I had to renew some certificates and saw this note below the “Download” button of the certificate page:
Download your certificate to your Mac, then double click the .cer file to install in Keychain Access. Make sure to save a backup copy of your private and public keys somewhere secure.
The last sentence intrigues me, since I’ve sometimes had trouble with missing private keys, and that looks like a good hint.
But… I’ve done the usual steps of generating a .certSigningRequest file and renewed my certificates; however, at no time can I recall having created a public or private key. What should I back up? The .certSigningRequest file or the downloaded certificates (or something else)?
You can export public and private keys in the Keychain Access app. When exporting a key, you will be asked for a password. This is used to install that key later on. So it is pretty safe, I guess, to store that key anywhere you want.
It’s very important that when you export the key, you choose the .p12 option. If you don’t, or it’s not available, you are not saving the private key. If the extension you choose is .cer, you’re only getting the public key.
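The workflow the answer describes, reproduced on the command line with openssl as an added example (this is not code from the original thread, and it is not what Keychain Access runs internally; it just produces the same kinds of files, so you can see which of them actually carries the private key). The developer name, e-mail address and export password are made up, and the certificate is self-signed here to stand in for the CA-issued .cer you would download from the portal:

```shell
#!/bin/sh
# Added example, not from the thread. Mirrors with openssl what Keychain Access does:
# a key pair + CSR, a DER .cer standing in for the CA-issued one, and a password-
# protected .p12 export. Names, e-mail and password below are constructed.
set -eu

WORK="$(mktemp -d)"
EXPORT_PASS="correct-horse"   # stands in for the password Keychain Access asks for on export

# Step 1: what "Request a Certificate From a Certificate Authority" does behind the scenes.
# A key pair is generated; the .certSigningRequest carries only the PUBLIC half.
make_key_and_csr() {
  openssl genrsa -out "$WORK/dev.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/dev.key" \
    -subj "/CN=Example Developer/emailAddress=dev@example.com" \
    -out "$WORK/CertificateSigningRequest.certSigningRequest" 2>/dev/null
}

# Step 2: stand-in for the .cer the portal hands back (DER-encoded, like Apple's). A real CA
# signs the CSR with its own key; self-signing here changes nothing about what the file holds.
make_cer() {
  openssl x509 -req -in "$WORK/CertificateSigningRequest.certSigningRequest" \
    -signkey "$WORK/dev.key" -days 365 -outform DER -out "$WORK/dev.cer" 2>/dev/null
}

# Step 3: what "Export" with the .p12 option produces: private key + certificate in one
# password-protected PKCS#12 bundle. This is the file worth backing up.
make_p12() {
  openssl x509 -inform DER -in "$WORK/dev.cer" -out "$WORK/dev.pem"
  openssl pkcs12 -export -inkey "$WORK/dev.key" -in "$WORK/dev.pem" \
    -passout "pass:$EXPORT_PASS" -out "$WORK/backup.p12"
}

# Check: does this file contain a private key?  Usage: has_private_key FILE [PASSWORD]
# Exit 0 = yes, 1 = no. A .p12 says yes only with the right password; a .cer or CSR never does.
has_private_key() {
  case "$1" in
    *.p12) openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:${2:-}" 2>/dev/null \
             | grep -q "PRIVATE KEY" ;;
    *)     grep -q "PRIVATE KEY" "$1" 2>/dev/null ;;
  esac
}

# Check: SHA-256 of the public key in a .key, .certSigningRequest or .cer, so you can confirm
# that a certificate on disk belongs to a key pair you still have (or to the CSR you used).
pubkey_sha256() {
  ( case "$1" in
      *.key)                openssl pkey -in "$1" -pubout -outform DER ;;
      *.certSigningRequest) openssl req -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER ;;
      *.cer)                openssl x509 -inform DER -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER ;;
    esac ) | openssl dgst -sha256 | awk '{print $NF}'
}

build_all() { make_key_and_csr; make_cer; make_p12; }

build_all
for f in CertificateSigningRequest.certSigningRequest dev.cer backup.p12; do
  if has_private_key "$WORK/$f" "$EXPORT_PASS"; then
    echo "$f: private key present (this is the backup)"
  else
    echo "$f: public key only (not a backup)"
  fi
done
```

Run as-is and only backup.p12 reports a private key; the CSR and the .cer are public material. Calling has_private_key on the .p12 with the wrong password also reports "no", which is the practical reason to keep the export password with the backup. pubkey_sha256 is the check to reach for when a certificate is installed but shows no private key beneath it in Keychain Access: if its hash does not match the .key (or CSR) you still have, the certificate was issued against a different key pair.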
Thanks for your answer.
I now get that it’s not sufficient to keep existing files; a manual export must be explicitly done after importing the certificates. Is it then OK to delete the previous files (.certSigningRequest and .cer)?
I’m asking because of this:
.certSigningRequest: I’m wondering if one could keep a single certSigningRequest file around for several years and create certificates with it (reuse it). It’d simplify the task.
.cer: I assume it’s safe to delete those files after they have been imported, because, as I understand it, their data is duplicated inside the keychain, but still worth asking whether it’s correct.