Public/Private Key Certificate - Mac OS X 10.7.4 (Lion)

To create the simplest possible Certificate (with a public/private keypair):
  1. Utilities → Keychain Access
    1. Keychain Access → Certificate Assistant → Create A Certificate...

      1. Name:   FooDisk
        Identity Type:   Self Signed Root
        Certificate Type:   Code Signing
        ✓ Let me override defaults
        <Continue>
      2. Serial Number:   1
        Validity Period (days):   7300
        <Continue>
      3. Email Address:   none
          N.B., This avoids the situation where the Mail program will use this Certificate to sign or encrypt e-mail messages.
          Since the Certificate is self-signed, it will have no validity with recipients, and therefore is useless for any purpose relating to Mail.

        Name (Common Name):   <same as in the first step>
        <Continue>
      4. Key Size:   2048 bits
        Algorithm:   RSA
        <Continue>
      5. ✓ Include Key Usage Extension
        ✓ This extension is critical
        Signature (uncheck, along with all others except Data Encipherment)
        ✓ Data Encipherment
        <Continue>
      6. Include Extended Key Usage Extension (uncheck)
        <Continue>
      7. Include Basic Constraints Extension (uncheck)
        <Continue>
      8. Include Subject Alternate Name Extension (uncheck)
        <Continue>
      9. Keychain:   login
        <Create>

    2. Click on the newly created Certificate in the Keychain Access window.
      1. Click on the triangle to expand the Certificate.
      2. Click on the private key.
      3. Get Info (either by right-clicking on the private key, or type command-I).
      4. Select Access Control at the top of the window that pops up.
      5. Delete all applications by highlighting each application name, and then clicking the minus (-) button.
      6. Activate the "Confirm before allowing access" option.
         ✓ Ask for Keychain password (This will require you to enter your login Keychain password each time your private key is accessed.)
         <Save Changes>
      7. Close the Information window.
      Note that the last step may have to be repeated after quitting Keychain Access and re-opening it.
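The same certificate profile built from the command line, as an added example that is not part of the original note: it assumes an openssl binary (1.1.1 or later) on the PATH, and the function names and file names (foodisk.cnf, foodisk.key, foodisk.pem) are this example's own. make_foodisk_cert writes a minimal config and creates the self-signed certificate with the settings above (CN FooDisk, no e-mail address, RSA 2048, 7300 days, serial 1, a critical Key Usage extension carrying Data Encipherment only); check_foodisk_cert decodes the result and fails if the Signature bit, which the assistant pre-checks and step 5 says to clear, is still present. openssl has no equivalent of the Keychain Access Control step; restricting the key file to its owner is the closest analogue.

```shell
#!/bin/sh
# Added example, not from the original note: build the FooDisk certificate
# profile with openssl and verify the settings the note asks for.
# Assumes openssl 1.1.1 or later on PATH; file names are this example's own.

# Write a minimal openssl config and create a self-signed certificate:
# CN=FooDisk, no e-mail address, RSA 2048, 7300 days, serial 1, and a
# critical Key Usage extension. Naming our own x509_extensions section keeps
# openssl from adding its default extension set, which would mark the
# certificate as a CA via Basic Constraints (left unchecked in the note).
# $1 = output directory, $2 = keyUsage value (default: the note's setting)
make_foodisk_cert() {
    dir=$1
    usage=${2:-"critical, dataEncipherment"}
    cat >"$dir/foodisk.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = ext
prompt             = no
[dn]
CN = FooDisk
[ext]
keyUsage = $usage
EOF
    openssl req -x509 -newkey rsa:2048 -nodes \
        -config "$dir/foodisk.cnf" -days 7300 -set_serial 1 \
        -keyout "$dir/foodisk.key" -out "$dir/foodisk.pem" 2>/dev/null || return 1
    # Closest file-system analogue of the note's Access Control step:
    # only the owner may read the private key.
    chmod 600 "$dir/foodisk.key"
}

# Decode the certificate and check: CN is FooDisk, the key is 2048-bit RSA,
# and the Key Usage extension is critical and carries Data Encipherment only.
# Returns 0 when all hold, otherwise a code naming the first failed check.
check_foodisk_cert() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    printf '%s\n' "$text" | grep -q 'Subject: CN *= *FooDisk' || return 2
    printf '%s\n' "$text" | grep -q 'Public-Key: (2048 bit)' || return 3
    # the usage names are printed on the line after the extension header
    usage=$(printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage: critical' | tail -n 1 | tr -d ' ')
    [ "$usage" = "DataEncipherment" ] || return 4
}

# Stand-alone run: build into a temporary directory and report the result.
workdir=$(mktemp -d)
if make_foodisk_cert "$workdir" && check_foodisk_cert "$workdir/foodisk.pem"; then
    echo "ok: $workdir/foodisk.pem matches the FooDisk profile"
else
    echo "check failed with status $?" >&2
fi
```

Passing a different keyUsage value as the second argument (for example `"critical, digitalSignature, dataEncipherment"`) reproduces the assistant's default and makes the check return 4, which is the failure it is meant to catch.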

To find the public key (40 digits, in hex) for this certificate:
  1. % security find-certificate -c "FooDisk" | \
        grep hpky | awk '{print $1;}' | sed 's/^.*x//'
    
    The output of the command will look like the following (a 40-digit hex string):
    70CAF2CD1EC2F631294B32428B27FC16D12B9546
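A guarded version of the extraction above, as an added example that is not part of the original note. The 40-hex-digit value is the hpky attribute that security prints for a certificate item (the hash of its public key). The pipeline in the note prints nothing when the name matches no certificate and prints two values when two certificates carry the name, and whatever comes out is passed on unchecked; hpky_from_dump applies the same grep/awk/sed chain to a dump read from stdin and then insists on exactly one value of exactly 40 hex digits. find_hpky runs security where it exists and otherwise feeds the constructed sample dump (its hash copied from the note, the other attribute lines made up to resemble the real output). The function names and the sample are this example's own.

```shell
#!/bin/sh
# Added example, not from the original note: extract the "hpky" attribute
# (the public-key hash, 40 hex digits) from `security find-certificate`
# output and refuse anything that is not exactly one well-formed value.

# Constructed sample of a `security find-certificate -c FooDisk` dump. The
# hash is the one shown in the note; the other lines are made up to look
# like the real attribute listing.
SAMPLE_DUMP='keychain: "/Users/me/Library/Keychains/login.keychain"
class: 0x80001000
attributes:
    "alis"<blob>="FooDisk"
    "cenc"<uint32>=0x00000003
    "ctyp"<uint32>=0x00000001
    "hpky"<blob>=0x70CAF2CD1EC2F631294B32428B27FC16D12B9546  "p\312\362\315\036\302\366..."
    "issu"<blob>=0x3012311030...
    "labl"<blob>="FooDisk"
    "subj"<blob>=0x3012311030...'

# Read a find-certificate dump on stdin and print the hash on stdout.
# Returns 1 if there is not exactly one hpky line (no match, or an
# ambiguous name), 2 if the value is not 40 hex digits.
hpky_from_dump() {
    # the note's pipeline: first field of the hpky line, everything up to "0x" dropped
    hash=$(grep '"hpky"' | awk '{print $1;}' | sed 's/^.*x//')
    [ -n "$hash" ] || return 1
    count=$(printf '%s\n' "$hash" | wc -l | tr -d ' ')
    [ "$count" -eq 1 ] || return 1
    case $hash in
        *[!0-9A-Fa-f]*) return 2 ;;
    esac
    [ "${#hash}" -eq 40 ] || return 2
    printf '%s\n' "$hash"
}

# Look up a certificate by name: query the keychain where `security` exists,
# otherwise (off a Mac) fall back to the constructed sample dump.
find_hpky() {
    if command -v security >/dev/null 2>&1; then
        security find-certificate -c "$1" | hpky_from_dump
    else
        printf '%s\n' "$SAMPLE_DUMP" | hpky_from_dump
    fi
}

# Stand-alone run: look up FooDisk (or the constructed sample off a Mac).
if hash=$(find_hpky "FooDisk"); then
    echo "public key hash: $hash"
else
    echo "no single well-formed hpky value found (status $?)" >&2
fi
```

The non-zero return is the point: a script that builds on this value (the note's next step) should stop here rather than carry an empty string or two concatenated hashes into the next command.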
    
This key can be used to create an encrypted disk image using the procedure described here.
Last Updated: 2012 July 25, Wednesday, 19:21:18 PDT (UTC-0700)