Apple OS X 10.6 - Code signing - Creating a certificate

In this article, we describe the actions neccessary to generate a self-signed Code Signing certificate under Apple OS X 10.6 (Snow Leopard); this certificate can then be used for testing purposes, and can later be certified by a certificate authority once the code is deemed mature enough for public distribution. Links to these procedures can be found at the bottom of this article.

The best way to generate a private key and CSR for code signing is by use of Keychain Access, the OSX program specially designed to manage certificates and passwords. Note that this is somewhat different from most scenario's, where the certificate generation is managed through the browser. Also, we have experienced occasional problems when using Safari to request a Code Signing Certificate. To ensure successful import we advise you to adhere to using Keychain Access.

To create a self-signed certificate authority:

  1. Press Apple-Space; this opens Spotlight. Type (the first few letters of) Keychain Access in the search field and press Enter. (Alternately, open Finder, navigate to Applications -> Utilities and open Keychain Access)
  2. In Keychain Access, go to the Keychain Access menu and navigate to Certificate Assistant, then click Create a Certificate Authority… . This opens the Certificate Assistant in a new window.
  3. In the Certificate Assistant screen, enter the following information / options:
    Name: the name of your company (or company department responsible for software development)
    Identity Type: Self Signed Root CA
    User Certificate: Code Signing
    Put a check next to Let me override defaults
    Ensure Make this CA the default is checked
    Email From: insert your e-mail address (the one you wish to use to correspond with both us and customers with questions) here

    Next, click Continue.
  4. In this screen, add the following information:
    Serial Number: choose any number you like, only make sure it's unique and lies between 1 and 2147483647.
    Validity Period: leave it at 365. This will automatically be altered to fit the actual duration later.
    Remove the checkmarks next to Create a CA web site: and Sign your invitation.

    Click Continue.
  5. This is the Certificate Information screen. Here please provide the following information:
    Email address: enter the e-mail address you wish to correspond with
    Name (Common Name): Name of your organisation or company
    Organization:  Name of your organisation
    Organizational Unit: Name of your department, business unit
    City (Locality): City or town where your organization is located
    State/Province: State or province where your organization is located
    Country: Country where your organization is located
  6. Next, press Continue 12 times (you may leave the default settings in all the subsequent screens).
  7. Finally, close the window.

If all has gone well, you will now be able to find your self-signed certificate pair listed under login / All Items in Keychain Access with the name you entered in the Name (Common Name) field in step 5. There should be three entries: the private key, the public key and the certificate (visible under the Kind column). (Note that the certificate will have a small red X through it, indicating "this root certificate is not trusted"; this is correct as it has not yet been signed by a Certificate Authority). That process is described in the links below.



Our SSLCheck will examine your website's root and intermediate certificates for correctness and report any potential issues

point up