I'm attempting to follow these instructions to set up my S3 API to send push notifications to my iOS app.
I'm making a mess of the certificate issues, so I was hoping someone could help sort me through them.
So far, I've created a CSR, uploaded it to Apple Dev portal, and downloaded a .cer file. I then converted the cer into a pem
openssl x509 -in apns-dev.cer -inform DER -out apns-dev.pem
Then I ran into the instruction to "Open Keychain Access, select Keys, and then highlight your app private key." Not knowing what my "app private key" was, I've tried a couple things:
Grabbing the preexisting private-key file in the app's cert folder (an RSA private key which was not, to my knowledge, used to generate the above CSR).
Exporting my default system private key as a p12 and then converting it, per AWS instructions, into a pem key.
Trying to generate a new CSR directly from my system private key in Keychain Access
However, whenever I follow the instructions to "test" the private/public key pair (openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert apns-dev.pem -key apns-private.pem), I get this:
error setting private key
41047:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.60.1/src/crypto/x509/x509_cmp.c:406:
I've looked at the following questions, but haven't been able to use their answers to figure this out:
Does the apple push notification distribution certificate signing request need to be the same as that used for the distribution cert to sign the app? - When I try to "expand" the cert in Keychain Access, all I see is info. There is no private key info, and I can't "Export 2 items"
Apple Push Notification error setting private key (the self-given answer here conflicts with the above, and at any rate, I no longer have the original CSR)
Unable to load client certificate private key file - My private key file isn't empty, and I did enter the passphrase correctly
Any idea what could be going on? I'm just shooting in the dark here.
Don't use Apple's instructions to generate the CSR.
Generate key:
openssl genrsa -out $app.key 2048
Generate CSR:
openssl req -new -key $app.key -out $app.csr
And enter the relevant data.
Upload CSR to Apple. Download certificate.
Convert certificate to PEM:
openssl x509 -inform DER -in $app.cer -out $app.pem
Now you have the key in $app.key, and a PEM-encoded certificate in $app.pem. You can then install both on the box that will be connecting to APNS (depending on the software you use, they might be separate files, or you may just append the key to the certificate file).
Related
I'm working on a project for a client. I have two .cer files (developer and distribution) both are loaded into Keystore Access on Mac OS X. However I'm unable to export as a .p12 file.
Alternatively I tried OpenSSL but still no luck...
openssl pkcs12 -export -in followMe_ios_development.cer -out followMe_ios_development.p12 -clcerts -nokeys
How can I export this .cer file as a .p12 so I can compile this app for iOS?
What works for me dealing with Push Notification certifies has been:
Open the certificate: open my_filename.cer and click "View Certificates" to see the certificate's name
Go to Applications -> Utilities -> Keychain Access
Ensure you have selected the "login" keychain, not the "system" one (thanks to #Matt Flettcher )
Go to "Certificates"
Look for the desired certificate
Ensure that you can expand it and see under it the original ".certSigningRequest" used to generate the certificate
At this moment you should be able to export it as ".p12"
try this:
given you have files as follow:
aps.cer, downloaded from Apple.
app.key, your own private key generated by openssl.
1st, convert the .cer file into .pem format:
openssl x509 -in aps.cer -inform DER -out aps.pem -outform PEM
2nd, use the .pem file and your private .key to generate .p12 file:
openssl pkcs12 -export -out aps.p12 -inkey app.key -in aps.pem
this should prompt to ask a password for this .p12 file.
CF:
aps_developer_identity.cer to p12 without having to export from Key Chain?
Creating a .p12 file
I had the same problem. .p12 Export was not available, only .p7b
I solved it very easily:
You donĀ“t select your certificate via the "certificates" directory on the lower left, but via the "My Certificates" directory.
Like this, an arrow should show up left of your certificate.
Click it, and you will see your private Key.
Right-Click on your private Key and select the "export Key" option. Now you can create a .p12 Certificate File, just as the doctor ordered.
Good Luck!
You should select both cert and private key. Then you will able to export certs with p12 extension.
In my case I'm trying to create a pfx/PKCS12 file and have tried the given commands and ran through couple of issues out of which one was : Unable to load certificate even I'm doing right. So then tried with the below one command instead of few others:
openssl pkcs12 -export -out requiredPFXfile.pfx -inkey yourPrivateKey.key -in yourcertificate.cer
Please find link for more details :-
https://www.ssl.com/how-to/create-a-pfx-p12-certificate-file-using-openssl/
I'm newbie to SSL & certs stuff & can't judge on other answers,appreciate everyone's work here!!
In my case the abilty to export in p12 format depends on certificate type. For "Apple Distribution" certificate type it is disabled, right like in your case.
When I created new certificate with type "IOS Distribution (App Store and Ad Hoc)" and processed it right like previous one, the p12 format became available in export dialog.
I'm trying to generate a new push notifications certificate on my IIS.
In the past I used to go to IIS mamager --> Server Certificates then select "Create Certificate Request", fill out the details and it generated a txt file which I uploaded to apple to generate and download the cer file.
My problem is that for some reason I can't upload this text file. I get this message:
Invalid CSR
Select a valid Certificate Signing Request
anyone encountered this issue?
Finally got it working.
This is what I did:
In IIS using Cygwin:
Generate private key:
openssl genrsa -out myAppName.key 2048
Generate csr file from private key:
openssl req -new -sha256 -key myAppNameCSR.key -out myAppName.csr
Upload csr file to apple to generate certificate
Download the certificate
Convert certificate to pem file
openssl x509 -in aps_development.cer -inform der -out myAppNameCert.pem
Generate pfx file
openssl pkcs12 -export -out myAppNameKey.pfx -inkey myAppNameCSR.key -in myAppNameCert.pem
To install the certificate in Windows Server:
Click Start > Run.
At the prompt, type in mmc, and then click OK to open the Microsoft Management Console.
Click File, and then click Add/Remove Snap-in.
Click Certificates from the list of available snap-ins, and then click Add..
Click Computer account.
Click Next, and then click Finish.
Click OK.
Right-click the Personal tree node and select All Tasks >Import.
Follow the Wizard, pointing it to the pfx file generated and provide the password used to secure it during creation.
Under the Personal tree node, double-click the Certificates folder.
Right-click the newly installed certificate.
Select All Tasks > Manage Private Keys.
In the Security tab, add the Network Service account providing Read access.
add the group IIS_IUSRS to the private key, and make sure it has full control.
Making a PEM File with Cygwin
So now you have these files:
The private key as a pfx file
The SSL certificate, aps_development.cer as pem file
Convert the pfx file to pem file:
openssl pkcs12 -nocerts -out myAppNameKey.pem -in myAppNameKey.pfx
Finally, combine the certificate and key into a single .pem file:
cat myAppNameCert.pem myAppNameKey.pem > ckDevelopment.pem
Hope this saves someone some time...
use Your keychain Access to genarate Certificate Signing Request
this tutorial might help you -
http://quickblox.com/developers/How_to_create_APNS_certificates
I've followed the instructions as I believe to sign my mobileconfig file so, with a users permission, I can correctly set their APN. However, when using this mobileconfig file the screen from iOS still continues to show "Not Verified". However, under 'More Details' it gives some encouraging information -- the signing certification information all seems correct.
i.e., I'm close - any ideas?
I've tried the basics -
iOS mobileconfig walkarounds
and variations, including not using the certificate chain.
How to Sign and verify a .mobileconfig file in apple
Export certificate from the key chain
keychain access --> Certifcates(LeftPanel)--> right click the particular certificate and export the certificate.
convert .p12 file to PEM file (converting use this link www.sslshopper.com/ssl-converter.html)
Eg: InnovCertificates.p12 to InnovCertificates.pem
Download Apple Root Certificate and Apple Intermediate Certificate
(For my .mobileconfig file verification i am used Apple Inc. Root Certificate(Apple Root Certificate) and
Application Integration Certificate (Apple Intermediate Certificate) certificates.
you can also use these certificates or other certificates that have in the apple certificates www.apple.com/certificateauthority/)
The download file is combination of certificate and keys . (Read the certificate in Terminal commands are following link info.ssl.com/article.aspx?id=12149)
From this certificate file we need extract certificate.
extract certificate from Apple Root Certificate. Then extract certificate from Apple Intermediate Certificate
openssl x509 -inform DER -outform PEM -in AppleIncRootCertificate.cer -out root.crt.pem
openssl x509 -inform DER -outform PEM -in AppleAAICA.cer -out Intermediate.crt.pem
open the two extracted file in text editor,
copy and paste the Intermediate.crt.pem to beginning of the root.crt.pem and save .then your root.crt.pem file is combination of two certificate.
Sign and verify the .mobileconfig file
Once you have all the files listed above, you will run a command like the following:
openssl smime -sign -in Example.mobileconfig -out SignedVerifyExample.mobileconfig -signer InnovCertificates.pem -certfile root.crt.pem -outform der -nodetach
The result .mobileconfig file is signed and verified.
Use full links:
1.renren.io/questions/637349/ios-mobileconfig-walkarounds
2.developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/smime.1ssl.html#//apple_ref/doc/man/1/smime
3.www.apple.com/certificateauthority/
4.www.rootmanager.com/iphone-ota-configuration/iphone-ota-setup-with-signed-mobileconfig.html
5.info.ssl.com/article.aspx?id=12149
6.www.sslshopper.com/ssl-converter.html
7.wiki.cac.washington.edu/display/infra/Extracting+Certificate+and+Private+Key+Files+from+a+.pfx+File
8.stackoverflow.com/questions/9277426/ios-mobileconfig-walkarounds
9.stackoverflow.com/questions/991758/how-to-get-an-openssl-pem-file-from-key-and-crt-files
10.discussions.apple.com/thread/2363234
I need cert.pem and key.pem for API(in my node js backend) but I just download .cert file from App IDs -> Edit -> Download. How can I get it, I can extract it from .cer file?
Generate a Push Certificate
To generate a certificate on a Mac OS X:
Log-in to the iPhone Developer Program Portal
Choose App IDs from the menu on the right
Create an App ID without a wildcard. For example 3L223ZX9Y3.com.armiento.test
Click the Configure link next to this App ID and then click on the button to start the wizard to generate a new Development Push SSL Certificate (Apple Documentation: Creating the SSL Certificate and Keys)
Download this certificate and double click on aps_developer_identity.cer to import it into your Keychain
Launch Keychain Assistant (located in Application, Utilities or search for it with Spotlight) and click on My Certificates on the left
Expand Apple Development Push Services and select Apple Development Push Services AND your private key (just under Apple Development Push Services)
Right-click and choose "Export 2 elements..." and save as server_certificates_bundle_sandbox.p12 (don't type a password).
Open Terminal and change directory to location used to save server_certificates_bundle_sandbox.p12 and convert the PKCS12 certificate bundle into PEM format using this command (press enter when asked for Import Password):
openssl pkcs12 -in server_certificates_bundle_sandbox.p12 -out server_certificates_bundle_sandbox.pem -nodes -clcerts
Now you can use this PEM file as your certificate in ApnsPHP!
Copied from:
http://www.pressmatrix.de/product-blog/apple-ios-push-notification-setup-guide/
Launch the Keychain Access tool and select My Certificates in the left hand panel.
Locate the certificate you wish to install and reveal its contents. There should be both a certificate and a private key inside.
Select both the certificate and private key, then click File and Export Items. Select Personal Information Exchange (.p12) as the output file format.
Move the CSR file, .p12 file and xxx.cer files into the same folder and navigate to that location within the terminal window.
Convert the xxx.cer file into a cert.pem file using the following command:
openssl x509 -in xxx.cer -inform der -out cert.pem
Convert the private key xxx.p12 into a key.pem file:
openssl pkcs12 -nocerts -out key.pem -in xxx.p12
Or refer to:
https://developer.apple.com/library/ios/documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/Chapters/ProvisioningDevelopment.html#//apple_ref/doc/uid/TP40008194-CH104-SW5
I am working on an application where I will retrieve a public key for a user from our server. Once I have it, I need to do a RSA encryption using the public key. The public key obtained from the server is Base64 encoded.
How do I load the public key into the iOS KeyChain so that I can perform RSA cryptographic functions with it? Certificate loading seems to be trivial, but raw public keys don't.
This is not supported because it is the "wrong" way.
The "right" way is to use a certificate.
To quote "Quinn The Eskimo!".
This is surprisingly easy. You don't need to add the certificate to the keychain to handle this case. Rather, just load the certificate data (that is, the contents of a .cer file) in your application (you can either get this from your bundle or off the network) and then create a certificate ref using SecCertificateCreateWithData. From there you can extract a public key ref using a SecTrust object (SecTrustCreateWithCertificates, SecTrustEvaluate -- you can choose to ignore the resulting SecTrustResultType -- and SecTrustCopyPublicKey). And from there you can encrypt and verify using the SecKey APIs (SecKeyEncrypt, SecKeyRawVerify).
A tutorial on how to create a self-signed certificate is here.
The basic steps are:
#Make the -----RSA PRIVATE KEY----- file in PEM format
openssl genrsa -out privKey.pem 2048
#Make the -----CERTIFICATE REQUEST-----
openssl req -new -key privKey.pem -out certReq.pem
#Make the actual -----CERTIFICATE-----
openssl x509 -req -days 30 -in certReq.pem -signkey privKey.pem -out certificate.pem
#Make the DER certificate.crt file from the certificate.pem
openssl x509 -outform der -in certificate.pem -out certificate.cer
If you double click that .cer on a Mac machine, it will offer to import it into keychain.
Resources:
How to generate self signed certificates
Common SSL commands
The usual way of transporting a public key -is- inside a certificate, signed by some CA to prove that it is authentic.
Or maybe you are talking about a ssh public key?
in that case you would need a special ssh capable app to use it, these keys are usually not stored in the iOS keychain.
I found the necessary code on the Apple Site describing how to strip the ASN.1 header from the Public Key and load it into the KeyChain.