How to generate a CSR for SSL/TLS certificates on macOS using Keychain Access
Overview
By the end of this guide, you will have generated a Certificate Signing Request (CSR) on macOS and a matching private key that you can submit to a Certificate Authority (CA) to obtain an SSL/TLS certificate. It covers the prerequisites, the Keychain Access method using Certificate Assistant, and the OpenSSL command-line method, and explains the fields a CSR requires, such as the Common Name (your server's Fully Qualified Domain Name, or FQDN). The OpenSSL method creates a 2048-bit RSA (Rivest-Shamir-Adleman) key pair.
Prerequisites
- Access to Keychain Access (/Applications/Utilities/Keychain Access.app)
- A macOS system with OpenSSL installed (for the command-line method)
- Your server's Common Name, or Fully Qualified Domain Name (FQDN), as it should appear on the certificate
Method 1: Generate a CSR using Keychain Access
Open Keychain Access from /Applications/Utilities/Keychain Access.app.
Fig 1: Navigate to Keychain Access from the Applications > Utilities folder.
Fig 2: Search for and open Keychain Access on macOS.
In the menu bar, choose Keychain Access > Certificate Assistant > Request a Certificate From a Certificate Authority.
Fig 3: In the menu bar, select Keychain Access > Certificate Assistant > Request a Certificate from a Certificate Authority.
Fig 4: In the menu bar, select Keychain Access > Certificate Assistant > Request a Certificate from a Certificate Authority.
Enter the request details: your email address and the Common Name (CN), which is your server's FQDN. Leave CA Email Address blank unless instructed. Set Request to "Saved to disk" and click Continue.
Fig 5: Enter the certificate request details, choose “Saved to disk,” and click Continue.
Choose a filename and location to save the CSR, click Show in Finder to locate it, then click Done.
Fig 6: Choose a filename and location to save the CSR, then click Done.
Confirm the key pair: in Keychain Access, click All Items and search for your Common Name to verify the key pair was created.
Fig 7: Verify that the private and public key pair has been created in Keychain Access.
Open the .certSigningRequest file in a text editor to view or copy its contents during certificate setup.
Fig 8: Open the generated CSR file in a text editor to view or copy its contents.
Submit the CSR to Sectigo. Once the certificate is issued, import it into Keychain Access to complete the setup.
Method 2: Generate a CSR using OpenSSL
Open Terminal from Applications > Utilities > Terminal.
Generate a 2048-bit RSA private key and CSR:
openssl req -newkey rsa:2048 -keyout private.key -out server.csr -nodes
When prompted, enter the certificate details:
- Country (C): two-letter country code (for example, US)
- State or Province (ST): full state or province name
- Locality (L): city
- Organization (O): company name
- Organizational Unit (OU): department (optional)
- Common Name (CN): the domain name (for example, example.com)
- Email Address: optional
Verify the CSR:
openssl req -text -noout -verify -in server.csr
This produces server.csr (submit it to the Certificate Authority) and private.key (keep it secure and never share it).
Important notes
- Do not delete or lose the private key after submitting the CSR.
- Install the issued certificate on the same system where the private key was generated.
- For SSL/TLS certificates, the Common Name (CN) must exactly match the domain name.
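The points above can be checked before the CSR is submitted. The script below is an added example, not part of the original guide: it runs the Method 2 command without prompts, then confirms that the CSR verifies, was produced from the private key on disk, carries the expected Common Name, and that the key file is readable only by its owner. The function names make_csr and check_csr and the subject values are assumptions.

```shell
#!/bin/sh
# Added example. Function names and subject values are assumptions.

# make_csr FQDN KEY_OUT CSR_OUT: Method 2 without the interactive prompts.
make_csr() {
    (
        umask 077   # the private key is created readable by its owner only
        openssl req -newkey rsa:2048 -nodes -keyout "$2" -out "$3" \
            -subj "/C=US/ST=Example State/L=Example City/O=Example Org/CN=$1" \
            >/dev/null 2>&1
    )
}

# check_csr FQDN KEY CSR: returns 0 only if every pre-submission check passes.
check_csr() {
    fqdn=$1 key=$2 csr=$3

    # 1. The CSR's self-signature must verify. The message wording differs
    #    between OpenSSL and LibreSSL versions, but all contain "verify OK".
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" || {
        echo "FAIL: CSR signature does not verify" >&2; return 1; }

    # 2. The public key in the CSR must be the one derived from the private key.
    csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ] || {
        echo "FAIL: CSR was not generated from $key" >&2; return 1; }

    # 3. The Common Name must be exactly the expected FQDN.
    subject=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 2>/dev/null)
    case "$subject," in
        *"CN=$fqdn,"*) ;;
        *) echo "FAIL: CN is not $fqdn ($subject)" >&2; return 1 ;;
    esac

    # 4. The private key file must not be accessible to group or others.
    case "$(ls -l "$key" | cut -c1-10)" in
        -???------) ;;
        *) echo "FAIL: $key is accessible to other users" >&2; return 1 ;;
    esac
    echo "OK: $csr matches $key and names $fqdn"
}

# Usage: make_csr www.example.com private.key server.csr &&
#        check_csr www.example.com private.key server.csr
```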