Invalid certificate (CSR) - ios

I generate a .certSigningRequest file via Keychain Access (Keychain Access -> Certificate Assistant -> Request a Certificate From a Certificate Authority...; I fill in my mail and save it to disk).
When I log into my Apple developer account and try to generate a certificate with it, I get the message: "Invalid CSR - Invalid Certificate"
I did this a number of times previously with my previous Mac, but it is not working on my new system.
What am I doing wrong? I have followed the exact steps at https://help.apple.com/developer-account/#/devbfa00fef7

I think this is an Apple error. You just need to refresh the website again and again, or use another browser.

I just forgot to input 'Common Name' in the Certificate Assistant form.
So, make sure you have filled in:
User Email Address
Common Name
Saved on disk check


iOS AWS SNS Create platform application fail with error "There was an error reading the selected certificate."

After downloading my certificate from the Apple Developer portal, I successfully create a p12 file, but whenever I try to create a platform application on AWS and enter the certificate password, I just keep getting the error below.
There was an error reading the selected certificate. Verify the
password and try again.
I have tried with short and no passwords but nothing seems to accept the password.
Any ideas?
I was able to make this work, by doing the following:
Delete all old keys related to previous attempts in your Keychain > login (macOS)
Request a new certificate from Request Certificate from Authority. Make sure no keys are selected when you execute this function.
I chose a single word in lowercase for Common name.
Add certificate to Apple Developer Portal
Download the CSR
Double click on the CSR to import the keys into your Keychain.
Your private key should have a dropdown with the certificate listed. My previous attempts did not have this. Export the p12.
The p12 worked in AWS SNS when entering the password, the public and private keys were extracted from the p12.

CSR algorithm/size is incorrect. Expected RSA 2048

I am trying to integrate Apple Pay with Braintree. I have followed the following instructions to enable Apple Pay in Braintree. In the first step, if you click on certificate signing request, it downloads a braintree_app_pay.certSigningRequest file which is used in the Apple membership.
When I choose to create payment process certificate, I am getting the following error.
Complementing what #zepp said, you need to specify when creating the CSR, and you can do that by following the process below
Go to Keychain Access
Click on Certificate Assistant
Click on Request Certificate from Certificate Authority
Enter all information and click on the "Let me specify key pair Information" checkbox, then click on Continue
Select KeySize to be 256 and Algorithm to be ECC
Then click on continue.
Full disclosure: I work at Braintree. If you have any further questions, feel free to contact our Support team.
Make sure you're selecting the Apple Pay Certificate option under Production (even if this is for a Sandbox; see the Braintree Apple Pay configuration docs for details) when choosing the type of certificate to add in the Apple Developer portal. Apple Pay CSRs should be generated with ECC, not RSA.
Here's what the CSR prompt screen should look like. Although you'll be uploading the CSR obtained from Braintree instead of generating one, note Apple's specifications for the key:
Please follow the steps below [if you use Apple Pay with Stripe or any other payment gateway]:
Double click on CSR (Downloaded from Stripe), [It will open Certificate Assistant]
Click on Continue
Select 'Request a certificate from an existing CA', and Continue
In Certificate Information screen, Enter User Email Address, Common Name, Leave CA Email Address empty, Select 'Saved to disk & checked Let me specify key pair information' [Select your specific location and save]
In Key Pair Information screen, select 'ECC' algorithm & select Key size : 256 bits and continue.
Now use this CSR in your payment processing certificate.
This issue is not specific to Apple Pay or Braintree - I ran into the same issue when trying to create a CSR for getting a Safari certificate from Apple.
What's important to know is that you need to select the iCloud keychain before using the Request Certificate from Certificate Authority command. If you don't, another keychain may be active, causing wrong keys to be used.
From Apple Developer Forum
Within the Keychain Access drop down menu, select Keychain Access >
Certificate Assistant > Request a Certificate from a Certificate
Authority.
In the Certificate Information window, enter the following information:
In the User Email Address field, enter your email address.
In the Common Name field, create a name for your private key (e.g., John Doe Dev Key).
The CA Email Address field should be left empty.
In the "Request is" group, select the "Saved to disk" option.
Select "Let me specify key pair information".
Click Continue within Keychain Access and select the file location.
Set the Key Pair Information to the following:
Algorithm: ECC
Key Size: 256 bits
Click Continue within Keychain Access to complete the CSR generating process.
I don't get it, because it says "You must use the CSR we provide. Do not create a CSR file yourself." on the Braintree website.
And with this CSR file, it always fails on Apple's upload page.
Edit:
I finally uploaded successfully by following the steps of #anjali-jariwala's answer.
Just in the last step, I chose RSA & 2048, as the alert required.
For me, I accidentally chose Yes when asked "Will payments associated with this Merchant ID be processed exclusively in China?"
Choosing No solved the issue for me.
I had the same error. The mistake on my part was choosing the wrong type of certificate while creating it in the Apple developer portal. I used 'Apple Pay Merchant Identity Certificate', but I needed to use 'Apple Pay Payment Processing Certificate', which solved the issue.
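The answers above turn on which key type the certificate being requested expects (RSA 2048 in the error message, ECC 256 for Apple Pay payment processing), so it helps to read the key algorithm and size out of a CSR before uploading it. The following is an added example, not part of any of the posts; it assumes the OpenSSL command-line tool is installed, and the function names and the throwaway sample CSRs are constructed for illustration.

```sh
#!/bin/sh
# Added example: report which key algorithm and size a CSR carries.
# Requires the OpenSSL CLI. Function names are made up for this example.

# csr_key_info FILE -> prints "<algorithm> <bits>", e.g. "id-ecPublicKey 256".
# Returns 2 when the file cannot be parsed as a CSR.
csr_key_info() {
    text=$(openssl req -in "$1" -noout -text 2>/dev/null) || return 2
    alg=$(printf '%s\n' "$text" |
        sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    bits=$(printf '%s\n' "$text" |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    printf '%s %s\n' "$alg" "$bits"
}

# csr_matches FILE rsa2048|ecc256 -> exit 0 when the CSR has that key type.
csr_matches() {
    info=$(csr_key_info "$1") || return 2
    case "$2" in
        rsa2048) [ "$info" = "rsaEncryption 2048" ] ;;
        ecc256)  [ "$info" = "id-ecPublicKey 256" ] ;;
        *)       return 2 ;;
    esac
}

# Constructed sample input: two throwaway CSRs, one per key type.
make_sample_csrs() {
    dir=$1
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ec.key" 2>/dev/null
    openssl genrsa -out "$dir/rsa.key" 2048 2>/dev/null
    for k in ec rsa; do
        openssl req -new -key "$dir/$k.key" -subj "/CN=constructed-sample" \
            -out "$dir/$k.csr"
    done
}

tmp=$(mktemp -d)
make_sample_csrs "$tmp"
for f in "$tmp/ec.csr" "$tmp/rsa.csr"; do
    printf '%s: %s\n' "${f##*/}" "$(csr_key_info "$f")"
done
rm -rf "$tmp"
```

The same function works on a `.certSigningRequest` file saved by Keychain Access or downloaded from a payment provider, since those are PEM-encoded PKCS#10 requests.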

What's the role of the password in Certificates.p12 file for iOS push notification

For implementing push services for iOS apps, we need to export push certificates from Keychain Access as a Certificates.p12 file and upload that to the APN server. While exporting, it asks for a password. What is the difference between a Certificate.p12 file exported with a password and one exported with a blank password? Cloud services like parse.com which support push messages do not accept a .p12 file exported with a password. When we are coding our own APN server, should we use a .p12 file exported with a password or without a password? For me, with a p12 file exported without a password, I get an "UnrecoverableKeyException: Get Key failed" error.
Thanks in advance for your help.
The answer is simple; I will explain with an example.
Consider your p12 file as an ATM card (debit/credit card) and think: if you don't have a password for it, what happens if someone gets your card?
Same here: if you don't password-protect that p12, anyone who has that p12 file can send (malicious) push notifications to your apps using that p12 file.
The p12 file is an encrypted container for your X.509 Push Notification Certificate and its corresponding Private Key. Because nobody should be able to use your certificate/private key for malicious purposes, it is strongly recommended that you protect your p12 file with a password. Else anybody who gets your p12 file will be able to communicate with Apple's Push Servers using your Developer Identity (which is defined by the certificate).
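One way to audit exported files for the situation these answers describe, a .p12 that opens with no password at all. This is an added example, not taken from the posts; it assumes the OpenSSL command-line tool is installed, and the function names, the passphrase and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag .p12 files that open with an empty password.
# Requires the OpenSSL CLI. Function names are made up for this example.

# p12_opens_with FILE PASSWORD -> exit 0 when PASSWORD unlocks FILE.
# The password is handed over in an environment variable rather than as an
# argument, so it does not appear in the process list.
p12_opens_with() {
    P12_PASS="$2" openssl pkcs12 -in "$1" -noout -passin env:P12_PASS \
        </dev/null >/dev/null 2>&1
}

# p12_audit FILE -> prints UNPROTECTED when an empty password opens the file.
p12_audit() {
    if p12_opens_with "$1" ""; then
        echo "UNPROTECTED"
    else
        echo "protected-or-unreadable"
    fi
}

# Constructed sample input: one throwaway key and self-signed certificate,
# exported once with an empty password and once with a passphrase.
make_sample_p12s() {
    dir=$1
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/k.pem" 2>/dev/null
    openssl req -x509 -new -key "$dir/k.pem" -subj "/CN=constructed-sample" \
        -days 1 -out "$dir/c.pem"
    P12_PASS="" openssl pkcs12 -export -inkey "$dir/k.pem" -in "$dir/c.pem" \
        -out "$dir/open.p12" -passout env:P12_PASS
    P12_PASS="constructed-passphrase" openssl pkcs12 -export \
        -inkey "$dir/k.pem" -in "$dir/c.pem" \
        -out "$dir/locked.p12" -passout env:P12_PASS
}

tmp=$(mktemp -d)
make_sample_p12s "$tmp"
for f in "$tmp/open.p12" "$tmp/locked.p12"; do
    printf '%s: %s\n' "${f##*/}" "$(p12_audit "$f")"
done
rm -rf "$tmp"
```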

Creating an ad hoc provisional profile without generating yet another public/private keypair

When creating an ad hoc provisional profile, it asks for a Certificate Signing Request.
It seems it would create yet another public/private key pair? Can I use an existing one?
Below is the instruction given. The step I have in question is "create a name for your private key". I already have two key pairs; I wish to use the existing ones.
To manually generate a Certificate, you need a Certificate Signing
Request (CSR) file from your Mac. To create a CSR file, follow the
instructions below to create one using Keychain Access. Create a CSR
file.
In the Applications folder on your Mac, open the Utilities folder and
launch Keychain Access.
Within the Keychain Access drop down menu, select Keychain Access >
Certificate Assistant > Request a Certificate from a Certificate
Authority.
In the Certificate Information window, enter the following information:
In the User Email Address field, enter your email address.
In the Common Name field, create a name for your private key (e.g., John Doe Dev Key).
The CA Email Address field should be left empty.
In the "Request is" group, select the "Saved to disk" option.
Click Continue within Keychain Access to complete the CSR generating process.
You don't need to create a separate Certificate Signing Request (CSR) each time. You can use the same CSR as many times as you want. There is no problem with using the same CSR each time. I use the same CSR for creating certificates.
But you have to create it at least one time.

Can two different apps use the same Push SSL Certificate?

I'm configuring stuff on the provisioning portal for a new app which will use APNS.
When I went to configure the App Id for pushes the web site popped up a dialog saying I had to use Keychain Access and request a certificate from a CA.
However this is a step I've already been through with a previous app, therefore is there any need to do so again? If there's no need, is it still a good idea, and if so why?
If there's no need to generate a CSR again, then I no longer have the CSR file from previously, so is there any way to recover it?
Certificates belong to hostnames.
If the hostname is the same, yes you can.
If it is a subdomain, and the certificate is a wildcard, yes you can.
If the hostname is different, you can generate a new CSR and apply for your new certificate.
