How to Generate Your Secure Email Certificate
This guide will help you generate a Certificate Signing Request (CSR) using Keychain on macOS.
Before you proceed, it is highly recommended that you instead use the browser-based certificate generation method which does not require any CSR. Using any browser to generate and collect the certificate will make the installation process much easier.
Use these guides instead if you can use browser-based generation:
If you are required to generate your certificate request in Keychain and cannot use browser-based certificate generation, follow the steps below.
Generating the Request in Keychain
Under the Keychain Access menu, find the Certificate Assistant menu and select Request a Certificate From a Certificate Authority.
Enter the common name and email address in the Certificate Assistant window. For S/MIME and CPAC certificates, the Common Name must be the user’s email address.
Do not enter a CA Email Address. Instead, select Saved to Disk to designate a location on your Mac for the CSR text file to be saved.
Use Finder to locate the CSR file that was saved and right-click to open with TextEdit. You will copy and paste all the text from this file including -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- into the CSR field on the CertificateGeneration order form.
There is no further action needed in Certificate Assistant from this point, so if there are further options, you can simply exit the Assistant window.
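Before pasting the CSR into the order form, you can check the saved file from Terminal. The script below is an added example, not part of the original guide: it confirms the PEM markers are intact, the request's self-signature verifies, and the Common Name is the email address. It assumes the openssl command-line tool is available; the function names, file names and the alice@example.com address are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): checks to run on a CSR file
# before pasting it into an order form. Function names are hypothetical.

# check_csr FILE EMAIL: returns 0 only if every check passes.
check_csr() {
    csr=$1; email=$2
    # 1. Both PEM markers must be intact, each with five plain ASCII hyphens.
    for marker in '-----BEGIN CERTIFICATE REQUEST-----' \
                  '-----END CERTIFICATE REQUEST-----'; do
        grep -qF -- "$marker" "$csr" || { echo "FAIL: missing $marker"; return 1; }
    done
    # 2. The self-signature must verify, which shows the request was signed by
    #    the private key matching its public key and was not altered since.
    #    Match on the message text: older OpenSSL exits 0 even on failure.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' \
        || { echo "FAIL: self-signature does not verify"; return 1; }
    # 3. The Common Name must be exactly the email address.
    cn=$(openssl req -in "$csr" -noout -subject -nameopt multiline 2>/dev/null \
         | sed -n 's/^ *commonName *= *//p')
    [ "$cn" = "$email" ] || { echo "FAIL: CN is '$cn', expected '$email'"; return 1; }
    echo "OK: CN=$cn, self-signature valid"
}

# Constructed sample input: a throwaway key and CSR standing in for the file
# that Keychain saves to disk. Writes the CSR to $1 and the key to $1.key.
make_sample_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -subj "/CN=$2/emailAddress=$2" >/dev/null 2>&1
}

# Demo on the constructed sample; for a real request, call check_csr with the
# path of the file saved by Certificate Assistant and your own address.
demo_dir=$(mktemp -d)
make_sample_csr "$demo_dir/sample.csr" "alice@example.com"
check_csr "$demo_dir/sample.csr" "alice@example.com"
```
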
Where Is the Private Key?
To locate the private key in Keychain, search for the CSR common name in All Items in the Login keychain. There should be a public key (the CSR) and a private key matching the common name you entered when generating the CSR.
Make sure to never share or delete this private key, as you will need this file when you are ready to finalize and export your certificate.
Next Steps
After you submit your order, you may be required to complete validation before the certificate is issued.
When the certificate is issued, you can download it and import it into Keychain to finish the installation.
You may also need to import an Intermediate CA certificate for the secure email certificate to be trusted in Keychain. If the intermediate certificate is not included in your certificate download folder, you can obtain the correct file from your Certificate Authority at the links below:
DigiCert Intermediate and Root Certificates
- Go to May 2022: New Intermediate CA Certificates and download DER/CRT named DigiCert Assured G2 SMIME RSA4096 SHA384 2024 CA 1
Sectigo/Comodo Intermediate and Root Certificates
- Go to Secure Email and download Sectigo RSA Client Authentication and Secure Email CA