I already found a thread with a similar topic but I wasn't able to solve my problem this way, so I hope I get help here.
I'm trying to sign a iPhone config profile with my servers SSL certificate on Mac OS X:
openssl smime -sign -in company.mobileconfig -out signed.mobileconfig -signer server.crt -inkey server.key -certfile ca.crt -outform der -nodetach
Unfortunately I get the following error
unable to load certificate
I'm don't know what I'm doing wrong - I use the following certs:
server.crt:
-----BEGIN CERTIFICATE-----
MIIHV.....
-----END CERTIFICATE-----
server.key:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC, .....
sHK1......
-----END RSA PRIVATE KEY-----
ca.crt:
from http://www.startssl.com/certs/
All certificates are in the same folder 'iphone' I changed to with
ch /Volumes/Daten/.../iphone
So now I'm on
localhost:iphone Stefan$
Many thanks for your help in advance!
Regards
Stefan
The answer is:
openssl smime -sign -signer cert.pem -inkey key.pem -certfile ca-bundle.pem -nodetach -outform der -in profile-uns.mobileconfig -out profile-sig.mobileconfig
with ca-bundle.pem is the cert chain of a CA.
Related
I had export .cer file from keychain and using below command try to convert in .pem file but in resulted .pem file missing
-----BEGIN PRIVATE KEY-----
please any one can give another way to do that
command are like
openssl pkcs7 -text -in certfile.cer -print_certs -outform PEM -out certfile.pem
If anyone wants to use command which is recommended for creating pem file,
then here is solution on my gist.
openssl x509 -in aps_development.cer -inform der -out PushChatCert.pem
openssl pkcs12 -nocerts -in PushChatKey.p12 -out PushChatKey.pem
cat PushChatCert.pem PushChatKey.pem > ck.pem
First 3 commands will generate pem, but if you want to test then 4th and 5th command will be necessary.
If you got error that about unknown command 'telnet' then install telnet from brew.
Also, I have the same issue when I convert .p12 file into .pem file
when I open that .pem file in that missing ----BEGIN PRIVATE KEY-----
So after searching find out solution use this convert .p12 to .pem
openssl x509 -inform der -in certificate.cer -out certificate.pem
Look no further. This is all that it takes.
I using following comment to generate p12 file,
openssl x509 -in developer_identity.cer -inform DER -out developer_identity.pem -outform PEM
openssl pkcs12 -nocerts -in mykey.p12 -out mykey.pem
openssl pkcs12 -export -inkey mykey.pem -in developer_identity.pem -out iphone_dev.p12
p12 file was generated successfully for development but it wont work for distribution...
I got error in the last step, asking password for mykey.pem file after give password it shows
"No certificate matches private key"
Enter pass phrase for mykey.pem:
No certificate matches private key
Can any one help me with this?
I change .cer file for distribution but forget get .p12 file from keychain for distribution...
after get .p12 file from keychain its working.
Following procedure does not work,openssl at 4th step raisesĀ "No certificate matches private key". It works without -certfile parameter so is it really required? I saw same procedure at several places on the net. So is it really appropriate or am i doing something wrong?
Also OS X procedure only says to export certificate but should not it be both cert and pkey.
OpenSSL
Here is how to create a PKCS12 format file using open ssl, you will need your developer private key (which can be exported from the keychain) and the CertificateSigningRequest??.certSigningRequest
Convert apn_developer_identity.cer (der format) to pem: openssl x509 -in apn_developer_identity.cer -inform DER -out apn_developer_identity.pem -outform PEM
Next, Convert p12 private key to pem (requires the input of a minimum 4 char password): openssl pkcs12 -nocerts -out private_dev_key.pem -in private_dev_key.p12
(Optional): If you want to remove password from the private key: openssl rsa -out private_key_noenc.pem -in private_key.pem
Take the certificate and the key (with or without password) and create a PKCS#12 format file: openssl pkcs12 -export -in apn_developer_identity.pem -inkey private_key_noenc.pem -certfile CertificateSigningRequest??.certSigningRequest -name "apn_developer_identity" -out apn_developer_identity.p12
http://code.google.com/p/apns-sharp/wiki/HowToCreatePKCS12Certificate
I have a certificate and private key that I want to put together, in code, into a PKCS12 file with the OpenSSL library (libcrypto). I know how to do this via the command-line tool:
$ openssl x509 -in developer_identity.cer -inform DER -out developer_identity.pem -outform PEM
$ openssl pkcs12 -nocerts -in mykey.p12 -out mykey.pem
$ openssl pkcs12 -export -inkey mykey.key -in developer_identity.pem -out iphone_dev.p12
But how can I do it in code?
If you are willing to use C code in your objective-C code and you have OpenSSL library for iOS then you can do it.
You can use PKCS12_create function to create a PKCS12 structure and write it to file using i2d_PKCS12_bio function.
PKCS12_create takes the certificate, private key, passphrase, chain of CA certificates and other parameter.
It is explained in a pretty well manner in documentation.
I hope this will help you to start coding.
So, I've been looking around a lot of how to create a p12 file for iPhone development, and I think I'm doing exactly as I am supposed to, but at the last step I get some errors that are more or less impossible to decipher.
I am running Windows 7, and these are the steps I do:
1) Create the private key. I do this by running this command (cmd is opened in Administrator mode):
openssl genrsa -out mykey.key 2048
2) Create the CSR file
openssl req -new -key mykey.key -out developer_identify.csr
3) Upload the csr file to the iPhone dev site. Here I do the following:
Click on menu Identifiers --> App IDs, select the correct App ID, click Edit, click Create Certificate, click Continue, select the CSR-file created above and proceed. Wait for the site to tell me its all OK, and then download the *aps_development.cer* file.
4) Create the PEM file:
openssl x509 -in aps_development.cer -inform DER -out
developer_identity.pem -outform PEM
5) And lastly, create the p12 file (and this is where it fails):
openssl pkcs12 -export -inkey mykey.key -in developer_identity.pem
-out iphone_dev.p12
The output after the last command:
Loading 'screen' into random state - done
Enter Export Password:
Verifying - Enter Export Password:
8216:error:060740A0:lib(6):func(116):reason(160):NA:0:
8216:error:23077073:lib(35):func(119):reason(115):NA:0:
8216:error:2306C067:lib(35):func(108):reason(103):NA:0:
8216:error:23073067:lib(35):func(115):reason(103):NA:0:
The p12 file is 0 bytes.
The PEM file looks alright, starts with
-----BEGIN CERTIFICATE-----
then a lot of jibberish and then ends with
-----END CERTIFICATE-----