This tutorial shows you how to generate a CSR (Certificate Signing Request) on macOS. It covers the two methods that work on every current macOS version: the Keychain Access Certificate Assistant wizard (a built-in graphical tool, no extra software needed), and the openssl command line in Terminal. It also keeps the legacy macOS Server (Server.app) workflow for the few installations still running it on Monterey.
Important: Apple discontinued the macOS Server app on April 21, 2022. The final release, 5.12.2, runs only up to macOS Monterey and is not available for Ventura, Sonoma, Sequoia, or later. Most hosting services (web, mail, calendar, contacts, wiki, VPN, DHCP, DNS, and others) were already removed from Server.app in version 5.7.1 back in 2018, so even on Monterey the “Get a trusted certificate” wizard is the only certificate-related workflow still present. If you are on Ventura or newer, use the Keychain Access or OpenSSL method below.
Method 1: Generate the CSR with Keychain Access (current macOS)
If you have already generated your CSR with another tool, skip to installing the certificate on macOS.
Keychain Access ships with every version of macOS and includes a Certificate Assistant that produces a standard PKCS #10 CSR file (extension .certSigningRequest). The private key is created inside your login keychain at the same time, so it never leaves the Mac. This is the simplest method when you do not want to use the command line.
Step 1: Open Keychain Access
Open Keychain Access from Applications > Utilities, or press Cmd + Space and type Keychain Access in Spotlight.
On macOS Sequoia, Sonoma, and Ventura, Keychain Access is still present even though Apple’s newer Passwords app handles website passwords. Certificate Assistant lives only in Keychain Access, so this is the app to open.
Step 2: Open Certificate Assistant
In the menu bar, go to Keychain Access > Certificate Assistant > Request a Certificate From a Certificate Authority.
Step 3: Fill in your details
The Certificate Assistant window asks for a few fields. Use only standard ASCII characters; non-Latin letters in the subject will be rejected by public CAs.
- User Email Address: a valid contact email address. Public CAs use this for issuance notifications.
- Common Name: the fully qualified domain name you want to secure, for example www.example.com. For a wildcard certificate, use the asterisk form, for example *.example.com.
- CA Email Address: leave blank. You will submit the CSR through your CA’s order form, not by email.
- Request is: select Saved to disk. Tick Let me specify key pair information so you can choose the key type and size on the next screen.
Click Continue. macOS prompts you for a save location; choose a folder you can find again later (for example the Desktop). The default filename is CertificateSigningRequest.certSigningRequest; you can rename it before saving.
Step 4: Choose the key pair
On the Key Pair Information screen, pick the key type and size you want the CA to bind to the certificate:
- Key Size: 2048 bits (the current minimum for public certificates) or 4096 bits for a larger RSA key. Older 1024-bit keys are rejected by every public CA, so do not pick them.
- Algorithm: RSA for maximum compatibility, or ECC for a modern elliptic-curve key (smaller and faster, with broad client support).
Click Continue. Certificate Assistant generates the key pair, stores the private key in your login keychain, writes the CSR to the file you chose, and shows a confirmation screen. Click Done.
The CSR is now ready to submit to your CA. You can open the .certSigningRequest file in TextEdit to view it; it begins with —–BEGIN CERTIFICATE REQUEST—– and ends with —–END CERTIFICATE REQUEST—–. Copy the entire block (including those header and footer lines) and paste it into the order form during your purchase.
Before submitting, you can decode the request to confirm the fields look right with our CSR Decoder.
Method 2: Generate the CSR with OpenSSL in Terminal
If you prefer the command line, or you need a Subject Alternative Name (SAN) list with several hostnames in one request, generate the CSR with the openssl tool in Terminal. Every modern macOS ships with the LibreSSL command in /usr/bin/openssl, which supports the same openssl req syntax used on Linux. If you prefer OpenSSL itself, install it with brew install openssl@3; the binary then lives at /opt/homebrew/opt/openssl@3/bin/openssl (Apple silicon) or /usr/local/opt/openssl@3/bin/openssl (Intel).
Step 1: Open Terminal
Open Terminal from Applications > Utilities, or press Cmd + Space and type Terminal. Move into a folder you can find again, for example a working directory on the Desktop:
mkdir -p ~/Desktop/csr
cd ~/Desktop/csr
Step 2: Generate the private key and CSR
Run the following command. It creates a new 2048-bit RSA key (yourdomain.key) and the matching CSR (yourdomain.csr) in one step, with the subject and Subject Alternative Names supplied inline so OpenSSL does not stop to ask questions:
openssl req -new -newkey rsa:2048 -nodes \
-keyout yourdomain.key \
-out yourdomain.csr \
-subj "/C=US/ST=YourState/L=YourCity/O=YourCompany/CN=yourdomain.com" \
-addext "subjectAltName=DNS:yourdomain.com,DNS:www.yourdomain.com"
What each part does:
- -newkey rsa:2048 generates a new 2048-bit RSA key. Use rsa:4096 for a larger key, or switch to ECDSA (see below).
- -nodes leaves the private key unencrypted, so your web server can read it at startup without a passphrase prompt.
- -keyout and -out name the private key and CSR files.
- -subj supplies the certificate subject. Put your real company name, state, and city here, not the placeholders. CN (Common Name) is your primary domain.
- -addext “subjectAltName=…” lists every hostname the certificate must cover. Public CAs validate against the SAN list, so always include the Common Name there too.
Replace yourdomain.com with your actual domain throughout. To cover extra hostnames, add them to the SAN list separated by commas, for example DNS:api.yourdomain.com. For a wildcard certificate, include both the wildcard and the bare domain: DNS:*.yourdomain.com,DNS:yourdomain.com. Use the official two-letter country code for the C field (for example US, GB, DE).
If you prefer an ECDSA key (smaller and faster, with P-256 widely supported), generate the key and CSR like this instead:
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
-keyout yourdomain.key \
-out yourdomain.csr \
-subj "/C=US/ST=YourState/L=YourCity/O=YourCompany/CN=yourdomain.com" \
-addext "subjectAltName=DNS:yourdomain.com,DNS:www.yourdomain.com"
If you would rather answer the prompts one field at a time, run the simpler form without -subj and -addext:
openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr
OpenSSL then asks for each field in turn:
- Country Name (2 letter code): your country’s ISO 3166-1 alpha-2 code, for example US.
- State or Province Name: the full name of your state or province, not an abbreviation.
- Locality Name: the city where your organization is registered.
- Organization Name: your full legal company name for OV and EV certificates. For DV certificates you can press Enter to skip it.
- Organizational Unit Name: deprecated by the CA/Browser Forum. Press Enter to leave it blank.
- Common Name: the fully qualified domain name you want to secure, for example www.yourdomain.com, or *.yourdomain.com for a wildcard.
- Email Address: a valid contact email, or press Enter to skip.
- When asked for a challenge password and an optional company name, press Enter to leave both blank. Public CAs ignore these fields.
Note that the prompt form does not let you add a SAN. If your certificate covers more than one hostname, use the inline -subj and -addext form above, or build the CSR with an OpenSSL config file.
Step 3: Verify and submit the CSR
Before sending the CSR to the CA, decode it locally to confirm the subject and SAN list match what you intended:
openssl req -noout -text -verify -in yourdomain.csr
Check that the Subject and X509v3 Subject Alternative Name lines are correct and that the signature check returns verify OK. You can also decode the CSR online with our CSR Decoder.
Open the .csr file in TextEdit (or print it with cat yourdomain.csr) and copy the entire block, including the —–BEGIN CERTIFICATE REQUEST—– and —–END CERTIFICATE REQUEST—– lines. Paste it into the order form during your purchase. Keep the matching yourdomain.key file safe on the same machine; it must never be sent to the CA or shared.
Method 3: Legacy macOS Server (Server.app on Monterey)
If you still run macOS Server 5.12.2 on Monterey, the built-in Get a trusted certificate wizard generates a CSR and stores the matching private key in the System Keychain. Server 5.12.x requires macOS Monterey (earlier versions such as 5.11 supported Big Sur). On Ventura and newer this app is not available; use the Keychain Access or OpenSSL method above instead.
Step 1: Launch macOS Server
Open Finder > Applications > Server.
Step 2: Select the target server
- This Mac (YourServerName): generates the CSR on the local machine. Enter your admin user name and password, then click Allow.
- Other Mac (YourServerName): generates the CSR on a remote Mac. Enter its host name or IP address and admin credentials, then click Allow.
Step 3: Start the CSR
- In the left pane under Server, select Certificates.
- Locate the existing self-signed certificate. It works for testing and private networks but is not trusted by public browsers.
- Click the + button at the bottom of the page and choose Get a trusted certificate, then click Next.
Step 4: Fill in the CSR details
- Host name (CN): the fully qualified domain name to secure, for example www.yoursite.com, or *.yoursite.com for a wildcard.
- Contact Email Address: a valid email.
- Organization (O): your full legal company name for OV and EV certificates. For DV certificates leave it blank.
- Organizational Unit (OU): deprecated by the CA/Browser Forum. Leave it blank.
- Town / City (L): the city where your organization is registered.
- State / Province (ST): the full name of your state or province.
- Country (C): select your country from the list.
Review your entries, click Next, then Save the CSR file to disk. The private key stays in the System Keychain and will be required during certificate installation.
Submit the CSR and what happens next
Submit the contents of the .csr file (or, from Server.app, the saved file) during your SSL certificate order. After the CA validates your request and issues the certificate, follow our guide on how to install an SSL certificate on macOS to import the certificate and configure your web server. DV certificates are typically issued within minutes; OV and EV certificates can take one to five business days.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10


