How to generate a key pair on Mac OS X

In this tutorial, you will learn how to generate a key pair on a Mac OS X system.  The key pair generated here is used for testing purposes only and is self-signed.  The public certificate generated can then be used for testing SSL Mutual Authentication from a browser to Forum Sentry.

In Mac OS X, key pair generation, storage and management is handled by the Keychain Access application.  You can start the application by going to Applications –> Utilities –> Keychain Access.
Mac-OSX-Keychain-AccessThe Keychain Access interface is shown above.  You will use this interface to create a key pair and a self-signed certificate with a couple of default options that we will change along the way.  In the Menu, navigate to Keychain Access –> Certificate Assistant –> Create a Certificate.

Mac-OSX-Keychain-Access-Override-DefaultsThe Certificate Assistant will then walk you through creating a certificate.  As shown in the screen above, enter testuser1 for your Name and select Self Signed Root and SSL Client for the Identity type and Certificate type respectively.  Also enable checkbox Let me override defaults.  Use defaults as you walk through the Certificate Assistant unless otherwise instructed.

Mac-OSX-Keychain-Access-Certificate InformationAs shown above, add personal information for the certificate, including Email Address, Organization, Organization Unit, City, State, and Country. Continue walking through the assistant till you get to the Basic Constrain Extension screen shown below.


Check Include Basic Constraint Extension and Use this certificate as a certificate authority check box as shown in the screen above.  This step is essential when we import the self-signed certificate into Forum Sentry.  The self-signed certificate is used a root certificate in a Signer Group used for validating the client certificate that is presented during SSL Mutual authentication.  This extension will not be enabled for a production systems where known Certificate Authority root certificates are used for certificate chain validation.  The Default Signer Group in Forum Sentry API gateway contains most commercial CA roots.

Next, right click on the certificate and export it to your desktop.  You can then import it into Forum Sentry for enabling SSL Mutual Authentication between your browser and Forum Sentry.