Summary
To add a card to Apple Wallet a certificate is required. See the doc Apple Card signing for Apple Wallet for a step-by-step guide on how to acquire a certificate.
When you have the certifcate you must export it into .p12 format and then use openssl commands to generate .pem files. These files will be used by another openssl command to sign the manifest file for the .pkpass file.
I don’t know what a .pkpass file is?
The .pkpass file is a zip that contains a manifest.json file that defines the pass, along with all the other files needed to render the card in Apple Wallet.
The Apple docs provide more information on these files and their contents.
How to create the pem files
The following two commands extract the private key and the certificate from the .p12 file. You will be prompted for the .p12 password file. You set this password when exporting the certifcate from the Keychain Access app.
openssl pkcs12 -in Certificates.p12 -nocerts -out private_key.pem -nodes -legacy
openssl pkcs12 -in Certificates.p12 -clcerts -nokeys -legacy | openssl x509 -out certificate.pem
How to sign the manifest file
Prior to creating the .pkpass file the manifest.json file must be signed. The openssl smime command achieves this:
openssl smime -sign -binary -signer certificate.pem \
-inkey private_key.pem -outform DER -in manifest.json