iOS mobileconfig file -- Still "Not Verified" -- but close - I see certification info - ios

I've followed the instructions as I believe to sign my mobileconfig file so, with a user's permission, I can correctly set their APN. However, when using this mobileconfig file the screen from iOS still continues to show "Not Verified". However, under 'More Details' it gives some encouraging information -- the signing certification information all seems correct.
i.e., I'm close - any ideas?
I've tried the basics -
iOS mobileconfig walkarounds
and variations, including not using the certificate chain.

How to Sign and verify a .mobileconfig file in apple
Export the certificate from the keychain
Keychain Access --> Certificates (left panel) --> right-click the particular certificate and export the certificate.
Convert the .p12 file to a PEM file (to convert, use this link: www.sslshopper.com/ssl-converter.html)
E.g.: InnovCertificates.p12 to InnovCertificates.pem
Download the Apple Root Certificate and the Apple Intermediate Certificate
(For my .mobileconfig file verification I used the Apple Inc. Root Certificate (Apple Root Certificate) and
the Application Integration Certificate (Apple Intermediate Certificate).
You can also use these certificates or other certificates listed at www.apple.com/certificateauthority/)
The downloaded file is a combination of certificate and keys. (Terminal commands for reading the certificate are at info.ssl.com/article.aspx?id=12149)
From this certificate file we need to extract the certificate.
Extract the certificate from the Apple Root Certificate. Then extract the certificate from the Apple Intermediate Certificate:
openssl x509 -inform DER -outform PEM -in AppleIncRootCertificate.cer -out root.crt.pem
openssl x509 -inform DER -outform PEM -in AppleAAICA.cer -out Intermediate.crt.pem
Open the two extracted files in a text editor,
copy and paste the contents of Intermediate.crt.pem to the beginning of root.crt.pem and save. Your root.crt.pem file is then a combination of the two certificates.
Sign and verify the .mobileconfig file
Once you have all the files listed above, you will run a command like the following:
openssl smime -sign -in Example.mobileconfig -out SignedVerifyExample.mobileconfig -signer InnovCertificates.pem -certfile root.crt.pem -outform der -nodetach
The resulting .mobileconfig file is signed and verified.
Useful links:
1. renren.io/questions/637349/ios-mobileconfig-walkarounds
2. developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man1/smime.1ssl.html#//apple_ref/doc/man/1/smime
3. www.apple.com/certificateauthority/
4. www.rootmanager.com/iphone-ota-configuration/iphone-ota-setup-with-signed-mobileconfig.html
5. info.ssl.com/article.aspx?id=12149
6. www.sslshopper.com/ssl-converter.html
7. wiki.cac.washington.edu/display/infra/Extracting+Certificate+and+Private+Key+Files+from+a+.pfx+File
8. stackoverflow.com/questions/9277426/ios-mobileconfig-walkarounds
9. stackoverflow.com/questions/991758/how-to-get-an-openssl-pem-file-from-key-and-crt-files
10. discussions.apple.com/thread/2363234

Related

How to install self-signed certificates in iOS 11

I've been using self-signed certificates in the intranet of my small office and after upgrading to iOS 11, the certificates do not work for me. (Chrome and other browsers are happy with them.)
I've got my self-signed root ca file and converted it to .der file, and installed it onto my iPad via web.
But unlike this Answer, I can't see my root ca certificate on the Settings > General > About > Certificate Trust settings.
Are there any limitations for the certificates to be trusted in iOS? Both my iPhone and iPad have this problem. Is there anything wrong in my procedure?
I used these commands to make my CA certificate.
openssl genrsa -des3 -out rootCA.key 4096
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
openssl x509 -in rootCA.crt -out cert.der -outform DER
If you are not seeing the certificate under General->About->Certificate Trust Settings, then you probably do not have the ROOT CA installed. Very important -- needs to be a ROOT CA, not an intermediary CA.
This is very easy to determine by using openssl:
$ openssl s_client -showcerts -connect myserver.com:443 </dev/null
This will show you output for certificates in the cert chain, something like this:
Certificate chain
0 s:/C=US/ST=California/L=SAN FRANCISCO/O=mycompany.com, inc./OU=InfraSec/CN=myserver.com
i:/C=US/O=mycompany.com, inc./CN=mycompany.com Internal CA 1A
-----BEGIN CERTIFICATE-----
....encoded cert in PEM format....
-----END CERTIFICATE-----
And it should show a chain of certs all the way to the ROOT CA. Keep following the output, paying attention to the "i:" value which indicates the ISSUER. Finally, you should get to the ROOT CA and can just copy-paste it to a .pem file (be sure to include the BEGIN CERTIFICATE and END CERTIFICATE lines!). Now you will be able to install it on your simulator by dragging-dropping onto simulator window.
If your ROOT CA is not listed, then find the top level in the output, then export it from Keychain Access.app. This assumes you are able to hit the website via Safari/Chrome, so you will have had to manually trust the website first.
My 'openssl s_client' output ended with the last cert shown with an issuer like this:
i:/C=US/O=mycompany.com, inc./CN=mycompany.com Internal Root CA 1
I am able to hit the target website successfully via Safari/Chrome, so that means Keychain has it stored and trusts it. So, I just launched Keychain Access.app via Spotlight and typed "mycompany" in the search bar. It showed my certificate (Kind=certificate) for "mycompany.com Internal Root CA 1". I just right clicked and selected "Export" and saved it to a .cer file.
Voila! Now I can drag-n-drop it onto my simulator and the ROOT CA will show up under General->About... and I can enable it.
If, for some reason you need to convert PEM file to DER/CER, just use this command:
$ openssl x509 -in myfile.pem -out myfile.der -outform DER
Hope this helps, I've had to do this dozens of times and figured it's about time I jot down some notes so I don't keep forgetting.
Apparently iOS does not like certificates without a Common Name, so just regenerate it with a non-empty CN and it will appear in the root certificates list.
Just use the following commands, then AirDrop that cert or send it to yourself via email.
Make sure to answer all the questions when you see prompts.
openssl genrsa -out privatekey.pem 1024
openssl req -new -x509 -key privatekey.pem -out publickey.cer -days 1825
openssl pkcs12 -export -out public_privatekey.pfx -inkey privatekey.pem -in publickey.cer
I had the same issue until I used this command. I don't know why this happens but the command works.
Cheers!

AWS/Apple Push certificate -- error setting private key

I'm attempting to follow these instructions to set up my S3 API to send push notifications to my iOS app.
I'm making a mess of the certificate issues, so I was hoping someone could help sort me through them.
So far, I've created a CSR, uploaded it to Apple Dev portal, and downloaded a .cer file. I then converted the cer into a pem
openssl x509 -in apns-dev.cer -inform DER -out apns-dev.pem
Then I ran into the instruction to "Open Keychain Access, select Keys, and then highlight your app private key." Not knowing what my "app private key" was, I've tried a couple things:
Grabbing the preexisting private-key file in the app's cert folder (an RSA private key which was not, to my knowledge, used to generate the above CSR).
Exporting my default system private key as a p12 and then converting it, per AWS instructions, into a pem key.
Trying to generate a new CSR directly from my system private key in Keychain Access
However, whenever I follow the instructions to "test" the private/public key pair (openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert apns-dev.pem -key apns-private.pem), I get this:
error setting private key
41047:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.60.1/src/crypto/x509/x509_cmp.c:406:
I've looked at the following questions, but haven't been able to use their answers to figure this out:
Does the apple push notification distribution certificate signing request need to be the same as that used for the distribution cert to sign the app? - When I try to "expand" the cert in Keychain Access, all I see is info. There is no private key info, and I can't "Export 2 items"
Apple Push Notification error setting private key (the self-given answer here conflicts with the above, and at any rate, I no longer have the original CSR)
Unable to load client certificate private key file - My private key file isn't empty, and I did enter the passphrase correctly
Any idea what could be going on? I'm just shooting in the dark here.
Don't use Apple's instructions to generate the CSR.
Generate key:
openssl genrsa -out $app.key 2048
Generate CSR:
openssl req -new -key $app.key -out $app.csr
And enter the relevant data.
Upload CSR to Apple. Download certificate.
Convert certificate to PEM:
openssl x509 -inform DER -in $app.cer -out $app.pem
Now you have the key in $app.key, and a PEM-encoded certificate in $app.pem. You can then install both on the box that will be connecting to APNS (depending on the software you use, they might be separate files, or you may just append the key to the certificate file).
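Added example (not part of the original posts): the "key values mismatch" error in the question means the public key inside the certificate was not derived from the private key passed with -key. The script below compares the two directly before any connection is attempted; the helper names cert_key_match and make_samples, the file names and the sample CN are constructed for illustration.

```shell
#!/bin/sh
# Added example: check whether a private key belongs to a certificate.
# All file names and the sample CN below are constructed for illustration.

# cert_key_match CERT KEY
# Returns 0 if KEY's public half equals the public key in CERT,
# 1 if they differ, 2 if either file cannot be parsed.
cert_key_match() {
    # Apple delivers .cer files in DER; try PEM first, then DER.
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) ||
    cert_pub=$(openssl x509 -in "$1" -inform DER -noout -pubkey 2>/dev/null) ||
        return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# make_samples DIR
# Builds constructed test material in DIR: app.key, a self-signed
# certificate made from app.key (app.pem, plus app.cer in DER), and
# other.key, an unrelated key.
make_samples() {
    openssl genrsa -out "$1/app.key" 2048 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$1/app.key" -subj "/CN=constructed-example" \
        -days 1 -out "$1/app.pem" 2>/dev/null &&
    openssl x509 -in "$1/app.pem" -outform DER -out "$1/app.cer"
}

# Demonstration on throwaway material.
demo_dir=$(mktemp -d)
if make_samples "$demo_dir"; then
    for k in app.key other.key; do
        if cert_key_match "$demo_dir/app.cer" "$demo_dir/$k"; then
            echo "$k: matches app.cer"
        else
            echo "$k: no match (s_client would report 'key values mismatch')"
        fi
    done
fi
rm -rf "$demo_dir"
```

With the files from the question, a return code of 1 from cert_key_match apns-dev.pem apns-private.pem confirms that the key on hand is not the one the CSR was generated from.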

Convert .cer to .p12

I'm working on a project for a client. I have two .cer files (developer and distribution) both are loaded into Keystore Access on Mac OS X. However I'm unable to export as a .p12 file.
Alternatively I tried OpenSSL but still no luck...
openssl pkcs12 -export -in followMe_ios_development.cer -out followMe_ios_development.p12 -clcerts -nokeys
How can I export this .cer file as a .p12 so I can compile this app for iOS?
What works for me dealing with Push Notification certificates has been:
Open the certificate: open my_filename.cer and click "View Certificates" to see the certificate's name
Go to Applications -> Utilities -> Keychain Access
Ensure you have selected the "login" keychain, not the "system" one (thanks to #Matt Flettcher )
Go to "Certificates"
Look for the desired certificate
Ensure that you can expand it and see under it the original ".certSigningRequest" used to generate the certificate
At this moment you should be able to export it as ".p12"
Try this:
Given you have the following files:
aps.cer, downloaded from Apple.
app.key, your own private key generated by openssl.
1st, convert the .cer file into .pem format:
openssl x509 -in aps.cer -inform DER -out aps.pem -outform PEM
2nd, use the .pem file and your private .key to generate .p12 file:
openssl pkcs12 -export -out aps.p12 -inkey app.key -in aps.pem
This should prompt for a password for this .p12 file.
CF:
aps_developer_identity.cer to p12 without having to export from Key Chain?
Creating a .p12 file
I had the same problem. .p12 Export was not available, only .p7b
I solved it very easily:
You don't select your certificate via the "certificates" directory on the lower left, but via the "My Certificates" directory.
Like this, an arrow should show up left of your certificate.
Click it, and you will see your private Key.
Right-Click on your private Key and select the "export Key" option. Now you can create a .p12 Certificate File, just as the doctor ordered.
Good Luck!
You should select both cert and private key. Then you will be able to export certs with p12 extension.
In my case I was trying to create a pfx/PKCS12 file, tried the given commands, and ran into a couple of issues, one of which was "Unable to load certificate" even though I was doing it right. So I then tried the one command below instead of the others:
openssl pkcs12 -export -out requiredPFXfile.pfx -inkey yourPrivateKey.key -in yourcertificate.cer
Please see this link for more details:
https://www.ssl.com/how-to/create-a-pfx-p12-certificate-file-using-openssl/
I'm a newbie to SSL and certs and can't judge the other answers; I appreciate everyone's work here!
In my case the ability to export in p12 format depends on the certificate type. For the "Apple Distribution" certificate type it is disabled, just like in your case.
When I created a new certificate with type "IOS Distribution (App Store and Ad Hoc)" and processed it just like the previous one, the p12 format became available in the export dialog.

Apple push notifications certificate on windows server

I'm trying to generate a new push notifications certificate on my IIS.
In the past I used to go to IIS Manager --> Server Certificates then select "Create Certificate Request", fill out the details and it generated a txt file which I uploaded to Apple to generate and download the cer file.
My problem is that for some reason I can't upload this text file. I get this message:
Invalid CSR
Select a valid Certificate Signing Request
Has anyone encountered this issue?
Finally got it working.
This is what I did:
In IIS using Cygwin:
Generate private key:
openssl genrsa -out myAppNameCSR.key 2048
Generate csr file from private key:
openssl req -new -sha256 -key myAppNameCSR.key -out myAppName.csr
Upload csr file to Apple to generate certificate
Download the certificate
Convert certificate to pem file
openssl x509 -in aps_development.cer -inform der -out myAppNameCert.pem
Generate pfx file
openssl pkcs12 -export -out myAppNameKey.pfx -inkey myAppNameCSR.key -in myAppNameCert.pem
To install the certificate in Windows Server:
Click Start > Run.
At the prompt, type in mmc, and then click OK to open the Microsoft Management Console.
Click File, and then click Add/Remove Snap-in.
Click Certificates from the list of available snap-ins, and then click Add.
Click Computer account.
Click Next, and then click Finish.
Click OK.
Right-click the Personal tree node and select All Tasks >Import.
Follow the Wizard, pointing it to the pfx file generated and provide the password used to secure it during creation.
Under the Personal tree node, double-click the Certificates folder.
Right-click the newly installed certificate.
Select All Tasks > Manage Private Keys.
In the Security tab, add the Network Service account providing Read access.
Add the group IIS_IUSRS to the private key, and make sure it has full control.
Making a PEM File with Cygwin
So now you have these files:
The private key as a pfx file
The SSL certificate, aps_development.cer as pem file
Convert the pfx file to pem file:
openssl pkcs12 -nocerts -out myAppNameKey.pem -in myAppNameKey.pfx
Finally, combine the certificate and key into a single .pem file:
cat myAppNameCert.pem myAppNameKey.pem > ckDevelopment.pem
Hope this saves someone some time...
Use your Keychain Access to generate the Certificate Signing Request.
This tutorial might help you:
http://quickblox.com/developers/How_to_create_APNS_certificates

certificate and private key for push notification

I need cert.pem and key.pem for an API (in my Node.js backend), but I just downloaded a .cert file from App IDs -> Edit -> Download. How can I get them? Can I extract them from the .cer file?
Generate a Push Certificate
To generate a certificate on a Mac OS X:
Log-in to the iPhone Developer Program Portal
Choose App IDs from the menu on the right
Create an App ID without a wildcard. For example 3L223ZX9Y3.com.armiento.test
Click the Configure link next to this App ID and then click on the button to start the wizard to generate a new Development Push SSL Certificate (Apple Documentation: Creating the SSL Certificate and Keys)
Download this certificate and double click on aps_developer_identity.cer to import it into your Keychain
Launch Keychain Assistant (located in Application, Utilities or search for it with Spotlight) and click on My Certificates on the left
Expand Apple Development Push Services and select Apple Development Push Services AND your private key (just under Apple Development Push Services)
Right-click and choose "Export 2 elements..." and save as server_certificates_bundle_sandbox.p12 (don't type a password).
Open Terminal and change directory to location used to save server_certificates_bundle_sandbox.p12 and convert the PKCS12 certificate bundle into PEM format using this command (press enter when asked for Import Password):
openssl pkcs12 -in server_certificates_bundle_sandbox.p12 -out server_certificates_bundle_sandbox.pem -nodes -clcerts
Now you can use this PEM file as your certificate in ApnsPHP!
Copied from:
http://www.pressmatrix.de/product-blog/apple-ios-push-notification-setup-guide/
Launch the Keychain Access tool and select My Certificates in the left hand panel.
Locate the certificate you wish to install and reveal its contents. There should be both a certificate and a private key inside.
Select both the certificate and private key, then click File and Export Items. Select Personal Information Exchange (.p12) as the output file format.
Move the CSR file, .p12 file and xxx.cer files into the same folder and navigate to that location within the terminal window.
Convert the xxx.cer file into a cert.pem file using the following command:
openssl x509 -in xxx.cer -inform der -out cert.pem
Convert the private key xxx.p12 into a key.pem file:
openssl pkcs12 -nocerts -out key.pem -in xxx.p12
Or refer to:
https://developer.apple.com/library/ios/documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/Chapters/ProvisioningDevelopment.html#//apple_ref/doc/uid/TP40008194-CH104-SW5
