Create certificates

Create a certificate signing request

Keychain Access on your Mac allows you to create a certificate signing request (CSR).

  1. Launch Keychain Access located in /Applications/Utilities.

  2. Choose Keychain Access > Certificate Assistant > Request a Certificate from a Certificate Authority.

  3. In the Certificate Assistant dialog, enter an email address in the User Email Address field.

  4. In the Common Name field, enter a name for the key (for example, Gita Kumar Dev Key).

  5. Leave the CA Email Address field empty.

  6. Choose “Saved to disk,” then click Continue.

CSR generation for Apple Pay Payment Processing certificate

When creating an Apple Pay Payment Processing certificate, you must specify the Key Pair information. Select ECC with a 256-bit key pair. When creating ECC key pairs with command line tools such as OpenSSL, specify prime256v1 as the curve name (the value passed to ecparam). Apple Pay Payment Processing certificates for China mainland don’t require you to specify a key pair.

If you’re working with a payment provider, contact them to obtain a properly formatted CSR to upload and create your certificate.

CSR Generation for App License Delivery (ALD) certificates

When creating ALD encryption and signing certificates, you must specify the Key Pair information. Use the command line, such as the Terminal app, to generate your keys and CSRs on your Mac. A unique CSR is required for each certificate. Example commands to create the required RSA 3072 cryptography assets are listed below. Replace any personal information with your own.

# Encryption certificate: private key, then its CSR (subject components are separated by "/")
openssl genrsa -out ALDencryption.key 3072

openssl req -new -key ALDencryption.key -out csr3072ALDEncrypt.certSigningRequest -subj "/emailAddress=example@example.com/CN=Example Name/C=IE"

# Signing certificate: a separate private key and its own CSR
openssl genrsa -out ALDsigning.key 3072

openssl req -new -key ALDsigning.key -out csr3072ALDSigning.certSigningRequest -subj "/emailAddress=example@example.com/CN=Example Name/C=IE"

Note: If you get an error when running the above commands to generate a CSR, confirm that straight double quotes (") are used around the -subj value rather than curly quotes, and that you haven’t already generated a key or CSR with the same name.
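The ECC (Apple Pay) and RSA 3072 (ALD) key pairs and CSRs described above, generated and then checked before upload, as an added example that is not Apple's own commands; the file names, the subject values and the WORK directory are placeholders, and the openssl command line tool is assumed to be installed:

```shell
#!/bin/sh
# Added example (not Apple's commands): create the two key types this page calls
# for, then verify each CSR's key type and subject before uploading it.
# Placeholder names and subject; replace them with your own.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SUBJ="/emailAddress=example@example.com/CN=Example Name/C=IE"   # placeholder subject

# Apple Pay Payment Processing: ECC key on the prime256v1 (P-256) curve.
make_ecc_csr() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/applepay.key"
  openssl req -new -key "$WORK/applepay.key" -subj "$SUBJ" \
    -out "$WORK/applepay.certSigningRequest"
}

# ALD encryption or signing: RSA 3072, one unique key and CSR per certificate.
make_rsa_csr() {  # $1 = base name, e.g. ALDencryption
  openssl genrsa -out "$WORK/$1.key" 3072 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "$SUBJ" \
    -out "$WORK/csr3072$1.certSigningRequest"
}

# Summarise a CSR as "<key type> <CN> <C>". The subject is read in multiline
# form so a -subj built with commas instead of "/" (which leaves the whole
# string inside a single emailAddress component) shows up as NO_CN NO_C.
csr_summary() {  # $1 = CSR path
  text=$(openssl req -in "$1" -noout -text)
  case "$text" in
    *id-ecPublicKey*prime256v1*)  key="EC-P256" ;;
    *rsaEncryption*"(3072 bit)"*) key="RSA-3072" ;;
    *)                            key="UNEXPECTED" ;;
  esac
  subj=$(openssl req -in "$1" -noout -subject -nameopt multiline)
  cn=$(printf '%s\n' "$subj" | sed -n 's/^ *commonName *= *//p')
  c=$(printf '%s\n' "$subj" | sed -n 's/^ *countryName *= *//p')
  printf '%s %s %s\n' "$key" "${cn:-NO_CN}" "${c:-NO_C}"
}
```

Run the two make functions and then csr_summary on each .certSigningRequest file; anything other than the expected key type with a distinct CN and C means the CSR should be regenerated rather than uploaded.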