In the software I used (as recently as last Thursday) the keys are _absolutely_, _positively_ generated locally. Subsequently the public key can be mailed automagically to RSADSI to be incorporated into a certificate which is returned to you. The latest version of RIPEM Mac uses the same procedure for the same functionality.
[...] users will get certified keys from RSA [...]
Yes! _After_ sending RSADSI an uncertified key.
[the user] can generate a key for use on their network
This is the uncertified key.
Apple believes you'll want publically certified keys
Thus, they provide a mechanism to get RSADSI to certify your (self generated) key. Scott Collins | "Few people realize what tremendous power there | is in one of these things." -- Willy Wonka ......................|................................................ BUSINESS. voice:408.862.0540 fax:974.6094 collins@newton.apple.com Apple Computer, Inc. 1 Infinite Loop, MS 301-2C Cupertino, CA 95014 ....................................................................... PERSONAL. voice/fax:408.257.1746 1024:669687 catalyst@netcom.com