
Generating the Request
Open Keychain Access, found in the Utilities folder, and from the menu bar choose Certificate Assistant followed by the option to request an SSL Certificate or E-Mail Certificate from a Certificate Authority (CA).
Enter the e-mail address the E-Mail Certificate will protect, exactly as you send from, and your name as the common name. Leave the CA address blank, choose the option to save the request to disk, and tick the choice to specify key pair information, selecting RSA at 2048 bits.
The assistant writes the request file to the chosen location and quietly creates the key pair in your login keychain, where the Private Key stays throughout. Submit the request file contents when placing your order, then complete the mailbox validation that confirms control of the address. Learn About S/MIME Mailbox Validated E-Mail Certificates 🔗
Installing the Issued E-Mail Certificate
Download the issued E-Mail Certificate from the tracking system once validation completes. View Our Tracking & SSL Management 🔗
Double click the downloaded file and Keychain Access imports it into the login keychain, matching it to the waiting Private Key automatically. Opening the entry afterward shows the pairing, with the E-Mail Certificate expandable to reveal its Private Key beneath it.
Install the Intermediate Certificates from the ca-bundle the same way, which lets recipients validate your signatures cleanly. Learn About Intermediate Certificates 🔗
Signing from Apple Mail
Quit and reopen Apple Mail, then compose a message from the matching address. A signature button appears beside the subject line, enabled by default, and an encryption button beside it activates per recipient as their public E-Mail Certificates become known through signed messages they send you.
Note: Mail matches the E-Mail Certificate to the sending address character for character. Sending from an alias, or from the same mailbox under a different address, leaves the buttons missing even though the keychain entry is perfect, and the fix is sending from the covered address.
Beyond the address rule, little goes wrong, and the problems that do arise have clear symptoms.
Troubleshooting
An imported E-Mail Certificate showing no Private Key beneath it either landed in a different keychain from the one holding the key, or the request was regenerated between submission and issuance. Confirm the login keychain holds both, and complete a reissue against a fresh request when the original key is gone. Learn About Reissuing Your Certificate 🔗
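Two checks a practitioner would want around the steps above, the request file written by Certificate Assistant and the issued E-Mail Certificate paired against its key, as an added Terminal example that is not part of this article or of Keychain Access. It assumes openssl is on the path; the file names, addresses and the final macOS-only security command are assumptions for illustration.

```shell
#!/bin/sh
# Added helper (not from Keychain Access): inspect the CSR that Certificate
# Assistant saved, then confirm the issued certificate belongs to its key.

# Print the subject of a PEM request file (Common Name and e-mail address).
csr_subject() {
    openssl req -in "$1" -noout -subject
}

# Return the RSA modulus size in bits of the request's public key.
csr_key_bits() {
    openssl req -in "$1" -noout -pubkey \
        | openssl rsa -pubin -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Before pasting the request into the order form: the subject must carry the
# exact address Mail will send from, and the key must be RSA 2048 or larger.
check_csr() {
    csr=$1; addr=$2
    subj=$(csr_subject "$csr")
    bits=$(csr_key_bits "$csr")
    case "$subj" in
        *"$addr"*) ;;
        *) echo "FAIL: $addr not in subject: $subj"; return 1 ;;
    esac
    if [ -z "$bits" ] || [ "$bits" -lt 2048 ]; then
        echo "FAIL: key is ${bits:-not RSA} bits"; return 1
    fi
    echo "OK: $subj, RSA $bits bits"
}

# Troubleshooting a certificate with no Private Key beneath it: the public key
# in the issued certificate must equal the public key in the request that was
# actually submitted. A mismatch means the request was regenerated in between.
cert_matches_csr() {
    a=$(openssl req -in "$1" -noout -pubkey)
    b=$(openssl x509 -in "$2" -noout -pubkey)
    [ "$a" = "$b" ]
}

# macOS only (assumed usage): list identities the login keychain can sign
# S/MIME with; the new E-Mail Certificate should appear once paired.
keychain_smime_identities() {
    security find-identity -v -p smime
}
```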
Moving the completed identity to another Mac or a mobile device is an export rather than a re-download: select the entry in Keychain Access and export it as a password-protected PKCS #12 file. The configuration steps for Apple mobile devices are covered separately. Learn About S/MIME Configuration for iOS 🔗