Create your own SSL CA with the OS X Keychain

Vincent Danen explains how to use the Certificate Assistant that comes with Mac OS X to create your own CA with the help of the OS X Keychain Assistant.

In a previous tip, we looked at how to import SSL Certificate Authority certificates into the OS X keychain in order to easily trust SSL certificates for services that were not signed by big CAs like VeriSign or Equifax, amongst many others.

If you want to have SSL-based services in your internal organization or on your LAN, however, creating your own CA can be difficult to do or manage if you have never done it before. There are tools now to make it easier than it used to be: the OS X Keychain Assistant is one of these tools.

To begin, launch the OS X Keychain Assistant application. When opened, select Keychain Assistant from the menu bar, then select Certificate Assistant. From the next sub-menu that opens, select Create A Certificate Authority. This will open the Certificate Assistant and walk you through the steps to create your own Certificate Authority with which you can then sign SSL certificates.

Give your CA a name, and use Self Signed Root CA for the identity type. For User Certificate, leave the default as-is (S/MIME Email; this will get changed later). On the next page, change the validity period if you wish (default is one year), and select Create A CA Web Site. Next, fill in information used to create the certificate: City, State, Country, and so forth. The next screens detail key size and encryption type; leaving this at 2048-bit RSA is fine. Finally, on the Key Usage Extension pane, ensure that Signature, Certificate Signing, and CRL Signing are checked.

When you reach the Extended Key Usage Extension page, make sure Any is selected if you want this CA to be able to sign all types of SSL certificates. If it is only to sign specific types of SSL certificates (e.g., SSL clients only), then ensure that only those capabilities you want are checked. On the next page, you get to select the requested capabilities from users; also check Any here so that the CA may sign any type of request. Finally, on the next page, make sure the settings Include Basic Constraints Extension and Use This Certificate as a certificate authority are both enabled.

There are other pages of the process that were not mentioned; it is safe to leave those at their defaults. The last pane asks which keychain the certificate should be stored in and whether to trust certificates signed by this CA on the local machine. Select a keychain (system, login, or another you create specifically to handle the CA and its requests), and enable the trust check.

Now that the CA is created, you can create certificates and signing requests using the Certificate Assistant as well. To quickly create a certificate for a Web site, click Create A Certificate in the Keychain Assistant pull-down menu. For the name, use the name of the Web site, and for the identity type, select Leaf. For the certificate type, select SSL Client. When asked to choose a CA issuer, select the CA you just created.

The key and certificate will be saved to the keychain you chose earlier and will be created with a default one-year expiry. Looking in the Keychain Assistant, you will see the certificate and the RSA private key associated with it. Right-click on the private key, and you will see the option Request A Certificate From Certificate Authority; if you select this option, you will again open Certificate Assistant and will then be able to create a certificate request (Figure A). In the open window, use the Common Name field for the URL of the service (i.e., to create an SSL certificate for, use as the CN, or an email address for an S/MIME email certificate, etc.) and then save the request to disk.

Figure A

In the Finder, double-click the .certSigningRequest file that was generated. Certificate Assistant will open again and allow you to sign the certificate with the CA you just created. Select Let Me Override Defaults to further customize the certificate you are creating (the way Certificate Assistant creates the request uses too many defaults to be useful, so you'll probably want to do this).

Many of the screens you then go through will be similar to those you saw when setting up the CA in the first place. Of primary interest is the Extended Key Usage Extension screen, which is where you select what type of certificate this will be; for an HTTPS site, for instance, select SSL Server Authentication.

The Certificate Assistant asks a lot of questions, some of which may be unfamiliar. The help provided will assist you in making the right choices. For a basic LAN or internal network, using the Certificate Assistant can make using and creating SSL certificates easier. Other tools are available, but the Certificate Assistant comes with every Mac and may be easier for the uninitiated to use.