Certificate management in MacOS environment

Creating a certificate signing request

If you are using macOS , you can generate a certificate request using the "openssl" command via a terminal.

1. For your convenience, we recommend that you create a new folder (such as "BAP certificate") on your desktop.

images/59e82774d3da398286c80890951e1f708f7a21f488107bda2c0ceeda92707211.png images/220d727ff38365f98cd16ebc22d5c48f9fe42769c51756007be7e10500ee027b.png

Picture 1. Creating a folder


2. Launch the "Terminal" app. This can be done by using the Command-Space bar and typing "terminal" in the search field:

images/f157c93b144bb17413ff16a69120cef2950285834e0ee41c72b84bfbf5f3c694.png

Picture 2. Terminal launching


OR by selecting "Go" → "Utilities" in the "Finder" menu:

images/7836bb95eb18182ff87d663cee0d3d93fccc49e247d958089bc8c32d3d98efc0.png images/518b7dcda27be393f6d45709bfb605533795318166bca9d3616b1df2bd2cabbf.png

Picture 3. Terminal launching


3. In the terminal, navigate to the "BAP certificate" directory you created by typing the command (press the "Enter" key to execute the command):

Command
cd Desktop/BAP\ certificate


4. Generate a certificate request using the "openssl" command:

Command
openssl req -out request.csr -utf8 -new -newkey rsa:2048 -nodes -keyout certificate.key -subj "/GN=Vardas/SN=Pavarde/CN=Vardas Pavarde" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "\n[SAN]\nsubjectAltName=email:el.pastas@pastas.lt"))

Note

The openssl command is a single line command, so copy it all at once.

5. Check available files:

Command
ls -l
Result
total 16
-rw-r--r--  1 Jonas  staff  1704 Sau 29 21:29 certificate.key
-rw-r--r--  1 Jonas  staff   915 Sau 29 21:29 request.csr


Certificate download and installation

1. If you have not used the BAP system before and do not have the possibility to log in via the Electronic Government Gateway, please send the prepared "request.csr" file by email to the customs office when requested. You will receive a reply with the sertifikatas.crt file, which you should save in the "BAP certificate" directory you created.

If you can log in to BAP using the authentication service provided by the Electronic Government Gateway, or if you have already used the BAP system in the past and you are able to login to it, click on the "+Add New" button in the "Profile" section, select the value "Certificate issued by the customs of the Republic of Lithuania - for connecting to customs portals and accessing customs system to system services." in the "Adding a new certificate" modal window, then click on the "Continue" button.

images/7a61b15dfb3d9afbc833d9b74430e10211987ab7c1789921302038b60d0d18f4.png

Picture 4. "Customs of Lithuania for authentication" selection


2. Bookmark the file "request.csr" in the "Generate Certificate" window and click on the "Generate Certificate" button.

images/0f5d00dbb639025dafab3ad72bbbd9ac1d7c7e4312ff2fb921125f945c56629f.png

Picture 5. Uploading the CSR file


3. Download the "sertifikatas.crt" file by clicking the "Download" button in the pop-up window or in the certificate data table. Move the downloaded file to the "BAP certificate" directory.

images/ba9fe987daa6bcc7d1a5c006d463b493f6616351b107bee9f3038902ec1e8e64.png

Picture 6. Downloading the CRT file

Note

The certificate can also be downloaded from the "Profile" certificate list by selecting the row of the certificate entry in the list and clicking the "Download" button. For more information see "Generating and adding a certificate after logging into the portal".


4. Catalogue content:

Command
ls -l
Result
total 24
-rw-r--r-- 1 Jonas staff 1704 Sau 29 21:29 certificate.key
-rw-r--r-- 1 Jonas staff 915 Sau 29 21:29 request.csr
-rw-r--r-- 1 Jonas staff 915 Sau 29 21:29 sertifikatas.crt


5. Generate a PFX file from the certificate and key files. Create a password that will protect the private key.

Command
openssl pkcs12 -export -out sertifikatas.pfx -inkey certificate.key -in sertifikatas.crt

images/dbeeafc5cf02beca1829ea6cbbc73aeb7c49a9e53a05dd1ca0daa1fa0a6a7ee3.png

Picture 7. Example of export


6. Check available files:

Command
ls -l
Result
total 32
-rw-r--r-- 1 Jonas staff 1704 Sau 29 21:29 certificate.key
-rw-r--r-- 1 Jonas staff 915 Sau 29 21:29 request.csr
-rw-r--r-- 1 Jonas staff 915 Sau 29 21:29 sertifikatas.crt
-rw-r--r-- 1 Jonas staff 915 Sau 29 21:29 sertifikatas.pfx

sertifikatas.pfx - a file that contains your certificate and its private key.


7. To import a certificate from the "Finder", select "Go" -> "Utilities" and start the "Keychain Access" application.

images/28529738e04407d336393e262118a13ef7b6cabf9bef6a40c1eac38eec7868fa.png

Picture 8. Importing a certificate on macOS


4. On the left side of the "Keychain Access" application, select "System".

images/13d2b5be5de164a9d0f4fc948aa07224473f8fbb8013a7a9a274bb426ecb3b77.png

Picture 9. "System" selection


5. From the "File" menu, select "Import Items…" function.

images/ee3e333bbcde183219aded36e753ef0a3694960452be9651b15f4af69564c84e.png

Picture 10. „Import Items...“ selection


6. Select the generated certificate.

images/e5872c8df7fda4bdbc712d133d7420b9d34d37bae8c5ca9b10219576291ca19f.png

Picture 11. Certificate selection


7. After selecting the certificate, the system will ask you to enter the administrator password, followed by the password of the generated certificate that was created in step 2.

images/70241c8ec09d4c6dcdab3ebd52be3e1924714adbe5c7e432d9cae84061e20111.png

Picture 12.

Once the certificate has been imported, a new Safari browser will allow you to log in to bap.lrmuitine.lt by selecting the certificate. The first time you log in, macOS System will ask you again for your administrator name and password. These will then be used to log in to the system.

Preparing the certificate to work on another computer

The PFX file, which was generated in step 2 of "Download and install the certificate", is required for work on another computer. Transfer this file to the new computer and continue with the steps described in the installation instructions below.