Public/Private Key Certificate - Mac OS X 10.7.4 (Lion)

To create the simplest possible Certificate (with a public/private keypair):
  1. Utilities → Keychain Access
    1. Keychain Access → Certificate Assistant → Create A Certificate...

      1. Name:   FooDisk
        Identity Type:   Self Signed Root
        Certificate Type:   Code Signing
        ✓ Let me override defaults
      2. Serial Number:   1
        Validity Period (days):   7300
      3. Email Address:   none
          N.B. This avoids the situation where the Mail program would use this Certificate to sign or encrypt e-mail messages.
          Since the Certificate is self-signed, it has no validity with recipients, and is therefore useless for any purpose relating to Mail.

        Name (Common Name):   <same as in the first step>
      4. Key Size:   2048 bits
        Algorithm:   RSA
      5. ✓ Include Key Usage Extension
        ✓ This extension is critical
        Signature (uncheck, along with all others except Data Encipherment)
        ✓ Data Encipherment
      6. Include Extended Key Usage Extension (uncheck)
      7. Include Basic Constraints Extension (uncheck)
      8. Include Subject Alternate Name Extension (uncheck)
      9. Keychain:   login

    2. Click on the newly created Certificate in the Keychain Access window.
        Click on the triangle to expand the Certificate.
         Click on the private key.
          Get Info (either by right-clicking on the private key, or type command-I).
           Select Access Control at the top of the window that pops up.
            Delete all applications by highlighting each application name, and then click the minus (-) button.
            Activate the "Confirm before allowing access" option.
             ✓ Ask for Keychain password (This will require you to enter your login Keychain password each time your private key is accessed.)
              <Save Changes>
            Close the Information window.
      Note that the last step may have to be repeated after quitting Keychain Access and re-opening it a second time.

To find the public key hash (the "hpky" attribute, a 40-digit hex string; this is the SHA-1 hash of the public key, not the key itself) for this certificate:
  1. % security find-certificate -c "FooDisk" | \
        grep hpky | awk '{print $1;}' | sed 's/^.*x//'
    The output of the command will look like the following (a 40 digit hex string):
This key hash can be used to create an encrypted disk image using the procedure described here.
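The grep/awk/sed pipeline above prints nothing if no certificate matches the name and, because "security find-certificate" without -a returns only the first match, it silently picks one of several if two certificates share the name "FooDisk". The following shell script is an added example (not part of the original page) that extracts the "hpky" value from the output of "security find-certificate -a -c NAME", refuses to continue unless exactly one 40-hex-digit hash was found, and, as a second check, shows how to confirm with openssl that the certificate carries the extensions chosen in the Keychain Access steps above. The sample output embedded in sample_find_certificate_output is constructed to resemble the command's output; the hash it contains is a placeholder, not a real key hash.

```shell
#!/bin/sh
# Added example, not from the original page. Parses `security find-certificate`
# output for the public key hash ("hpky" attribute) and validates it.
# On macOS use:   security find-certificate -a -c "FooDisk" | extract_pubkey_hash

# Constructed sample of `security find-certificate -a -c "FooDisk"` output
# (layout modelled on 10.7; the hash value is a placeholder, not a real one).
sample_find_certificate_output() {
    cat <<'EOF'
keychain: "/Users/example/Library/Keychains/login.keychain"
class: 0x80001000
attributes:
    "alis"<blob>="FooDisk"
    "cenc"<uint32>=0x00000003
    "ctyp"<uint32>=0x00000001
    "hpky"<blob>=0x0123456789ABCDEF0123456789ABCDEF01234567  "<binary rendering omitted>"
    "labl"<blob>="FooDisk"
    "snbr"<blob>=0x01  "\001"
EOF
}

# stdin:  output of `security find-certificate -a -c NAME`
# stdout: the single 40-hex-digit public key hash
# exit 1: no match, more than one match (ambiguous name), or a malformed value
extract_pubkey_hash() {
    hashes=$(sed -n 's/^[[:space:]]*"hpky"<blob>=0x\([0-9A-Fa-f]*\).*$/\1/p')
    count=$(printf '%s\n' "$hashes" | awk 'NF { n++ } END { print n + 0 }')
    case "$count" in
        0) echo "no certificate with an hpky attribute found" >&2; return 1 ;;
        1) ;;
        *) echo "$count certificates matched; give the certificate a unique name" >&2; return 1 ;;
    esac
    # A public key hash is a SHA-1 value: exactly 40 hex digits. Anything else
    # means the line was not in the expected format.
    case "$hashes" in
        *[!0-9A-Fa-f]*) echo "unexpected characters in hash: $hashes" >&2; return 1 ;;
    esac
    if [ "${#hashes}" -ne 40 ]; then
        echo "expected 40 hex digits, got ${#hashes}" >&2
        return 1
    fi
    printf '%s\n' "$hashes"
}

# Convenience wrapper for macOS: look up the hash by certificate name.
find_pubkey_hash() {
    security find-certificate -a -c "$1" | extract_pubkey_hash
}

# macOS-only check (not exercised offline): export the certificate as PEM and
# confirm the Key Usage extension is critical and limited to Data Encipherment,
# and that no Basic Constraints extension was included, as in the steps above.
check_extensions() {
    text=$(security find-certificate -p -c "$1" | openssl x509 -noout -text) || return 1
    printf '%s\n' "$text" | grep -q 'X509v3 Key Usage: critical' || {
        echo "Key Usage extension missing or not critical" >&2; return 1; }
    printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | grep -q '^ *Data Encipherment$' || {
        echo "Key Usage is not exactly Data Encipherment" >&2; return 1; }
    if printf '%s\n' "$text" | grep -q 'X509v3 Basic Constraints'; then
        echo "Basic Constraints extension should not be present" >&2; return 1
    fi
    echo "extensions match the Keychain Access settings"
}
```

Running the parser over the constructed sample prints 0123456789ABCDEF0123456789ABCDEF01234567; feeding it the output for two certificates with the same name, or output with no "hpky" line, exits with status 1 and a message on stderr instead of a wrong or empty hash.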
Last Updated: 2012 July 25, Wednesday, 19:21:18 PDT (UTC-0700)